Apply access restriction to resources in different subscriptions

[jomarulfarsson]

This is autogenerated. Please review and update as needed.

Describe the bug

When applying access restrictions to web app from a subnet in a different subscription you receive error when using azure-cli. Works correctly when using arm template deployment or portal.

Consider the following setup:
WebApp Subscription: subscription-app
WebApp Resourcegroup: resourcegroup-app
WebApp Name: app

Vnet Subscription: subscription-vnet
Vnet Resourcegroup: resourcegroup-vnet
Vnet Name: vnet
Subnet Name: subnet

Command Name
az webapp config access-restriction add -g "resourcegroup-app" -n "app" --rule-name "allow" --action Allow --subnet "/subscriptions/{subscription-vnet}/resourceGroups/{resourcegroup-vnet}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}" --priority 100 --scm-site false

Errors:

Using least-access:
(AuthorizationFailed) The client 'fdxxx' with object id 'fdxxx' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/{**subscription-app**}/resourceGroups/{resourcegroup-vnet}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}' or the scope is invalid. If access was recently granted, please refresh your credentials.

Using full-access to both subscriptions:
(ResourceGroupNotFound) Resource group 'resourcegroup-vnet' could not be found.

To Reproduce:

In two different subscriptions create a web app and a vnet. Add access restriction on the web app using the following command:

• az login
• az account set --subscription subscription-app
• az webapp config access-restriction add -g "resourcegroup-app" -n "app" --rule-name "allow" --action Allow --subnet "/subscriptions/{subscription-vnet}/resourceGroups/{resourcegroup-vnet}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}" --priority 100 --scm-site false

Expected Behavior

An access restriction is added to the web app that has a reference to the subnet in the other subscription.

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.6.8
Installer: MSI

azure-cli 2.19.1

Additional Context

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.

Issue Details

---

This is autogenerated. Please review and update as needed.

Describe the bug

When applying access restrictions to web app from a subnet in a different subscription you receive error when using azure-cli. Works correctly when using arm template deployment or portal.

Consider the following setup:
WebApp Subscription: subscription-app
WebApp Resourcegroup: resourcegroup-app
WebApp Name: app

Vnet Subscription: subscription-vnet
Vnet Resourcegroup: resourcegroup-vnet
Vnet Name: vnet
Subnet Name: subnet

Command Name
az webapp config access-restriction add -g "resourcegroup-app" -n "app" --rule-name "allow" --action Allow --subnet "/subscriptions/{subscription-vnet}/resourceGroups/{resourcegroup-vnet}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}" --priority 100 --scm-site false

Errors:

Using least-access:
(AuthorizationFailed) The client 'fdxxx' with object id 'fdxxx' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/{**subscription-app**}/resourceGroups/{resourcegroup-vnet}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}' or the scope is invalid. If access was recently granted, please refresh your credentials.

Using full-access to both subscriptions:
(ResourceGroupNotFound) Resource group 'resourcegroup-vnet' could not be found.

To Reproduce:

In two different subscriptions create a web app and a vnet. Add access restriction on the web app using the following command:

• az login
• az account set --subscription subscription-app
• az webapp config access-restriction add -g "resourcegroup-app" -n "app" --rule-name "allow" --action Allow --subnet "/subscriptions/{subscription-vnet}/resourceGroups/{resourcegroup-vnet}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}" --priority 100 --scm-site false

Expected Behavior

An access restriction is added to the web app that has a reference to the subnet in the other subscription.

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.6.8
Installer: MSI

azure-cli 2.19.1

Additional Context

Author:	jomarulfarsson
Assignees:	-
Labels:	Service Attention, Web Apps
Milestone:	-

[yonzhan]

WebApp

[calvinsID]

Similar request to #17090

[madsd]

This was actually because we were not able to check if the service endpoint is set in a subnet across subscriptions. You can work around it with -i (or --ignore-missing-endpoint). In the upcoming release on 6. May (2.23) a friendly error message explaining this was added.
Fixed in #17687

[seligj95]

closing because service team confirmed resolution. please reopen if still any issues.