I have multiple Azure Functions that are invoking external APIs, and I want all the requests to come from a single IP or a set of IPs so that the external APIs can whitelist my Azure Functions.
Question: find a way to have a small set of outbound static IPs for Azure Functions in a multi-AZ deployment, preferably using serverless or managed services.
Attempt 1 Deployment diagram:
Problem with this: the NAT Gateway is only in one AZ (even if we choose no zone).
Attempt 2
According to the best practices for NAT Gateway, you can have one NAT gateway per AZ if all the resources inside that subnet are in a single AZ (link).
Problem: I don't know if it's possible to restrict an Azure Function to a specific AZ.
Attempt 3
Azure Firewall is one alternative that I explored, but it is too expensive for our needs ($900 per month per instance without any traffic; if I understood correctly, $1,800 for 2 AZs), while the NAT Gateway cost is around $35 per instance without any traffic.
Any suggestions, or things that I did not understand correctly?
Azure Consumption plans do not offer any "advanced" networking features. You need to look at the Premium plans.
Azure Functions Premium will offer the multi-AZ feature, but it will then have one "active" instance per AZ.
You can then also integrate it into a VNet and control the traffic flow.
Another option would be to use the egress IPs of the App Service Plan (requires Premium or an App Service Plan S1 or higher).
But Premium Functions also come at a price, and Consumption functions do not offer any networking features.
https://azure.microsoft.com/en-us/pricing/details/functions/
I have an Elasticsearch cluster that I need to access using an Azure Functions App. The current way to access it is via an IP whitelist. I've created my consumption plan Azure Functions and noticed that the IP address kept changing and after further research found that I'd need to whitelist the whole Azure Cloud which is not a secure option in our case. So I've upgraded Azure Functions to Premium plan and thus the VNet Integration appeared in the app settings allowing me to create a Virtual Network and a static Outbound IP Address.
Now it is working.
But since I'm using the Premium plan and the other mentioned services, the cost went up.
I've experimented with Azure Data Factory in the past and there was an option to install a local Integration Runtime so when ADF was accessing Elasticsearch via the Local Integration Runtime, it worked. Is there something similar I can use with Azure Functions? Like a Data Gateway I can install on a local server that is already whitelisted on Elasticsearch and all I'd need to do is connect from Azure Functions through it?
I guess the ideal scenario I'm looking for is to be able to use a Consumption Plan on Azure Functions.
Kind Regards,
Andrei
Just to close this one: in the end, I've used a Standard App Service Plan (S1) (costs $74|£51/month or about $2.5|£1.7/day). I've had to create a static outbound IP, a NAT Gateway (which costs about another $30|£23/month or $1|£0.77/day) and a VNet.
The tutorial can be found here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-nat-gateway
Another option that I've considered to reduce cost was to use a Hybrid Connection, which would install a sort of gateway on a local server to which Azure Functions would connect first before reaching the ES endpoint. That would eliminate the need for the outbound IP, NAT Gateway and VNet (so $30 less per month) but would still require at least an S1, so no option on consumption-based, and I don't know if there is any charge associated with this. However, we didn't go with this option as we want to eliminate any local dependencies (e.g. if the server where the gateway is running were to shut down).
To sum up: use an S1, follow the tutorial mentioned above, and it should cost about $104|£74/month.
I am trying to solve a problem. I have to access APIs that are hosted on my on-premises server (on-prem) from an Azure-hosted Web API.
The problem is that my on-prem server only allows whitelisted IPs. I know we can get outbound IPs from our Web App (Azure hosted), but I am not sure whether they are static or will change based on scaling.
Another solution is to create a VNet and add that Web App into that VNet. But I would like someone to suggest better solutions.
There are a couple of choices you have.
First, you can have a look at the possibleOutboundIpAddresses of your App Service and whitelist these IPs. This, however, also opens up the door for IPs not really in use by your App Service.
az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv
Secondly, you can put a NAT Gateway in front of your App Service. This, however, requires an App Service Plan that supports virtual network integration.
1) Configure regional virtual network integration from within your App Service.
2) Force all outbound traffic originating from that app to travel through the virtual network. This is done by setting the WEBSITE_VNET_ROUTE_ALL=1 property in your web app configuration.
3) Create a public IP address.
4) Add a NAT gateway, attach it to the subnet that contains the App Service and make use of the public IP created in step 3.
If you would also like to use a static inbound IP, you can find more information here.
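The NAT Gateway steps above written out as az CLI calls, as an added example that is not from the original answer. It assumes a VNet named vnet-egress (10.0.0.0/16) already exists, uses constructed names (rg-egress, my-app, snet-egress, pip-egress, nat-egress), and with DRY_RUN=1 prints each command instead of executing it; for a Function App, swap `az webapp` for `az functionapp` in the integration and appsettings calls.

```shell
#!/bin/sh
# Added example: the four NAT Gateway steps as az CLI calls.
# Assumed names: rg-egress, my-app, vnet-egress, snet-egress, pip-egress, nat-egress.
set -eu

run() {
  # With DRY_RUN=1 the command is printed instead of executed, so the plan
  # can be reviewed without a subscription (and without changing anything).
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

nat_egress_setup() {
  rg="$1"; app="$2"; vnet="$3"; subnet="$4"; pip="$5"; nat="$6"

  # Dedicated subnet for regional VNet integration (must be delegated to Web).
  run az network vnet subnet create --resource-group "$rg" --vnet-name "$vnet" \
      --name "$subnet" --address-prefixes 10.0.1.0/24 \
      --delegations Microsoft.Web/serverFarms

  # Step 1: regional VNet integration for the app.
  run az webapp vnet-integration add --resource-group "$rg" --name "$app" \
      --vnet "$vnet" --subnet "$subnet"

  # Step 2: route ALL outbound traffic through the VNet, not only private ranges.
  run az webapp config appsettings set --resource-group "$rg" --name "$app" \
      --settings WEBSITE_VNET_ROUTE_ALL=1

  # Step 3: a Standard-SKU static public IP (NAT Gateway requires Standard).
  run az network public-ip create --resource-group "$rg" --name "$pip" \
      --sku Standard --allocation-method Static

  # Step 4: NAT gateway using that IP, attached to the integration subnet.
  run az network nat gateway create --resource-group "$rg" --name "$nat" \
      --public-ip-addresses "$pip" --idle-timeout 10
  run az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" \
      --name "$subnet" --nat-gateway "$nat"

  # The single address to hand to the external API owner for allow-listing.
  run az network public-ip show --resource-group "$rg" --name "$pip" \
      --query ipAddress --output tsv
}

# Usage: DRY_RUN=1 then
#   nat_egress_setup rg-egress my-app vnet-egress snet-egress pip-egress nat-egress
```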
The outbound IPs for Azure App Service are generally static and will not change on scaling. There are normally 4 outbound IPs, and they only change if you change the SKU or there is a need at the MS end to increase the capacity of their data center (rare, or may never happen in the near future).
I would recommend creating a VNet as that is more secure than whitelisting IPs at your on-prem service. But if you want to whitelist the outbound IPs, I would recommend creating a wrapper for your on-prem APIs in Azure and whitelisting the IPs for these in your on-prem firewall. This will ensure that you don't have to whitelist every time you want to create an API in Azure that needs to access on-prem APIs.
Unfortunately there is no straightforward way to do this in Azure for App Services; I also had this issue recently.
The only solution (for now anyway) is to add the list of outbound IPs of the App Service to your allow rules.
Just be careful with scaling between the tiers, because it will change the outbound IP addresses. (https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#when-outbound-ips-change)
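A drift check for the allow-list approach discussed in the answers above (the possibleOutboundIpAddresses query, and the warning that the addresses change when the tier changes), added here as an example rather than taken from any answer. missing_ips is pure shell and runs offline on constructed addresses; check_app_egress needs the az CLI and a real app name.

```shell
#!/bin/sh
# Added example: detect App Service outbound IPs that the on-prem firewall
# does not allow yet, so a SKU change does not silently break (or widen) access.
set -eu

# Print every address in $2 that is absent from $1.
# Both are comma-separated lists, the format `az ... --output tsv` prints.
missing_ips() {
  allow="$1"; candidates="$2"
  # Trailing newline so the last element is read too.
  printf '%s\n' "$candidates" | tr ',' '\n' | while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    # Comma delimiters prevent 203.0.113.1 from matching 203.0.113.10.
    case ",$allow," in
      *",$ip,"*) ;;               # already allow-listed
      *) printf '%s\n' "$ip" ;;   # drift: not in the firewall rule yet
    esac
  done
}

# Live check: compare the superset of addresses the app may ever use
# (possibleOutboundIpAddresses) with the firewall's current allow-list.
check_app_egress() {
  rg="$1"; app="$2"; allow="$3"
  possible=$(az webapp show --resource-group "$rg" --name "$app" \
             --query possibleOutboundIpAddresses --output tsv)
  missing=$(missing_ips "$allow" "$possible")
  if [ -n "$missing" ]; then
    printf 'ALERT: egress IPs not in firewall allow-list:\n%s\n' "$missing"
    return 1
  fi
  echo "OK: every possible outbound IP is allow-listed"
}

# Usage (constructed allow-list; run from a scheduled job and alert on exit 1):
#   check_app_egress rg-egress my-app "203.0.113.10,203.0.113.11"
```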
The simplest way would be to use an Azure VM with a static public IP which is used for both inbound and outbound.
Sam Cogan has a good blog post where he goes through a couple of options.
(https://samcogan.com/obtaining-a-static-outbound-ip-from-an-azure-virtual-network/)
A hybrid connection might be a solution (https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections). I think they are designed for accessing on-premises services.
How do I implement Azure Traffic Manager for Azure API Management? I am confused by the implementation steps.
What I've tried:
Consider I have two APIs in two regions.
1) http://xxxxx.azure-api.net/application1/service
2) http://xxxxx.azure-api.net/application2/service
So, how do I implement it?
First I created a Traffic Manager profile and got an address like mysite.traffic-manager.net. After that I gave the DNS name (FQDN) as xxxxx.azure-api.net.
So, what is the next step?
Get a DNS certificate for mysite.traffic-manager.net and use that to set up a custom hostname, mysite.traffic-manager.net, on both APIM services. Set up TM to forward calls to XXX.azure-api.net and YYY.azure-api.net. Optionally set up health probes for /status-0123456789abcdef to monitor APIM status and take it out of rotation if the service is down for some reason.
Or scale up to the Premium tier and use the multi-geo feature to add a second region to a single APIM service. Then all you need to do is set up the custom hostname; TM will be created internally with the performance profile. Although that is more expensive than having two Basic/Standard services with a custom TM in front.
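The first option from the answer above (a Traffic Manager profile with health probes in front of two APIM services) as az CLI calls, added here as an example and not part of the original answer. Resource group rg-apim, profile name mysite and the two azure-api.net hostnames are constructed; with DRY_RUN=1 the commands are printed rather than run.

```shell
#!/bin/sh
# Added example: Traffic Manager fronting two APIM services with health probes.
# Assumed names: rg-apim, mysite, apim-east.azure-api.net, apim-west.azure-api.net.
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

tm_front_apim() {
  rg="$1"; profile="$2"; east="$3"; west="$4"

  # Performance routing. Probe each APIM over HTTPS at its built-in status
  # path so an unhealthy region is taken out of DNS answers automatically.
  run az network traffic-manager profile create --resource-group "$rg" \
      --name "$profile" --unique-dns-name "$profile" \
      --routing-method Performance --protocol HTTPS --port 443 \
      --path /status-0123456789abcdef --interval 30 --timeout 10 --max-failures 3

  # APIM gateways are not TM-aware Azure resources, so add them as external
  # endpoints; the location drives the performance routing decision.
  run az network traffic-manager endpoint create --resource-group "$rg" \
      --profile-name "$profile" --name east --type externalEndpoints \
      --target "$east" --endpoint-location eastus
  run az network traffic-manager endpoint create --resource-group "$rg" \
      --profile-name "$profile" --name west --type externalEndpoints \
      --target "$west" --endpoint-location westeurope

  # Both APIM services still need the TM DNS name as a custom hostname with
  # a matching certificate, since clients present that name in SNI and Host.
}

# Usage: DRY_RUN=1 then
#   tm_front_apim rg-apim mysite apim-east.azure-api.net apim-west.azure-api.net
```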
I would like to create a simple architecture on Azure. My high level design is very similar to the picture below (source: https://www.import.io/post/using-amazon-lambda-and-api-gateway/)
I do want to access the internal services via Azure API Management. What I can see on the Microsoft documentation page is that this simple and secure architecture is not mentioned as a reference:
https://learn.microsoft.com/en-us/azure/container-service/container-service-kubernetes-walkthrough
I have the following issues:
API Management cannot be assigned to a virtual network if at least one NIC is using the same network (why?).
Even with peered virtual networks I cannot access the 10.244.X.0/24 network (pods' network), because only 10.240.0.0/16 is owned by the k8s virtual network. How can I access cluster IPs (10.0.0.0/16) and pod IPs (10.244.0.0/16)?
Well, you don't need an extra VNet, just an extra subnet. That subnet could lie within your existing VNet. The size of the subnet can be the smallest /29 that Azure supports.
The extra subnet requirement for API Management comes from the fact that it is built on PaaS V1 (Classic) technology. While we can deploy into a Resource Manager VNet (V2 layer), there are consequences to that. The Classic deployment model in Azure is not tightly coupled with the Resource Manager model, so if you create a resource in V2, V1 doesn't know about it and problems can happen, such as API Management trying to use an IP that is already allocated to a NIC (built on V2).
To learn more about the difference between the Classic and Resource Manager models in Azure, refer to the blog post difference between Classic and ResourceManager models.
The answer is basically YES although the setup is not trivial.
You need:
One extra VNet for API Management (EDIT: an extra subnet is enough)
One Service (Kubernetes terminology)
Steps:
Peer the Kubernetes VNet and the extra VNet you have created (test it).
API Management -> Virtual network: change to External.
Choose as virtual network the extra VNet (let's call it 'apimgmntvnet') and a subnet.
Save it! Drink a beer because it took me 1h!
Meanwhile, expose your deployment internally:
kubectl expose deployment app --port=<serviceport> --name=app --target-port=<containerport> --type=NodePort
(NodePort is important! The LoadBalancer type triggers Kubernetes to dynamically configure the Azure external LB for the Kubernetes install.)
Check the node IP:PORT in the Kubernetes (kubectl proxy) UI.
API Management -> Publisher portal: modify your API to point to the IP address (AgentIP:30361).
Theoretically it should work. It is advised to start with a VM in the apimgmntvnet and try peering first from the VM, and then delete it (API Management cannot be part of a VNet where at least one NIC is present (?!)).
What is the AWS security groups equivalent in Azure?
If there is one in Azure, is it only for the PaaS services or also for IaaS?
According to the Amazon EC2 documentation, a security group is just a single point for firewall settings applied to a given instance:
"A security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an instance, you assign it one or more security groups. You add rules to each security group that control traffic for the instance."
In Windows Azure you have to set these rules on a per-instance or per-service basis; there is no way to define some rules and apply them automatically to all instances.
But you can use PowerShell cmdlets for automating this task for your services.
Firewall rules apply mostly to PaaS: for your web/worker role services and for SQL Azure. In the case of IaaS there are two sides: your VM with a custom software firewall (depending on your OS etc.) and the endpoints you create and manage in the Azure Portal that relay in- and outbound traffic to your VM.
Azure Network security groups and other related improvements were announced today:
http://weblogs.asp.net/scottgu/azure-new-marketplace-network-improvements-new-batch-service-automation-service-more
Network Security Groups in Azure are the option you are looking for. But there is no option to create them directly; they can be created while creating Virtual Machines and can be associated with multiple Virtual Machines. For more detail:
http://tehcbase.com/aws-security-group-equivalent-in-microsoft-azure/