Configure access restriction of VNET from different subscription

[vipulkelkar]

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug
Currently, the web app access restriction commands seem to be working only within a subscription. For example, a VNET from Subscription-B cannot be added to access restriction rule on a Web/Azure Function App in Subscription-A.
This is currently possible through the Azure Portal.

To Reproduce
Following commands with cross subscription values to add access restriction

az webapp config access-restriction add -g "<SubscriptionA-RG>" -n "<SubscriptionA-AppName>" --rule-name "<Rule Name>" --action Allow --vnet-name "<SubscriptionB-VnetName>" --subnet "<SubscriptionB-SubnetName>" --priority 100 --vnet-resource-group "<SubscriptionB-VNetRG>" --subscription "<SubscriptionB-Name>"

OR

az webapp config access-restriction add -g "<SubscriptionA-RG>" -n "<SubscriptionA-AppName>" --rule-name "<Rule Name>" --action Allow --priority 800 --subnet '/subscriptions/<SubscriptionB-ID>/resourceGroups/<SubscriptionA-RG-Name>/providers/Microsoft.Network/virtualNetworks/<SubscriptionB-VnetName>/subnets/<SubscriptionB-SubnetName>'

Expected behavior
Is the command expected to work only within one subscription ? Or am I missing something in terms of how the command must be used across multiple subscription resources

Environment summary
azure-cli 2.19.0 *

Additional context

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.

Issue Details

---

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug
Currently, the web app access restriction commands seem to be working only within a subscription. For example, a VNET from Subscription-B cannot be added to access restriction rule on a Web/Azure Function App in Subscription-A.
This is currently possible through the Azure Portal.

To Reproduce
Following commands with cross subscription values to add access restriction

az webapp config access-restriction add -g "<SubscriptionA-RG>" -n "<SubscriptionA-AppName>" --rule-name "<Rule Name>" --action Allow --vnet-name "<SubscriptionB-VnetName>" --subnet "<SubscriptionB-SubnetName>" --priority 100 --vnet-resource-group "<SubscriptionB-VNetRG>" --subscription "<SubscriptionB-Name>"

OR

az webapp config access-restriction add -g "<SubscriptionA-RG>" -n "<SubscriptionA-AppName>" --rule-name "<Rule Name>" --action Allow --priority 800 --subnet '/subscriptions/<SubscriptionB-ID>/resourceGroups/<SubscriptionA-RG-Name>/providers/Microsoft.Network/virtualNetworks/<SubscriptionB-VnetName>/subnets/<SubscriptionB-SubnetName>'

Expected behavior
Is the command expected to work only within one subscription ? Or am I missing something in terms of how the command must be used across multiple subscription resources

Environment summary
azure-cli 2.19.0 *

Additional context

Author:	vipulkelkar
Assignees:	-
Labels:	Service Attention, Web Apps, needs-triage, question
Milestone:	-

[yungezz]

route to appropriate team

[calvinsID]

Similar request to #17030

[madsd]

This was actually because we were not able to check if the service endpoint is set in a subnet across subscriptions. You can work around it with -i (or --ignore-missing-endpoint). In the upcoming release on 6. May (2.23) a friendly error message explaining this was added.
Fixed in #17687

[vipulkelkar]

thanks for the update

[seligj95]

closing because of confirmation from service team. please reopen if there are still any issues.