Add articles/azure-app-configuration/rest-api-network-errors.md

austintolani · austintolani · commit db6de48601dd · 2025-12-17T17:41:42.000Z
diff --git a/articles/azure-app-configuration/TOC.yml b/articles/azure-app-configuration/TOC.yml
@@ -380,6 +380,8 @@
           href: ./rest-api-consistency.md
         - name: Common headers
           href: ./rest-api-headers.md
+        - name: Network access errors
+          href: ./rest-api-network-errors.md
         - name: Throttling
           href: ./rest-api-throttling.md
         - name: Versioning
diff --git a/articles/azure-app-configuration/rest-api-network-errors.md b/articles/azure-app-configuration/rest-api-network-errors.md
@@ -0,0 +1,47 @@
+---
+title: Azure App Configuration REST API - Network access errors
+description: Reference page for network access errors when using the Azure App Configuration REST API
+author: maud-lv
+ms.author: malev
+ms.service: azure-app-configuration
+ms.topic: reference
+ms.date: 12/17/2024
+---
+
+# Network access errors
+
+This article describes network access related errors that can occur when making requests to the Azure App Configuration data plane. 
+
+## IP address rejected
+
+When public network access is disabled for a configuration store, requests will be rejected unless they meet the criteria for inbound access.
+
+### Error response
+
+```http
+HTTP/1.1 403 Forbidden
+Content-Type: application/problem+json; charset=utf-8
+```
+
+```json
+{
+  "type": "https://azconfig.io/errors/ip-address-rejected",
+  "title": "Access to this resource is governed by a network access policy. The client IP address fails to meet the criteria for access.",
+  "status": 403
+}
+```
+
+**Reason:** The configuration store has public network access disabled and the IP address that the request originates from doesn't meet the criteria for inbound access.
+
+**Solution:** 
+
+- When a configuration store has public network access disabled, requests must originate from within a virtual network via a private endpoint.
+- Verify that the client making the request is within a virtual network and the relevant [DNS changes](./concept-private-endpoint.md#dns-changes-for-private-endpoints) are in place to ensure the endpoint of the store resolves to the IP address of a private endpoint.
+- Verify that the private endpoint connection associated with the private endpoint has been approved. 
+
+## Related documentation
+
+- [Use private endpoints for Azure App Configuration](./concept-private-endpoint.md)
+- [Set up private access in Azure App Configuration](./howto-set-up-private-access.md)
+- [Disable public access in Azure App Configuration](./howto-disable-public-access.md)
+- [Troubleshoot Azure Private Endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md)
diff --git a/articles/azure-app-configuration/rest-api.md b/articles/azure-app-configuration/rest-api.md
@@ -27,5 +27,6 @@ The documentation on the [control plane](../azure-resource-manager/management/co
 - [Authorization](./rest-api-authorization-index.md)
 - [Consistency Model](./rest-api-consistency.md)
 - [Common Headers](./rest-api-headers.md)
+- [Network Access Errors](./rest-api-network-errors.md)
 - [Throttling](./rest-api-throttling.md)
 - [Versioning](./rest-api-versioning.md)
