I need some help in setting up some Azure infrastructure in Terraform.
I have app service A which is in vnetA in subnetA, and app service B in vnetB and subnetB.
AppA, vnetA, and subnetA were created manually a long time ago, and the B resources I created myself in Terraform.
I have added a virtual network peering between the two vnets, but when calling appB from appA I still get 403.
    # subnetB: the integration subnet for app service B
    resource "azurerm_subnet" "subnetB" {
      name                 = "subnetB"
      resource_group_name  = "rgB"
      virtual_network_name = "vnetB"
      # second /18 carved out of the first address space of the Terraform-managed vnetB
      address_prefixes     = [cidrsubnet(azurerm_virtual_network.vnetB.address_space[0], 2, 1)]

      # delegation to Microsoft.Web/serverFarms is required for regional VNet integration
      delegation {
        name = "appServiceDelegation"
        service_delegation {
          name    = "Microsoft.Web/serverFarms"
          actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
        }
      }

      # service endpoint so App Service access restrictions can identify traffic from this subnet
      service_endpoints = ["Microsoft.Web"]
    }
What am I missing?
I have gone through similar questions; in subnetB I have added both the App Service delegation and the service endpoint, as was advised (here), but this did not fix the issue.
Update: I have verified that the address spaces of these vnets do not overlap (as this is one of the possible reasons for the failure to establish vnet peering).
2 Answers
After a lot of tweaking of my Terraform code for service B (thank you Vinay B) I have found the reason I was getting 403. When I went to the Networking section of function B and looked into Inbound traffic configuration, in the list of Site access and rules, I saw this warning
and when hovering over the warning sign, I was getting this: So, it turns out that the subnet A (which I didn't manage via Terraform) did not have Microsoft.Web endpoint set up. When I added the endpoint manually, I finally started getting 200 responses.
The 403 error you’re encountering when App A calls App B, despite correctly setting up VNet peering and configuring the subnets with delegation and service endpoints, indicates that the issue may not lie with the network configuration. Instead, it could stem from how the App Services are set up to receive traffic or from the network security group (NSG) rules.
Ensure that your VNet IP ranges do not overlap. Verify that App Service B is correctly integrated into subnetB using VNet Integration. Given that subnetA and subnetB are peered, App Service A should be able to communicate with App Service B, provided both are properly integrated into their respective subnets.

My terraform configuration:
Deployment Succeeded:
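Putting the two answers together, here is an added Terraform example (not the original poster's code and not the code either answer posted) that wires up everything the thread says is needed: the Microsoft.Web service endpoint on App Service A's subnet, the delegated integration subnet for App Service B, peering in both directions, VNet integration of App Service B, and the inbound access restriction on B that only matches callers arriving through subnetA. Resource group names, the region, address ranges, the service plan SKU and the app name are assumptions. subnetA is read as a data source because it is not managed in Terraform; a postcondition on that data source makes `terraform plan` fail with an explicit message while the subnet still lacks the endpoint, which is exactly the condition the self-answer found behind the 403.

```hcl
# Added example, not code from the original question or answers.
# Names, resource groups, region, CIDRs and SKU below are assumptions.

terraform {
  required_version = ">= 1.2"   # lifecycle postconditions need 1.2+
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# ---- Side A: created outside Terraform, so only read it -------------------
data "azurerm_virtual_network" "vnetA" {
  name                = "vnetA"
  resource_group_name = "rgA"
}

data "azurerm_subnet" "subnetA" {
  name                 = "subnetA"
  virtual_network_name = data.azurerm_virtual_network.vnetA.name
  resource_group_name  = data.azurerm_virtual_network.vnetA.resource_group_name

  # Without the Microsoft.Web endpoint, traffic from subnetA reaches App Service B
  # as ordinary public traffic, the subnet rule below never matches, and the
  # implicit deny answers 403. Fail the plan until the endpoint is present.
  lifecycle {
    postcondition {
      condition     = contains(self.service_endpoints, "Microsoft.Web")
      error_message = "subnetA has no Microsoft.Web service endpoint; App Service B's subnet rule cannot match it (403)."
    }
  }
}

# ---- Side B: fully managed in Terraform -----------------------------------
resource "azurerm_virtual_network" "vnetB" {
  name                = "vnetB"
  resource_group_name = "rgB"
  location            = "westeurope"
  address_space       = ["10.2.0.0/16"]   # must not overlap vnetA's ranges
}

resource "azurerm_subnet" "subnetB" {
  name                 = "subnetB"
  resource_group_name  = azurerm_virtual_network.vnetB.resource_group_name
  virtual_network_name = azurerm_virtual_network.vnetB.name
  address_prefixes     = [cidrsubnet(azurerm_virtual_network.vnetB.address_space[0], 8, 1)] # 10.2.1.0/24

  delegation {
    name = "appServiceDelegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# Peering must exist on both vnets; one direction alone is not enough.
resource "azurerm_virtual_network_peering" "a_to_b" {
  name                         = "vnetA-to-vnetB"
  resource_group_name          = data.azurerm_virtual_network.vnetA.resource_group_name
  virtual_network_name         = data.azurerm_virtual_network.vnetA.name
  remote_virtual_network_id    = azurerm_virtual_network.vnetB.id
  allow_virtual_network_access = true
}

resource "azurerm_virtual_network_peering" "b_to_a" {
  name                         = "vnetB-to-vnetA"
  resource_group_name          = azurerm_virtual_network.vnetB.resource_group_name
  virtual_network_name         = azurerm_virtual_network.vnetB.name
  remote_virtual_network_id    = data.azurerm_virtual_network.vnetA.id
  allow_virtual_network_access = true
}

resource "azurerm_service_plan" "planB" {
  name                = "planB"
  resource_group_name = azurerm_virtual_network.vnetB.resource_group_name
  location            = azurerm_virtual_network.vnetB.location
  os_type             = "Linux"
  sku_name            = "P1v2"
}

resource "azurerm_linux_web_app" "appB" {
  name                      = "appb-example"   # assumed, must be globally unique
  resource_group_name       = azurerm_service_plan.planB.resource_group_name
  location                  = azurerm_service_plan.planB.location
  service_plan_id           = azurerm_service_plan.planB.id
  virtual_network_subnet_id = azurerm_subnet.subnetB.id   # regional VNet integration

  site_config {
    # Inbound "Site access" rule: allow only callers coming through subnetA.
    # Any other source falls through to the implicit deny and receives 403.
    ip_restriction {
      name                      = "allow-subnetA"
      action                    = "Allow"
      priority                  = 100
      virtual_network_subnet_id = data.azurerm_subnet.subnetA.id
    }
  }
}
```

Because subnetA is not in Terraform state, the endpoint itself still has to be added out of band, for example with `az network vnet subnet update -g rgA --vnet-name vnetA -n subnetA --service-endpoints Microsoft.Web`, after which the postcondition passes and the plan proceeds. One caveat the thread does not cover: the subnet rule only matches if App Service A actually sends its outbound call through its integration subnet, so if a 403 persists after the endpoint is in place, check App A's outbound routing (the "Route All" setting) before touching the peering again.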