I'd like to add a VNET access restriction to an Azure Function App. The Azure Function App is located in RG1 and the VNET is located in RG2.
I can't get it to work even with IDs.
Command:
az webapp config access-restriction add --priority 100 --action Allow --name $newParameters.FunctionAppName --rule-name "APIm" --subnet $newParameters.APImSubnetName --vnet-name $newParameters.VnetName
Error message:
The Resource 'Microsoft.Network/virtualNetworks/dev-deploy-vnet' under resource group 'dev-deploy-rg-dev' was not found.
Command:
az webapp config access-restriction add --priority 100 --action Allow --rule-name "APIm" --ids $b, $c
Message:
/subscriptions/xxx/resourceGroups/dev-deploy-rg-dev/providers/Microsoft.Web/sites/dev-deploy-fadev,: "(ResourceNotFound) The Resource 'Microsoft.Web/sites/dev-deploy-vnet' under resource group 'dev-deploy-rg' was not found."
/subscriptions/xxx/resourceGroups/dev-deploy-rg/providers/Microsoft.Network/virtualNetworks/dev-deploy-vnet: "(ResourceNotFound) The Resource 'Microsoft.Web/sites/dev-deploy-fadev,' under resource group 'dev-deploy-rg-dev' was not found.
It's possible through Azure Portal.
Any suggestions?
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI @antcp
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @ahmedelnably, @fabiocav
If your app is a function app, can you try using the function app equivalent? https://docs.microsoft.com/en-us/cli/azure/functionapp/config/access-restriction?view=azure-cli-latest
Does this work in cases where the FunctionApp & the VNET are in the same RG?
Also, the access-restriction command takes an RG as an input; what happens if you pass the RG of the VNET as the value for this?
az functionapp config access-restriction add --priority 100 --action Allow --name "dev-deploy-fadev" --rule-name "APIm" --subnet "APIm" --vnet-name "dev-deploy-vnet" --resource-group "dev-deploy-rg"
This command group is in preview. It may be changed/removed in a future release.
ResourceNotFound - The Resource 'Microsoft.Web/sites/dev-deploy-fadev' under resource group 'dev-deploy-rg' was not found.
az functionapp config access-restriction add --priority 100 --action Allow --name "dev-deploy-fadev" --rule-name "APIm" --subnet "APIm" --vnet-name "dev-deploy-vnet" --resource-group "dev-deploy-rg-dev"
This command group is in preview. It may be changed/removed in a future release.
The Resource 'Microsoft.Network/virtualNetworks/dev-deploy-vnet' under resource group 'dev-deploy-rg-dev' was not found.
I've created the same issue with Az PowerShell here. Don't know if that might help.
Removing the Service Attention label as @panchagnula is responding to this issue.
@fabiocav normally if the commands are not owned by Azure CLI team, we will mark the Service Attention label.
Hello,
For the record, I get the exact same issue when using --scm-site true. It also works when doing it on the portal and it also works when doing it on non-scm site using terraform.
@panchagnula Any idea of the cause and ETA?
The issue is originating from the _validate_subnet call https://github.com/Azure/azure-cli/blob/46a142f2a6987ced98d5682721eec71626a9ea2b/src/azure-cli/azure/cli/command_modules/appservice/access_restrictions.py#L128
Will look at getting a fix for this.
move to S167
@kotashudhakarreddy can you take a look at this - since you already fixed this in PowerShell
Looking into it.
move to S169
Might be a little late, but try:
For the subnet param - instead of just putting the name, put the full resource ID of the subnet (including the subscription, vnet, etc parts of the path).
/subscriptions/[subsguid]/resourceGroups/[rgwithvnetinit]/providers/Microsoft.Network/virtualNetworks/[vnetname]/subnets/[subnetname]
We have had success doing it that way for a number of resource types.
@panchagnula I talked to @madsd and he was going to help take a first pass with all the access restrictions related items.
@btardif can you have @madsd follow the instructions on our OneNote so we can start assigning these issues to him directly & so @Kotasudhakarreddy can assign these to him during triage. Thanks!
The command was designed with the --subnet parameter accepting either a name combined with a vnet-name or a full resource-id for the subnet in the same --subnet parameter. However, we have had a few issues created on this not being clear, so we will improve help text and examples as well as add a --vnet-resource-group to explicitly be able to specify this.
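The workaround discussed in this thread (passing the full subnet resource ID in --subnet when the VNet is in another resource group), as an added example that is not part of the original comments or of the Azure CLI code base. The helper names, the DRY_RUN switch and the all-zero subscription GUID are assumptions made for illustration; the helper deliberately refuses a bare subnet name so that a rule is never created against a subnet resolved in the wrong resource group.

```shell
#!/bin/sh
# Added example; all names and the subscription GUID are constructed placeholders.

# Build a subnet resource ID from: <subscription-id> <vnet-rg> <vnet> <subnet>
subnet_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s\n' \
    "$1" "$2" "$3" "$4"
}

# Print the resource group embedded in a subnet resource ID.
# Fails (non-zero) for a bare subnet name or any other ID shape.
# The body runs in a subshell so the IFS and set -f changes stay local.
subnet_id_resource_group() (
  IFS=/; set -f
  set -- $1   # fields: "", subscriptions, <sub>, resourceGroups, <rg>, providers, ...
  [ $# -eq 11 ] && [ -z "$1" ] || exit 1
  # Resource IDs are matched case-insensitively on their fixed segments.
  keys=$(printf '%s/%s/%s/%s/%s/%s' "$2" "$4" "$6" "$7" "$8" "${10}" | tr 'A-Z' 'a-z')
  [ "$keys" = "subscriptions/resourcegroups/providers/microsoft.network/virtualnetworks/subnets" ] || exit 1
  [ -n "$3" ] && [ -n "$5" ] && [ -n "$9" ] && [ -n "${11}" ] || exit 1
  printf '%s\n' "$5"
)

# Add an Allow rule for a subnet identified by its full resource ID.
# Args: <app-rg> <app-name> <rule-name> <priority> <subnet-id>
# Prints the command by default; set DRY_RUN=0 to actually call az.
add_subnet_rule() {
  if ! vnet_rg=$(subnet_id_resource_group "$5"); then
    echo "refusing: --subnet '$5' is not a full subnet resource ID" >&2
    return 2
  fi
  [ "$vnet_rg" = "$1" ] ||
    echo "note: VNet resource group '$vnet_rg' differs from app resource group '$1'" >&2
  set -- functionapp config access-restriction add --resource-group "$1" --name "$2" \
    --rule-name "$3" --action Allow --priority "$4" --subnet "$5"
  if [ "${DRY_RUN:-1}" = 0 ]; then az "$@"; else echo "az $*"; fi
}

# Constructed values modelled on the thread: app in dev-deploy-rg-dev, VNet in dev-deploy-rg.
SUBNET_ID=$(subnet_resource_id 00000000-0000-0000-0000-000000000000 dev-deploy-rg dev-deploy-vnet APIm)
add_subnet_rule dev-deploy-rg-dev dev-deploy-fadev APIm 100 "$SUBNET_ID"
```

After the rule is created, confirm in the app's access restriction list that it references the intended subnet ID before relying on it.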