VNet integration
The Azure Dev CLI currently does not support deploying code to an Azure Web App which is configured with a private endpoint. By default, adding a private endpoint to a Web App blocks requests from the public Internet.
For Azure Web App deployments, as in the case of the todo-nodejs-mongo template, the Dev CLI attempts to call the *.azurewebsites.net/api/zipdeploy endpoint to deploy code. Since the Web App is configured with a private endpoint, the Dev CLI is denied access.
Deployments via git or GitHub Actions are also impacted, because they rely on access to the *.azurewebsites.net endpoint (including the SCM site).
If a private endpoint is enabled for a Web App, the deployment agent (e.g., Azure DevOps self-hosted agent) needs to be inside the related virtual network.
An alternative deployment approach would be creating a ZIP package and loading the package from an external URL such as Azure Blob Storage (using managed identity or SAS).
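The run-from-package alternative described above, sketched in Bicep with managed identity rather than SAS. This is an added example, not part of the todo-nodejs-mongo template: the parameter names, the `packages` container and the `api.zip` blob are assumptions, and it assumes the Web App already has a system-assigned identity and that the ZIP has been uploaded to the container.

```bicep
// Added example (not from the template). Assumed names: apiName, storageName,
// the 'packages' container and the 'api.zip' blob.
param apiName string
param storageName string
param packageContainer string = 'packages'
param packageBlob string = 'api.zip'

// Built-in role definition: Storage Blob Data Reader (read-only on blob data).
var blobReaderRoleId = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageName
}

// Assumption: the site exists and has a system-assigned managed identity enabled.
resource api 'Microsoft.Web/sites@2022-09-01' existing = {
  name: apiName
}

// Grant the app's identity read access to the package. Using the identity
// avoids embedding a SAS token in app settings, where it could leak or expire.
// Scoped to the account here for brevity; a container scope is narrower.
resource packageReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, api.id, blobReaderRoleId)
  scope: storage
  properties: {
    principalId: api.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', blobReaderRoleId)
  }
}

// App settings are written through Azure Resource Manager, not through the
// *.scm.azurewebsites.net site, so the private endpoint does not block this.
// Note: the 'appsettings' resource replaces the whole set of app settings;
// include the app's other settings here as well.
resource appSettings 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: api
  name: 'appsettings'
  properties: {
    // The app pulls the ZIP from this URL at startup using its identity.
    WEBSITE_RUN_FROM_PACKAGE: '${storage.properties.primaryEndpoints.blob}${packageContainer}/${packageBlob}'
  }
  dependsOn: [
    packageReader
  ]
}
```

After a new ZIP is uploaded to the same blob, the app has to be restarted to pick it up.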
Furthermore, samples such as todo-nodejs-mongo present an additional challenge. If the API is configured with a private endpoint, requests from the public Internet fail, as mentioned earlier. In this sample, the web app makes a client/browser-side request to the API endpoint. If the client is outside of the virtual network, the request is blocked by the private endpoint. If the client is launched from inside the virtual network, the request reaches the API and succeeds.
```mermaid
graph LR
    subgraph Virtual Network
        subgraph App Service - Web API
            scm[todoapi.scm.azurewebsites.net]
            api[todoapi.azurewebsites.net]
        end
        subgraph VM
            vm[App Service - Web App] --> |success| api
        end
    end
    subgraph Zip and Run from Package
        storageAccount[Storage Account]
        api --> storageAccount
    end
    subgraph deployment
        zip[create zip] --> storageAccount
    end
    azd["Azure Dev CLI - deploy"] --> |Access Denied| scm
    app[App Service - Web App] -->|Access Denied| api
```