Microsoft Entra Private Access
Microsoft Entra Private Access provides secure and deep identity-aware, Zero Trust network access to all private apps and resources.
79 questions
AWS Rejecting Traffic from Entra GSA?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 56.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
Chris Conner
0
Reputation points
I am using Entra Global Secure Access in a production environment for web filtering. I'm having an odd issue with a couple of websites. With my GSA client enabled, browsing to the sites results in a 403 error. When I look at the GSA traffic logs on entra.microsoft.com, no traffic is being blocked. I engaged Microsoft TAC. They confirmed the traffic is, in fact, leaving their space, but no response is received. The running theory is that the endpoint, which is in AWS' space is rejecting traffic coming from Microsoft. Unfortunately, I can neither confirm nor deny. I've tried to reach the webmaster for one of the sites, but they have not replied.
With just a couple of exceptions, all other web traffic is flowing as expected.
Has anyone else experienced anything similar with Entra GSA? If so, would you be willing to share your experience and your resolution, if you found one.
Thanks in advance for your help.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 22%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Sakshi Devkante 500 Reputation points Microsoft Vendor2025-01-21T01:58:30.1+00:00 Hello @Chris Conner
Thank you for posting your query on Microsoft Q&A.
Based on what you've said, this might have to do with how the endpoint which is located on AWS is analyzing or screening traffic coming from Microsoft's cloud infrastructure.
To check if the problem still exists, try to access the website directly from the same endpoint, avoiding the Entra GSA client if at all feasible. This can assist in determining whether the issue is with the AWS server or GSA.
To test if it changes the result, you may also think about simulating the traffic from a different source using a proxy or VPN.
It's possible that Microsoft GSA is using specific IP addresses or subnets to route data. Verify if AWS is limiting specific IP ranges (like Microsoft's cloud service IP ranges). You can locate the official paperwork for Microsoft's IP ranges and compare them to any AWS blacklisting.
Directly contacting the hosting company (in this case, AWS) can be helpful as you've attempted to contact the webmaster without success. They are able to conduct a more thorough examination and offer information about any traffic that is being denied or blocked on their end. Additionally, AWS provides services like Guard Duty and AWS WAF, which may be rejecting traffic based on patterns that unintentionally resemble Microsoft's traffic.
Best regards,
Sakshi Devkante
-
Sakshi Devkante 500 Reputation points Microsoft Vendor
2025-01-22T02:08:32.3366667+00:00 Hello @Chris Conner
I am following up to see if the suggestion provided above was helpful to you. If you have any further questions or need additional assistance, please don’t hesitate to reach out.
Best regards,
Sakshi Devkante
-
Sakshi Devkante 500 Reputation points Microsoft Vendor
2025-01-23T02:53:25.5966667+00:00 Hello @Chris Conner
I am following up to see if the suggestion provided above was helpful to you. If you have any further questions or need additional assistance, please don’t hesitate to reach out.
Best regards,
Sakshi Devkante
Sign in to comment
Sign in to answer