Securing app services across multiple AAD tenants
Hi All,

I'm beating my head against a wall, so I wanted to see if anyone can please help me out, or at least point me in the correct direction.

We have a large Azure infrastructure across multiple AAD tenants, with a number of app services that we're trying to secure at the network level using app service access restrictions, so that access is only allowed from clients within our infrastructure (across the 2 tenants), or via controlled access through our APIM and Front Door edges. The clients are a mix of other app services, VMs, VM scale sets (Service Fabric), and APIM access routes. All of these now have subnets attached for outbound routing.

For securing within the same tenant everything works beautifully, using subnet access rules to grant access to the service endpoints from the client subnets. Where we are having problems is the cross-tenant allow rules. All the subnets have NATs attached with IPv4 public IPs, which I had assumed would mean that we'd be able to use the public IP to grant access in the restrictions in the other tenant. However, what we realised when we tested was that the presence of the Microsoft.Web service endpoint means the NAT is being bypassed, and the IP presented to the target app service is not the IPv4 address we were expecting but an IPv6 address that is apparently used by the service endpoint, and I'm presuming it is not reliably static even if we can figure it out.

I presume we're not the first people ever to try to achieve the goal of cross-tenant app restrictions, so I thought I would ask how this is best done? The one suggestion I was given was to remove the service endpoints, but that of course stops us being able to use subnet app restriction rules, and I failed to get anything to work with any of the IPs associated with the clients.

Thanks in advance for any help you can offer.

Mark Middlemist
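The failure mode described in the post, as an added illustration that is not part of the original thread: a small Python simulation of how App Service access-restriction rules are matched (modelled here as first match by ascending priority, with an implicit deny once any rule is defined), run against three constructed callers. It shows why a same-tenant subnet rule matches a service-endpoint caller, why an IPv4 /32 rule matches a caller that really egresses through the NAT gateway, and why that same /32 rule silently fails to match once the caller arrives over the service endpoint with an IPv6 source. All resource IDs, CIDRs and addresses below are constructed placeholders (documentation ranges), and the rule semantics are a simplified model, not Azure's own implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One access-restriction entry: either an ipAddress/CIDR rule or a subnet rule."""
    name: str
    action: str                     # "Allow" or "Deny"
    priority: int                   # lower number is evaluated first
    cidr: Optional[str] = None      # models an ipAddress-style rule
    subnet_id: Optional[str] = None # models a vnetSubnetResourceId-style rule


@dataclass
class Request:
    """What the target app service can see about an inbound caller."""
    source_ip: str
    # Only populated when the caller reaches the app through a Microsoft.Web
    # service endpoint in a VNet the target tenant can recognise.
    source_subnet_id: Optional[str] = None


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Return (action, matched_rule_name); implicit deny if nothing matches."""
    addr = ipaddress.ip_address(req.source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.cidr is not None:
            net = ipaddress.ip_network(rule.cidr, strict=False)
            # An IPv4 CIDR can never match an IPv6 source, whatever the NAT's public IP is.
            if net.version == addr.version and addr in net:
                return rule.action, rule.name
        elif rule.subnet_id is not None:
            if req.source_subnet_id and req.source_subnet_id.lower() == rule.subnet_id.lower():
                return rule.action, rule.name
    return "Deny", "implicit-deny"


def looks_like_service_endpoint_source(source_ip: str) -> bool:
    """Quick check for the symptom in the post: an IPv6 source where an IPv4 NAT IP was expected.

    Useful when reading the client IP out of the app's access logs to confirm
    that a caller is bypassing its NAT gateway via the Microsoft.Web endpoint.
    """
    return ipaddress.ip_address(source_ip).version == 6


# --- constructed scenario -------------------------------------------------
# Subnet in the same tenant as the target app (placeholder resource ID).
TENANT_A_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-a"
                   "/providers/Microsoft.Network/virtualNetworks/vnet-a/subnets/snet-clients")

RULES = [
    Rule("allow-tenant-a-clients", "Allow", 100, subnet_id=TENANT_A_SUBNET),
    # Public IPv4 of the NAT gateway in the other tenant (documentation range, constructed).
    Rule("allow-tenant-b-nat", "Allow", 200, cidr="203.0.113.10/32"),
]

# 1) Same-tenant app service calling over the service endpoint: subnet rule matches.
SAME_TENANT = Request(source_ip="10.1.2.3", source_subnet_id=TENANT_A_SUBNET)

# 2) Cross-tenant caller whose subnet has NO Microsoft.Web endpoint: egresses via NAT.
CROSS_TENANT_NAT = Request(source_ip="203.0.113.10")

# 3) Cross-tenant caller whose subnet HAS the Microsoft.Web endpoint: NAT bypassed,
#    the app sees an IPv6 source and the target tenant cannot recognise the subnet.
CROSS_TENANT_VIA_SE = Request(source_ip="2001:db8::1")


if __name__ == "__main__":
    for label, req in [("same-tenant subnet", SAME_TENANT),
                       ("cross-tenant via NAT", CROSS_TENANT_NAT),
                       ("cross-tenant via service endpoint", CROSS_TENANT_VIA_SE)]:
        action, rule = evaluate(RULES, req)
        hint = " (IPv6 source: service-endpoint path)" if looks_like_service_endpoint_source(req.source_ip) else ""
        print(f"{label:36} -> {action:5} by {rule}{hint}")
```

The third scenario is the one to look for in the target app's access logs: if the recorded client address is IPv6, the caller's subnet is reaching the app over the Microsoft.Web service endpoint rather than through its NAT public IP, and no IPv4 rule will ever match it.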