We created a private link on one of our applications. It works. From a jump box on the same vnet we can access the site. However, we are having problems getting Azure DevOps to communicate with it. Could a section be added here with any practices known for this case?
We are getting 403 errors when trying to deploy both from the Microsoft build agents and from an on-prem build agent within an ASE in a peered vnet to the private link endpoint.
@mocleiri, Thanks for the question! We are taking a look into this and will get back to you soon.
Hello, thank you for the question. If DevOps uses the Kudu REST API, in the case of a private endpoint, Kudu is behind the PE too. The DNS for your on-prem agent must point webappname.scm.azurewebsites.net to the private IP of the private endpoint.
@mocleiri, Just checking in to see if you have had a chance to see the previous response from Eric, and if the solution helped remedy the problem. Kindly confirm that the Kudu URL points to the private IP. In case the issue still persists, kindly let us know and we will be more than happy to assist you further.
This also affects me... I think that Ericgre's answer is not applicable to the question because mocleiri never wrote about an on-prem agent... or do you mean that if we use a private endpoint then we must implement an on-prem agent?
Hello, when I said on-prem, that was not exact; I should have said self-hosted agent. In DevOps you have 2 agents, the Microsoft-hosted and the self-hosted. When you deploy a private endpoint to your web app, the public URL for scm is not available; you need to point to the private IP. DevOps is able to fetch the web app name without using the scm URL, by calling ARM. But afterwards, for the deployment, if you use the scm Kudu API, your DevOps agent must point to the private IP, meaning your agent is in your vnet. Microsoft-hosted agents are not in your vnet, so they cannot reach the private scm. In the case of mocleiri, he said that he has a self-hosted agent within an ASE. If you don't want to use a self-hosted agent, you must use another way to deploy your web app, like continuous integration.
We will now proceed to close this thread. If there are further questions regarding this matter, please tag us in your reply. We will gladly continue the discussion.
Hi, we are also experiencing the same issue. We are using a web app with a private endpoint and my build agents (we are using VMSS) are in a different vnet. Now we have raised a private endpoint from the build agent's subnet to the web app, added two A records for the web app and scm in the private DNS zone privatelink.azurewebsites.net with the PE IP, and linked both vnets to the DNS zone. We are still unable to deploy our application to the web app. We are getting a 403 not found error.
Are we missing anything here?
Hello, did you check that the DNS resolution in your deploy agent host is correct for the public name of your scm? myapp.scm.azurewebsites.net must return the private endpoint address that you set in your private zone.
@Ericgre yes, by nslookup both webapp and scm are resolving to the same PE IP address.
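The DNS check discussed in this thread, written as a script to run on the build agent host (an added example, not part of any post above and not Microsoft's tooling). The function names are hypothetical, the private endpoint IP is supplied by the caller, and the RFC 1918 test assumes the vnet uses conventional private address space.

```python
import ipaddress
import socket
import sys

# RFC 1918 ranges; assumes the vnet uses conventional private address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def system_resolver(host):
    """Resolve via the OS resolver, so the agent host's own DNS settings apply."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(addresses, expected_ip):
    """Return ok / public / mismatch / unresolved for one hostname."""
    if not addresses:
        return "unresolved"
    if all(a == expected_ip for a in addresses):
        return "ok"
    for a in addresses:
        if not any(ipaddress.ip_address(a) in net for net in RFC1918):
            return "public"    # name still resolves to a non-private address
    return "mismatch"          # private, but not the expected endpoint IP


def check_private_endpoint_dns(app_name, expected_ip, resolver=system_resolver):
    """Check both the site and its scm (Kudu) name, as seen from this host."""
    results = {}
    for host in (f"{app_name}.azurewebsites.net",
                 f"{app_name}.scm.azurewebsites.net"):
        try:
            addresses = resolver(host)
        except OSError:        # socket.gaierror is a subclass of OSError
            addresses = []
        results[host] = (classify(addresses, expected_ip), addresses)
    return results


if __name__ == "__main__":
    # Usage: python check_pe_dns.py <app-name> <private-endpoint-ip>
    report = check_private_endpoint_dns(sys.argv[1], sys.argv[2])
    for host, (status, addrs) in report.items():
        print(f"{status:<10} {host} -> {', '.join(addrs) or '-'}")
    sys.exit(0 if all(s == "ok" for s, _ in report.values()) else 1)
```

A result of `ok` for both names only confirms name resolution from that host; as the last reply shows, the 403 can persist with DNS resolving correctly.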