App service VNet Integration doesn't work correctly when using a default TcpClient

[jgoyvaerts]

Situation:

• Setup an app service and a vm which you want to reach from the app service.
• Integrate everything with VNet integration
• Attempt to connect from the App service to the VM by using a default TcpClient

using (TcpClient client = new TcpClient())
{
    await client.ConnectAsync("10.0.0.2", 1234);
}

The TcpClient will default to a IPv6 socket (because the OS supports it), and an exception will occur:
ExtendedSocketException: An attempt was made to access a socket in a way forbidden by its access permissions [ipv6 address]

Setting the tcpclient explicitly to AddressFamily.InterNetwork fixes the issue, but this isn't a solution when using third party libraries to perform the connection.

Not sure if this is a bug in .NET core or azure app service, but it severely limits the use of App Service VNet integration

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: a7a98803-1438-b1b5-f543-7dd88bc4294e
• Version Independent ID: 37ff1d0f-ed8e-5e4d-1f4c-1b9f6cffb938
• Content: Integrate app with Azure Virtual Network - Azure App Service
• Content Source: articles/app-service/web-sites-integrate-with-vnet.md
• Service: app-service
• GitHub Login: @ccompy
• Microsoft Alias: ccompy

[DixitArora-MSFT]

Hi @jgoyvaerts Thanks for reaching out. We will review and update as appropriate.

[AjayKumar-MSFT]

Apologies for the delay! We had been checking on this internally. Your feedback has been shared with the content owner for further review.

[HoLengZai]

Hi,
Any update on that issue?
It seems I got a similar issue. When I send an email from my App Service without the Application Settings WEBSITE_VNET_ROUTE_ALL=1, I can send an e-mail to smtp.office365.com:587 without any issue using .Net Core 3.1 but as soon I set the value to route all outbound to the Vnet with the Vnet integration, i got the following message:

 System.Net.Mail.SmtpException: Failure sending mail.
  ---> System.Net.Internals.SocketExceptionFactory+ExtendedSocketException (10013): An attempt was made to access a socket in a way forbidden by its access permissions. [::ffff:40.101.12.98]:587

In the meantime, i'm going to use Mailkit as recommended on MS docs to handle modern auth mode. Hope this issue will be fixed soon

[HoLengZai]

Hi,
I got a ticket with MS Support, and indeed the issue is that some client libraries don't force IPv4 (as TcpClient) as the virtual NIC installed on the App Services workers (for regional VNet integration) don't support IPv6.

Since SmtpClient relies on TcpClient, using Mailkit fixed my issue to send e-mail to smtp.office365.com:587.

In the meantime, it will be great that this issue is documented on MS docs website
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration

[fgarcia-cnb]

We just experienced the same issue with the System.Net.Mail smtpclient. Mailkit works, but we also got another possible fix from MS support: Add the following app setting:

WEBSITE_VNET_SUPPORT_DUAL_STACK_SOCKETS=1

did the trick for us

[JohnYoungers]

@fgarcia-cnb that setting resolved our problem yesterday as well: Thank you!

What are the odds I'd be viewing an issue that hasn't been commented on in 6 months and a magical solution appears that moment.

[RyanHill-MSFT]

Apologies for the delayed response regarding adding WEBSITE_VNET_SUPPORT_DUAL_STACK_SOCKETS but glad it was able to resolve the issue.

[lonevvolf]

Is the WEBSITE_VNET_SUPPORT_DUAL_STACK_SOCKETS setting documented anywhere other than here?

[RyanHill-MSFT]

I didn't see @lonevvolf. I'll get this added to https://docs.microsoft.com/en-us/azure/app-service/reference-app-settings?tabs=kudu%2Cdotnet and mention it usage in this doc.

Apologies for that.

[techmantel]

@RyanHill-MSFT Can't find this in the documentation link you referred to. As a matter of fact, can't find it anywhere in any official documentation. Am I just bad at googling or is it still not documented? 😅