Tags: azure, azure-web-app-service, azure-webjobs, azure-virtual-network, azureportal

What is the minimum access needed in Azure Portal > Networking > Access Restrictions > Advanced Tool Site to allow the Portal access to manage WebJobs?




I'm getting an error "The scm site for your app is blocked. In order to use webjobs you must allow traffic to the advanced tool site." unless I allow all traffic, which has security implications (I want to deny all traffic except what is required).


The error message when you don't allow all access has a link https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli#manage-access-restriction-rules-in-the-portal to a generic page on access restrictions but nothing specific to this issue.

I want to know specifically how to allow WebJobs to be managed (view logs & run) in the Azure Portal without allowing all traffic access to the SCM site (I have tried "Allow All" and it works, as expected). Is there a service tag? I tried Deny All except IPv4 addresses 0.0.0.0/0 and IPv6 addresses ::/0, but that didn't work. I also tried allowing the service tags AzurePortal and AzureCloud; none of those worked. The app service is on a vnet, so I tried granting access to that subnet (didn't work). None of the above worked, so I'm not sure what the traffic origin of the portal is when it tries to access the WebJobs to manage them (start/stop them, view logs etc.).


My WebJobs still run ok, I just can't manage them via the portal unless I allow all access to the advanced tool site.

I look forward to some insights into what I thought would be a common issue.

Is it just not standard to try and restrict access to the SCM site and potentially any configuration secrets? (Yes, I should be using Azure Key Vault etc., but I'm not currently.)


Solution

Microsoft have updated the Azure portal functionality since I posted my question to fix their mistake. In WebJobs, if you have access restrictions specified for the Advanced Tool Site (SCM), the WebJob page will now show a warning of:

"Traffic to the SCM on your app is blocked. To ensure the success of web job commands, you must either set the default unmatched rule to 'Allow' or add an 'Allow' rule for your IP address in the Advanced Tool Site section of Access restrictions"

WebJob screen in Azure Portal

instead of:

"The scm site for your app is blocked. In order to use webjobs you must allow traffic to the advanced tool site."

The Logs/Run/Delete/Add buttons were previously disabled by the change a month ago, but now they are all enabled. If you haven't added an IP access restriction for the IP address you access the browser from, then the Run and Delete buttons work fine but Logs doesn't (because it redirects to the SCM site, which, since you've blocked access to it, won't load). "Add" looks like it has worked but never completes in the background.

So it's good to see Microsoft have addressed the mistake - I still think the part about "To ensure the success of web job commands" is misleading and may result in users thinking they need to allow access for the WebJobs to run - the message, I think, is just referring to the Azure portal invoking commands on the WebJobs, specifically Logs and Add.

So to be clear, in answer to "What is the minimum access needed in Networking > Access Restrictions > Advanced Tool Site to allow the Azure Portal access to manage WebJobs?" - the answer is now that you don't need to allow any access to the Advanced Tool Site unless you want to view the Logs or Add a new WebJob via the portal. If you want to do those things via the portal, the minimum access you'll need is an "Allow" rule for your IP address, with all other traffic denied. You can check your IP address via a site like: https://whatismyipaddress.com/
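As an added example (not part of the question or answer above), here is a small Python model of the rule set the answer recommends: one Allow rule for the admin's own address plus a Deny default for the Advanced Tool Site, with a check of which client addresses it admits and a flag for sets that are effectively open, such as an Allow for 0.0.0.0/0 or ::/0. The rule name is hypothetical, the sample addresses are constructed, and first-match-by-priority evaluation is an assumption of the model.

```python
# Added example, not from the question or answer above. Models an App Service
# SCM-site access restriction set. Assumed evaluation: ascending priority, first
# match wins, default action otherwise. Field names mirror the ARM site-config
# properties scmIpSecurityRestrictions / scmIpSecurityRestrictionsDefaultAction.
import ipaddress

def scm_rules_for_admin(admin_ip: str) -> dict:
    """Minimum SCM rule set from the answer: allow one admin address, deny the rest."""
    addr = ipaddress.ip_address(admin_ip)
    host_cidr = f"{addr}/{addr.max_prefixlen}"  # /32 for IPv4, /128 for IPv6
    return {
        "scmIpSecurityRestrictionsDefaultAction": "Deny",
        "scmIpSecurityRestrictions": [{
            "name": "AllowAdminBrowser",  # hypothetical rule name
            "action": "Allow",
            "priority": 100,
            "ipAddress": host_cidr,
            "description": "Admin browser IP so the portal can open WebJob logs / add jobs",
        }],
    }

def scm_access(config: dict, client_ip: str) -> str:
    """Return 'Allow' or 'Deny' for client_ip under the SCM restriction set."""
    client = ipaddress.ip_address(client_ip)
    for rule in sorted(config["scmIpSecurityRestrictions"], key=lambda r: r["priority"]):
        # ip_network.__contains__ is False for an address of the other IP version.
        if client in ipaddress.ip_network(rule["ipAddress"], strict=False):
            return rule["action"]
    return config["scmIpSecurityRestrictionsDefaultAction"]

def is_effectively_open(config: dict) -> bool:
    """True when the set admits everyone: an Allow default, or an Allow rule for
    0.0.0.0/0 or ::/0 ("Deny all except 0.0.0.0/0" is open, not locked down).
    Does not account for Deny rules that might shadow such an Allow."""
    if config["scmIpSecurityRestrictionsDefaultAction"] == "Allow":
        return True
    return any(
        rule["action"] == "Allow"
        and ipaddress.ip_network(rule["ipAddress"], strict=False).prefixlen == 0
        for rule in config["scmIpSecurityRestrictions"]
    )

if __name__ == "__main__":
    cfg = scm_rules_for_admin("203.0.113.7")  # constructed sample admin address
    for ip in ("203.0.113.7", "203.0.113.8", "2001:db8::1"):
        print(ip, "->", scm_access(cfg, ip))
    print("open to everyone:", is_effectively_open(cfg))
```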