API MANAGEMENT block custom domain - azure

We have an API management instance and we have set up 2 custom domains, one public and one private:
Some API's have to be reachable only internally with api-internal.domain.com. It works but I see that if I configure both custom domains, api-internal.domain.com is configured only on private DNS zone, that API's are reachable also from api.domain.com.
Is the beavhior correct? I want to setup on APIM in some way api-internal.domain.com to be reachable only internally. I'm reading the doc microsoft and I can with policy but the API's are always reachable from public domain, they will be blocked but I want to avoid it.
Thanks

That is by design, as long as the service is not deployed to a VNET (internal mode), the default and custom domains will always have public Azure DNS records pointing to the public IP address.
The solution here is to deploy your service to a VNET (internal mode) and expose the public Apis to the internet using an application gateway that is configured to use path-based routing with your public domain to be configured to point to the application gateway public IP address. Regarding your internal Apis you can configure your private domain to be pointing to the internal IP address (private load balancer) of the APIM service.
See the below resources
https://learn.microsoft.com/en-us/azure/application-gateway/create-url-route-portal
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

Related

Azure Virtual Machine cannot resolve DNS entry of Application Gateway

I have the following situation:
If I deploy an application (Deployment, Service and Ingress) in my kubernetes cluster, my ingress deployment is being automatically added to my application gateway (I am using the Azure Application Gateway Ingress Controller; https://azure.github.io/application-gateway-kubernetes-ingress/annotations/ ). So far so good.
That means that my application can be reached via my application gateway via https://my-app-gateway-public-ip/myAppPath/. Also, I have an additional private DNS zone which makes my app accessible via https://dns-name/myAppPath.
Additionally, we have an AADDS in combination with a Bastion Service. Deployed some virtual machines and the virtual machines use the DNS resolver of the AADDS (for authentication against the AAD).
The problem is: If I am outside of the cloud, I can nslookup the dns or can access the site via the ip, but I cannot do that with my virtual machines. My DNS server (within the AADDS) is unable to resolve the dns or accessing the ip. I am wondering what the issue is.
The bastion and AADDS are in different subscriptions and therefore different virtual networks. I established already a peering between those virtual networks (or the authentication between the AADDS and the VMs wouldn't work).
The kubernetes cluster and the application gateway are also in a different subscription, but no peering has been done so far.
Are there any hints what I could be missing?
Kind regards
• Since, you are using a Bastion gateway server to connect to the VMs hosted in your subscription, the Bastion gateway server must be having a public IP address through which then the registered underlying VMs can be connected to via private links created in the private DNS zones associated with a particular virtual network in a subnet and an assigned private IP address and a FQDN accordingly. Thus, if you want to access the application website hosted behind the application gateway, then you will have to create a conditional forwarder in the DNS zone in AADDS to redirect the internal requests from the VMs hosted within a virtual network to the public IP address of the website hosted behind the application gateway
• Thus, a conditional forwarder forwards the DNS resolution requests for a particular resource hosted on the public internet for which the DNS host resolution is not found or done in that DNS zone which usually serves or fulfils the requests related to internal environment. As a result, when a VM configured with a private IP is registered as a host in the internal DNS zone queries the public IP or FQDN associated with the application’s website, the DNS requests are forwarded to the public internet through the conditional forwarder and then the results are displayed in the VM’s browser for the application’s webpage. Thus, the VMs don’t need to have internet access but the DNS server should have or should forward the requests through the Internet proxy server accordingly to reach the internet.
For more information on creating conditional forwarder in AADDS, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-dns#create-conditional-forwarders

App Gateway configuration with Private Endpoint enabled web apps

I am trying to expose my Front End and Function Web Apps using App Gateway. Both of those apps belong to one app service plan.
They are also private endpoint enabled and VNET integrated.
I have databricks in another tenant which needs to feed data to my Function App
So for that reason i need to expose my Function App.
As for the Front End App, it needs to be accessed by all the employees belonging to a particular business unit.
So my question is , when i am configuring listeners, and the backend pool, should i be using the *.privatelink.azurewebsites.net FQDN or the normal *.azurewebsites.net FQDN as the backend pool ?
When you are using Private Endpoint, you already have a CNAME which maps *.privatelink.azurewebsites.net to *.azurewebsites.net and you also have an 'A' record for your private endpoint.
So while configuring App Gateway with Private Endpoint enabled web apps, what is it that you should be using as your backend
You have to use the normal *.azurewebsites.net FQDN instead of the private link one. This normal FQDN automatically resolves to the private link FQDN. The normal FQDN will throw an error when called from a public network when a private endpoint is attached to it because it cannot resolve the private address so your service isn't exposed anymore for the outside world (unless they have public access through your application gateway of course)

Azure - Application Gateway without public IP

I'm trying to deploy my application on Azure. Currently, I have an application gateway deployed in one subnet s1, and in the backend pool I have Linux VMs. As per the requirement, I cannot use any public ip so, I'm using only private ip on Application Gateway. Since we need the internet connection at the time of deploying application, I tried attaching NSG to the Application Gateway's subnet with inbound "Internet" allowed. When I attached the NSG to application gateway subnet, the backend health showed as unhealthy with error:
"Cannot connect to server. Check whether any NSG/UDR/Firewall is blocking access to server. Check if application is running on correct port."
I tried to add rules specified in MSFT's document https://learn.microsoft.com/en-us/azure/application-gateway/configuration-overview#allow-application-gateway-access-to-a-few-source-ips but its not helpful. So my questions are:
Is there anything more I need to add to NSG on application gateway's subnet.
Is it a good strategy to allow internet access using the inbound rule on NSG? (Inbound rule -> service tag -> Internet). Is there any other way I can have internet access just at the time of deployment? PS: I'm not allowed to use public IP at all.
Many thanks!
You can deploy Application Gateway with Public IP and Private IP. All you need to do is to create the listener with the private Frontend IP and leave the Public IP as such.
Since Public IP is not attached with any of the listener, no one will be able to access your site from Internet via Public IP of your Application Gateway.
When AppGW needs to initiate outbound to Internet, it uses that Public IP.
Note: You cannot have only Private IP as Frontend in V2 deployment and you can deploy Application Gateway with only Private Frontend IP in V1 SKU.

Whitelisting Application Gateway (WAFv2) Frontend IP results in 403 on App Service using access restrictions

My health probe fails with a 403 as soon as I apply whitelisting to the App Service configured in the backend pool (I whitelist the IP that's assigned to the application gateway. IP is a standard tier and static.
Has anyone else been seeing this issue before? I was under the impression that I could whitelist the public IP assigned to the application gateway on the App Service so access is only possible from the Application Gateway endpoint.
The health probe is successful when I remove the whitelisting. So I'm sure it has something to do with that.
According to the document,
If the backend pool:
Is a public endpoint, the application gateway uses its frontend public
IP to reach the server. If there isn't a frontend public IP address,
one is assigned for the outbound external connectivity.
Contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using
its instance private IP addresses.
Contains an external endpoint or an externally resolvable FQDN, the
application gateway routes the request to the backend server by using
its frontend public IP address. The DNS resolution is based on a
private DNS zone or custom DNS server, if configured, or it uses the
default Azure-provided DNS. If there isn't a frontend public IP
address, one is assigned for the outbound external connectivity.
Thus, you may use an internally resolvable FQDN or a private IP address of the backend app service in the backend pool.
In this case, you could change to use the default Azure app service hostname like webappname.azurewebsites.net or whitelist the internal app gateway subnet (where the application gateway instance private IP address) in the access restrictions of app service.

Azure Virtual Machines(ARM) | Application Gateway | Private ip | DNS

I have an Internal application gateway configured in Azure. There is one virtual machine in the back end pool of application gateway which hosts the application. That is accessible via Intranet only.
I want the IP address of my internal application gateway to be associated to a domain name for my website?? How can i achieve this?
If you want to use a domain name, that means the application gateway needs to have a public IP address. In the gateway settings in the Azure portal, you can add a public IP address to the frontend configuration.
Looks like you already managed to put the backend of the gateway on the virtual network, that's good.
Next, you want to create a listener on the ports you need, for example 80 or 443. This is also done on the gateway configuration in the portal.
Finally, to use a domain name, you need to take the public IP address and put it in an A-record for the domain name. This would probably be in a config page with your service provider.

Resources