This post is focused on a scenario where you are creating an Access Restriction rule in an Azure App Service to allow client requests from a subnet in a Virtual Network (VNET) and you get this error:<\/p>\n
\nFailed to add new rule: IpSecurityRestriction.VnetSubnetResourceId is invalid. For request GET https:\/\/management.azure.com\/subscriptions\/xxxxxx\/resourceGroups\/xxxxxx\/providers\/Microsoft.Network\/virtualNetworks\/xxxxxx\/taggedTrafficConsumers?api-version=2018-01-01<\/a> with clientRequestId xxxxxx and correlationRequestId xxxxxx, received a response with status code Forbidden, error code AuthorizationFailed, and response content: {“error”:{“code”:”AuthorizationFailed”,”message”:”The client ‘xxxxxx’ with object id ‘xxxxxx’ does not have authorization to perform action ‘Microsoft.Network\/virtualNetworks\/taggedTrafficConsumers\/read’ over scope ‘\/subscriptions\/xxxxxx\/resourceGroups\/xxxxxx\/providers\/Microsoft.Network\/virtualNetworks\/xxxxxx’ or the scope is invalid. If access was recently granted, please refresh your credentials.”}}.<\/div>\n<\/blockquote>\nThe Scenario<\/h2>\n
The customer wanted to deploy Standard Tier Azure App Services with some level of security in a hub and spoke architecture. The hub is in Subscription A. There a virtual network with an Azure Application Gateway (WAG)\/Web Application Firewall(WAF) is deployed into a VNET\/subnet. The WAF subnet has the Microsoft.Web Service Endpoint enabled, allowing the WAF to reverse proxy web requests via the direct path of the Service Endpoint to the App Service(s).<\/p>\n
The App Service Plan and App Services are in Subscription B. The goal is to only allow traffic to the App Services via the WAF. All the necessary DNS\/SSL stuff was done and the WAF was configured to route traffic. Now, the customer wanted to prevent requests from coming in directly to the App Service – an Access Restriction rule would be created with the Virtual Network type. However, when we tried to create that rule, it failed with the above security error.<\/p>\n
Troubleshooting<\/h2>\n
At first, we thought there was an error with Azure Privileged Identity Management (PIM), but we soon ruled that out. The customer had Contributor rights and I had Owner rights over both subscriptions and we verified access. While doing a Teams screen share the customer read an article about Azure Key Vault with a similar error that indicated an issue with Resource Providers. We both had the same idea at the same time.<\/p>\n
Solution<\/h2>\n
In the WAF subscription, enable the Microsoft.Web resource provider. This will allow the App Service to “configure” the integration with the subnet from its own subscription and solves the security issue.<\/p>\n","protected":false},"excerpt":{"rendered":"
This post is focused on a scenario where you are creating an Access Restriction rule in an Azure App Service to allow client requests from a subnet in a Virtual Network (VNET) and you get this error: Failed to add new rule: IpSecurityRestriction.VnetSubnetResourceId is invalid. For request GET https:\/\/management.azure.com\/subscriptions\/xxxxxx\/resourceGroups\/xxxxxx\/providers\/Microsoft.Network\/virtualNetworks\/xxxxxx\/taggedTrafficConsumers?api-version=2018-01-01<\/a> with clientRequestId xxxxxx and correlationRequestId xxxxxx, … Continue reading “Failed to add new rule: IpSecurityRestriction.VnetSubnetResourceId is invalid.”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":18386,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[5],"tags":[414,265,314,170,403,190,318,317,315],"class_list":["post-21696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-access-restrictions","tag-app-services","tag-application-gateway","tag-azure","tag-network","tag-security","tag-waf","tag-wag","tag-web-application-firewall"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aidanfinn.com\/wp-content\/uploads\/2015\/06\/12809137181.png","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=21696"}],"version-history":[{"count":6,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21696\/revisions"}],"predecessor-version":[{"id":21702,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21696\/revisions\/21702"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/media\/18386"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=21696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=21696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=21696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}