I'm experiencing an intermittent 403 Forbidden error on my Azure Function App, and I'm hoping someone can help me troubleshoot this issue. The Function App usually works fine , but occasionally it becomes inaccessible for a specific browser session. When this happens, I get a 403 Forbidden error (Azure blue screen) in one browser session, while at the same time, the same request works fine from Incognito mode or another browser (check out the screenshot ) Clearing cookies in the original browser session fixes the issue. The issue does not seem related to the function's execution, as the API is still accessible from other sessions. My setup: Azure Function App running on a Linux Plan (Premium v3, P0V3) . Inbound traffic configuration: Public network access: Disabled Private endpoints: 1 private endpoint Inbound addresses: 10.5.11.6 Optional inbound services: Azure Front Door (enabled) Outbound traffic configuration: Virtual network integration: Enabled (VNET-PIA-PROD/SNET-PIA-PROD-FUNCTIONS) Hybrid connections: Not configured Outbound DNS: Inherited (from virtual network) Outbound addresses: A set of Azure IPs (listed in screenshot) Integration subnet configuration: NAT gateway: Not configured Network security group: Configured (NSG-PIA-BASE ) User-defined route: Configured (ROUTE-PIA-BASE) What could be causing session-specific 403 Forbidden errors when the same API works in Incognito mode or another browser at the same time? Would really appreciate any insights! Thanks in advance people 🚀

Hello @Oriol Trujillo Based on the information you provided, it appears that the issue is related actually to the browser session and not the function's execution. Clearing cookies in the original browser session fixes the issue, and the API is still accessible from other sessions. One possible cause of this issue could be related to the browser caching. When you cancel a pipeline run, pipeline monitoring often still shows the progress status. This happens because of a browser cache issue. You also might not have the correct monitoring filters. Refreshing the browser and applying the correct monitoring filters might help resolve the issue. Another possible cause could be related to the network security group (NSG) configuration. The NSG might be blocking traffic from the original browser session, but allowing traffic from other sessions. You might want to review the NSG rules to ensure that they are not blocking traffic from the original browser session. Lastly, it could be related to the Azure Front Door configuration. You might want to review the Front Door configuration to ensure that it is not blocking traffic from the original browser session. I hope this helps

Intermittent 403 Forbidden Error on Azure Function App (Linux Plan, Private Endpoint, Premium V3)

Oriol Trujillo 0

I'm experiencing an intermittent 403 Forbidden error on my Azure Function App, and I'm hoping someone can help me troubleshoot this issue.

The Function App usually works fine, but occasionally it becomes inaccessible for a specific browser session.
When this happens, I get a 403 Forbidden error (Azure blue screen) in one browser session, while at the same time, the same request works fine from Incognito mode or another browser (check out the screenshot )

Clearing cookies in the original browser session fixes the issue.

The issue does not seem related to the function's execution, as the API is still accessible from other sessions.

My setup:

Azure Function App running on a Linux Plan (Premium v3, P0V3).
Inbound traffic configuration:
- Public network access: Disabled
- Private endpoints: 1 private endpoint
- Inbound addresses: 10.5.11.6
- Optional inbound services: Azure Front Door (enabled)
Outbound traffic configuration:
- Virtual network integration: Enabled (VNET-PIA-PROD/SNET-PIA-PROD-FUNCTIONS)
- Hybrid connections: Not configured
- Outbound DNS: Inherited (from virtual network)
- Outbound addresses: A set of Azure IPs (listed in screenshot)
Integration subnet configuration:
- NAT gateway: Not configured
- Network security group: Configured (NSG-PIA-BASE )
- User-defined route: Configured (ROUTE-PIA-BASE)

Imagen cargada

What could be causing session-specific 403 Forbidden errors when the same API works in Incognito mode or another browser at the same time?

Would really appreciate any insights! Thanks in advance people 🚀

Khadeer Ali 3,430 Reputation points Microsoft Vendor

2025-01-30T16:20:55.16+00:00

@Oriol Trujillo ,

Welcome to Microsoft Q&A Platform!

Thanks for reaching out.

The intermittent 403 Forbidden error on your Azure Function App, specifically tied to browser sessions and resolved by clearing cookies, strongly suggests an authentication or authorization issue related to session management. Even though the API works in other contexts, the problem lies in how the browser is presenting credentials or tokens.

Your Function App likely uses some form of authentication (e.g., Azure AD, API Keys). The browser caches these tokens. If a cached token expires or becomes invalid, the request fails with a 403. Incognito mode or a different browser starts with a fresh session, acquiring a new, valid token. This is the most likely cause.
Which browser are you using?

Are you getting the error on refreshing the page?

Are you seeing the issue in other browsers as well?
Oriol Trujillo 0 Reputation points

2025-01-31T10:16:13.49+00:00
Hi @Khadeer Ali ,

Thanks a lot for your early reply! So glad to find a helping hand for this.

Yes, i'm still getting the error on refreshing the page

It happened to me in all the 3 browser that I tried: Chrome, Firefox & Edge.

And that's the thing, for some endpoints (like the one I'm using to report this error) I don't use any type of authentication per se, it's like auth / tokens free but the access is restricted because only inbound traffic from a Private Endpoint of the specified Virtual Network is allowed, and can only be accessed from a VPN (with its firewall and so on).

It's like the whole webapp (front, backend & other services) runs on an "intranet" only accessible from that VPN.

That's why I can't figure out why the access i being not permitted from certain browser sessions intermittenly.
Khadeer Ali 3,430 Reputation points Microsoft Vendor

2025-01-31T14:57:52.71+00:00

@Oriol Trujillo ,

Thanks for the details.

You're getting intermittent 403 Forbidden errors on your Azure Function App, even though it doesn't require authentication and is restricted by Private Endpoint/VNET. The fact that it works sometimes, including in Incognito, tells us it's probably not a simple DNS issue. It's more likely a transient network problem or something related to how your browser is handling connections.

While a simple network problem would likely affect Incognito too, more subtle network issues (router problems, firewall rules, or VPN-specific problems) could explain why Incognito sometimes works. It's still worthwhile to try restarting your network devices (router, computer, VPN) and checking for any network congestion. Even if Incognito works sometimes, a network problem is still a very plausible explanation for intermittent connectivity issues.
Khadeer Ali 3,430 Reputation points Microsoft Vendor

2025-02-04T16:07:12.6433333+00:00

@Oriol Trujillo ,

Just following up again to see if you were able to resolve the issue or if there's anything else I can assist you with. Let me know if you need further help
Oriol Trujillo 0 Reputation points

2025-02-04T18:04:58.4066667+00:00

@Khadeer Ali thanks for the follow up. None of the above worked (it takes some hours for me to test it since I can't really reproduce the error, instead I just wait for it to show up, and it did). Anyways, if it was transient network issue I wouldn't be able to reach out the server from other browsers simultaneously. I think, because of the lack of documentation of this issue, that it has to be a coupling between the fact that I connecting through a certain VPN and the Azure Function. But it doesn't makes sense that Azure denies the requests due to long or repetitive requests from the same IP because changing the cookies or the browsers fixes the problem.

To be honest I'm quite lost.

1 answer

Pinaki Ghatak 5,575 Reputation points Microsoft Employee

2025-02-07T09:59:10.0033333+00:00

Hello @Oriol Trujillo

Based on the information you provided, it appears that the issue is related actually to the browser session and not the function's execution. Clearing cookies in the original browser session fixes the issue, and the API is still accessible from other sessions.

One possible cause of this issue could be related to the browser caching. When you cancel a pipeline run, pipeline monitoring often still shows the progress status. This happens because of a browser cache issue.

You also might not have the correct monitoring filters. Refreshing the browser and applying the correct monitoring filters might help resolve the issue.

Another possible cause could be related to the network security group (NSG) configuration. The NSG might be blocking traffic from the original browser session, but allowing traffic from other sessions.

You might want to review the NSG rules to ensure that they are not blocking traffic from the original browser session.

Lastly, it could be related to the Azure Front Door configuration. You might want to review the Front Door configuration to ensure that it is not blocking traffic from the original browser session.

I hope this helps
Please sign in to rate this answer.
Oriol Trujillo 0 Reputation points

2025-02-13T12:17:15.24+00:00

Thanks @Pinaki Ghatak and @Khadeer Ali ,

The error occurred again to my client and send this screenshot were the status code is "403 IP Forbidden".

However, it does not seem to be an IP blocking per se, since Incognito mode, clearing the cookies or opening another browser fixes the issue and none of those actually change the IP.

The Azure Function Network configuration:

Inbound traffic:

Public internet traffic is disabled and all the inbound traffic is allowed through a Private Endpoint.

Outbound traffic:

The outbound Virtual Network has DDoS protection and Azure Firewall disabled. And everything was disabled in Microsoft Defender for Cloud.

Network Security Group (NSG):

Here's a screenshot of the Network Security Group, since both suggested the issue could arise from here. But since I can still access the Azure Function from the same IP clearing cookies, from incognito or changing the browser, doesn't seem to be caused by a rule blocking the traffic to my or my clients IPs.

I hope this helps clarify what causes the temporal blocking from specifi browser sessions or how refresh this "session" programatically.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Intermittent 403 Forbidden Error on Azure Function App (Linux Plan, Private Endpoint, Premium V3)