
I need some help in setting up some Azure infrastructure in Terraform.
I have app service A which is in vnetA in subnetA, and app service B in vnetB and subnetB.
AppA, vnetA, and subnetA were created manually a long time ago, and B resources I have created myself in Terraform.
I have added a virtual network peering between the two vnets, but when calling appB from appA I still get 403.

resource "azurerm_subnet" "subnetB" {
  name                 = "subnetB"
  resource_group_name  = "rgB"
  virtual_network_name = "vnetB"
  address_prefixes     = [cidrsubnet(azurerm_virtual_network.vnetB.address_space[0], 2, 1)]

  delegation {
    name = "appServiceDelegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }

  service_endpoints = ["Microsoft.Web"]
}

What am I missing?

I have gone through similar questions, in subnetB I have added both app service delegation and service endpoints as was advised (here) but this did not fix the issue.

Update: I have verified that the address spaces of these vnets do not overlap (as this is one of the possible reasons for the failure to establish vnet peering).

2 Answers


  1. Chosen as BEST ANSWER

    After a lot of tweaking of my Terraform code for service B (thank you Vinay B) I have found the reason I was getting 403. When I went to the Networking section of function B and looked into Inbound traffic configuration, in the list of Site access and rules, I saw a warning,

    and when hovering over the warning sign, I saw the explanation. So, it turns out that subnet A (which I didn't manage via Terraform) did not have the Microsoft.Web endpoint set up. When I added the endpoint manually, I finally started getting 200 responses.
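
As an added illustration (not code from either poster), here are the three pieces the accepted answer identifies as the fix, written as Terraform: the caller's subnet carries the Microsoft.Web service endpoint, app A is VNet-integrated into that subnet, and app B's access restriction allows that subnet. Resource names, CIDRs, the location and the referenced app A / app service plan resources are assumed placeholders; subnetA is modelled as a resource here even though the question's subnetA was created by hand (it could be brought under Terraform with an import).

```hcl
# Added example, not code from either poster. Names, CIDRs, location and the
# referenced plan/app resources are assumed placeholders; subnetA is modelled as
# a resource here although the question's subnetA was created by hand.

# Caller side: the subnet app A routes through. Without the Microsoft.Web
# service endpoint here, app B's subnet-based access rule cannot identify the
# caller's subnet, so every request from app A is rejected with 403.
resource "azurerm_subnet" "subnetA" {
  name                 = "subnetA"
  resource_group_name  = "rgA"
  virtual_network_name = "vnetA"
  address_prefixes     = ["10.1.1.0/24"]
  service_endpoints    = ["Microsoft.Web"]

  delegation {
    name = "appServiceDelegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# App A must send its outbound traffic through subnetA (regional VNet
# integration); otherwise the call leaves from the shared public outbound IPs.
resource "azurerm_app_service_virtual_network_swift_connection" "appA" {
  app_service_id = azurerm_app_service.appA.id # assumed existing app A resource
  subnet_id      = azurerm_subnet.subnetA.id
}

# Callee side: app B accepts traffic only from subnetA. Adding any access
# restriction rule makes the implicit default action Deny for everything else.
# App B's inbound endpoint stays public; the service endpoint, not the peering, identifies the caller.
resource "azurerm_app_service" "appB" {
  name                = "appB"
  location            = "westeurope" # assumed
  resource_group_name = "rgB"
  app_service_plan_id = azurerm_app_service_plan.aspB.id # assumed, as in answer 2

  site_config {
    vnet_route_all_enabled = true
    ip_restriction {
      name                      = "allow-subnetA"
      priority                  = 100
      action                    = "Allow"
      virtual_network_subnet_id = azurerm_subnet.subnetA.id
    }
  }
}
```

After applying, the portal's Networking > Inbound traffic view for app B should list the subnetA rule without the service-endpoint warning the accepted answer describes.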


  2. Virtual network peering and service endpoints – how to allow two Azure app services to communicate.

    The 403 error you’re encountering when App A calls App B, despite correctly setting up VNet peering and configuring the subnets with delegation and service endpoints, indicates that the issue may not lie with the network configuration. Instead, it could stem from how the App Services are set up to receive traffic or from the network security group (NSG) rules.

    Ensure that your VNet IP ranges do not overlap. Verify that App Service B is correctly integrated into subnetB using VNet Integration. Given that subnetA and subnetB are peered, App Service A should be able to communicate with App Service B, provided both are properly integrated into their respective subnets.

    My Terraform configuration:

    provider "azurerm" {
      features {}
    }

    # Existing resource group that holds everything below
    data "azurerm_resource_group" "existing" {
      name = "vinay-rg"
    }

    resource "azurerm_app_service_plan" "aspB" {
      name                = "ASP-vinayrg-bef9-B"
      location            = data.azurerm_resource_group.existing.location
      resource_group_name = data.azurerm_resource_group.existing.name

      sku {
        tier = "Standard"
        size = "S1"
      }
    }

    # App B, with all outbound traffic routed through its VNet integration
    resource "azurerm_app_service" "testvkappB" {
      name                = "testvkappB"
      location            = data.azurerm_resource_group.existing.location
      resource_group_name = data.azurerm_resource_group.existing.name
      app_service_plan_id = azurerm_app_service_plan.aspB.id

      identity {
        type = "SystemAssigned"
      }

      site_config {
        vnet_route_all_enabled = true
      }
    }

    resource "azurerm_virtual_network" "vnetB" {
      name                = "vnetB"
      address_space       = ["10.2.0.0/16"]
      location            = data.azurerm_resource_group.existing.location
      resource_group_name = data.azurerm_resource_group.existing.name
    }

    # subnetB: delegated to App Service and exposing the Microsoft.Web service endpoint
    resource "azurerm_subnet" "subnetB" {
      name                 = "subnetB"
      resource_group_name  = data.azurerm_resource_group.existing.name
      virtual_network_name = azurerm_virtual_network.vnetB.name
      address_prefixes     = ["10.2.1.0/24"]

      delegation {
        name = "appServiceDelegation"

        service_delegation {
          name    = "Microsoft.Web/serverFarms"
          actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
        }
      }

      service_endpoints = ["Microsoft.Web"]
    }

    # Peering in both directions between the pre-existing testvnet and vnetB
    resource "azurerm_virtual_network_peering" "testvnet_to_vnetB" {
      name                      = "testvnet-to-vnetB-peering"
      resource_group_name       = data.azurerm_resource_group.existing.name
      virtual_network_name      = "testvnet"
      remote_virtual_network_id = azurerm_virtual_network.vnetB.id
      allow_virtual_network_access = true
      allow_forwarded_traffic      = true
    }

    resource "azurerm_virtual_network_peering" "vnetB_to_testvnet" {
      name                      = "vnetB-to-testvnet-peering"
      resource_group_name       = data.azurerm_resource_group.existing.name
      virtual_network_name      = azurerm_virtual_network.vnetB.name
      # Placeholder subscription ID; replace with your own
      remote_virtual_network_id = "/subscriptions/subscription_ID/resourceGroups/vinay-rg/providers/Microsoft.Network/virtualNetworks/testvnet"
      allow_virtual_network_access = true
      allow_forwarded_traffic      = true
    }

    Deployment Succeeded: [screenshots of the deployed resources omitted]
