Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
Describe the bug
Following the documentation to enable Private Endpoints on SWAs we noticed that after enabling the private endpoints, as expected, the prod environment will return a 403 when trying to access from machines outside of the Private Endpoint's network and you will be able to see the content when the machine that you are using is in the same VNET as the Private Endpoint, however if we create a staging branch/environment, this one is not returning a 403 as Prod when trying to access from any machines outside of the Private Endpoint's VNET, which seems to be a contradiction with this statement in the documentation.
Additionally, if you try to access that staging url from a VM that it is inside the same network as the Private Endpoint, this one will be rejected and will get a 403, so it seems like the staging branches are behaving the opposite way we should expect based on the documentation.
Through a support ticket, we got confirmation from the Static Web App team that this is indeed an unexpected behavior and that they are already working on a fix for this, however we were unlucky getting an ETA. Opening this GitHub issue in case we could get an update on this problem and any expected date for the fix to be released, as it would help any user that faces with this same concern.
To Reproduce
Steps to reproduce the behavior:
Create a SWA using Standard tier.
Enable Private Endpoints to this SWA.
After successfully enabling Private Endpoints, if you try to open the SWA url from a machine outside the PE network you should face a 403: Forbidden screen.
Next, in order to see the content of the SWA, I linked an Azure VM's vnet inside the PE's Private DNS zone configuration.
Now that you are able to see Prod, create a staging environment for the SWA (used GitHub actions to deploy in this case)
After successfully create the pull request, create and deploy the code in that staging branch, you will notice that if you try to access the staging url from the VM, you will face a 403 and if you try to access from any other network, you will be able to see the content, when this should not be the case.
Expected behavior
The expected would be that both staging, and production environment will be accessible only if reaching through the PE's network/private ip.
Describe the bug Following the documentation to enable Private Endpoints on SWAs we noticed that after enabling the private endpoints, as expected, the prod environment will return a 403 when trying to access from machines outside of the Private Endpoint's network and you will be able to see the content when the machine that you are using is in the same VNET as the Private Endpoint, however if we create a staging branch/environment, this one is not returning a 403 as Prod when trying to access from any machines outside of the Private Endpoint's VNET, which seems to be a contradiction with this statement in the documentation.
https://learn.microsoft.com/en-us/azure/static-web-apps/private-endpoint "This behavior applies to both the production environment as well as any staging environments."
Additionally, if you try to access that staging url from a VM that it is inside the same network as the Private Endpoint, this one will be rejected and will get a 403, so it seems like the staging branches are behaving the opposite way we should expect based on the documentation.
Through a support ticket, we got confirmation from the Static Web App team that this is indeed an unexpected behavior and that they are already working on a fix for this, however we were unlucky getting an ETA. Opening this GitHub issue in case we could get an update on this problem and any expected date for the fix to be released, as it would help any user that faces with this same concern.
To Reproduce Steps to reproduce the behavior:
Expected behavior The expected would be that both staging, and production environment will be accessible only if reaching through the PE's network/private ip.