Whitelisting Azure Kubernetes external IP in azure App Service - azure

I have an ingress controller load balancer for a Kubernetes cluster which has an external IP.
I have another App Service which has network restrictions. I should be able to access this App Service with the external IP of k8s that I have from the above load balancer by whitelisting it.
I have whitelisted it but it is not working and it is giving 403 Forbidden as the response.
Is this the IP we should use for whitelisting, or do we have to do any other process? I have used this load balancer IP for subdomain mapping as well and it is working fine, but I am unable to access the App Service when I whitelisted it, while I am able to access the App Service when I have whitelisted another VM's IP address.

If you are using the Azure CNI, Pod IPs are first-class members in the virtual network. You should add an allow rule for the entire Kubernetes Pod IP range to make this work.
If you want more control over the outgoing IP address you can set that up with an egress gateway in your service mesh of choice. For example Istio.
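As an added example, not code from the original answer: a small Python model of how App Service access-restriction rules are evaluated against a request's source IP, showing why a rule for the ingress load balancer's public IP alone ends in the implicit deny (the 403) when, as the answer states, the cluster's pods reach the App Service with Azure CNI pod addresses, and why an Allow rule for the pod range admits them. All addresses, rule names and priorities are constructed, and the model assumes the source address the App Service sees is the pod IP rather than a SNAT address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One App Service access-restriction rule (constructed model)."""
    name: str
    action: str      # "Allow" or "Deny"
    cidr: str        # IPv4 range the rule matches
    priority: int    # lower value is evaluated first


def evaluate(rules, source_ip):
    """Return (action, rule_name) for a request from source_ip.

    Rules are checked in ascending priority and the first match wins.
    Once any rule exists, an unmatched source hits the implicit
    deny-all that App Service appends, which is what returns 403.
    """
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if src in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action, rule.name
    if rules:
        return "Deny", "implicit-deny-all"
    return "Allow", "no-restrictions"


# Constructed values: the AKS ingress load balancer's public IP and the
# Azure CNI pod range that pods use as their source address in the VNet.
LB_PUBLIC_IP = "203.0.113.10"
POD_CIDR = "10.240.0.0/16"

# What the question did: allow only the load balancer's external IP.
ONLY_LB_IP = [Rule("allow-aks-lb", "Allow", f"{LB_PUBLIC_IP}/32", 100)]
# What the answer recommends: also allow the whole pod range.
WITH_POD_RANGE = ONLY_LB_IP + [Rule("allow-aks-pods", "Allow", POD_CIDR, 110)]


if __name__ == "__main__":
    pod_source = "10.240.3.17"  # constructed: a pod IP seen by the App Service
    print(evaluate(ONLY_LB_IP, pod_source))      # ('Deny', 'implicit-deny-all')
    print(evaluate(WITH_POD_RANGE, pod_source))  # ('Allow', 'allow-aks-pods')
```

Before writing the real rule, confirm from the App Service's own logs which source address it actually records for the cluster's requests.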

Related

Azure Virtual Machine cannot resolve DNS entry of Application Gateway

I have the following situation:
If I deploy an application (Deployment, Service and Ingress) in my Kubernetes cluster, my ingress deployment is automatically added to my application gateway (I am using the Azure Application Gateway Ingress Controller; https://azure.github.io/application-gateway-kubernetes-ingress/annotations/ ). So far so good.
That means that my application can be reached via my application gateway at https://my-app-gateway-public-ip/myAppPath/. Also, I have an additional private DNS zone which makes my app accessible via https://dns-name/myAppPath.
Additionally, we have an AADDS in combination with a Bastion service. We deployed some virtual machines, and the virtual machines use the DNS resolver of the AADDS (for authentication against the AAD).
The problem is: if I am outside of the cloud, I can nslookup the DNS name or access the site via the IP, but I cannot do that from my virtual machines. My DNS server (within the AADDS) is unable to resolve the DNS name or access the IP. I am wondering what the issue is.
The Bastion and AADDS are in different subscriptions and therefore different virtual networks. I have already established a peering between those virtual networks (or the authentication between the AADDS and the VMs wouldn't work).
The Kubernetes cluster and the application gateway are also in a different subscription, but no peering has been done so far.
Are there any hints as to what I could be missing?
Kind regards
• Since you are using a Bastion gateway server to connect to the VMs hosted in your subscription, the Bastion gateway server must have a public IP address, through which the registered underlying VMs can then be connected to via private links created in the private DNS zones associated with a particular virtual network in a subnet, with an assigned private IP address and an FQDN accordingly. Thus, if you want to access the application website hosted behind the application gateway, you will have to create a conditional forwarder in the DNS zone in AADDS to redirect the internal requests from the VMs hosted within a virtual network to the public IP address of the website hosted behind the application gateway.
• Thus, a conditional forwarder forwards the DNS resolution requests for a particular resource hosted on the public internet for which the DNS host resolution is not found or done in that DNS zone, which usually serves or fulfils the requests related to the internal environment. As a result, when a VM configured with a private IP and registered as a host in the internal DNS zone queries the public IP or FQDN associated with the application's website, the DNS requests are forwarded to the public internet through the conditional forwarder, and then the results are displayed in the VM's browser for the application's webpage. Thus, the VMs don't need to have internet access, but the DNS server should have it or should forward the requests through the internet proxy server accordingly to reach the internet.
For more information on creating a conditional forwarder in AADDS, kindly refer to the link below:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-dns#create-conditional-forwarders

What should be the IP Address Requirement for App Service Creation?

We would like to create Azure App Service / Azure Function App resources for our new project and are trying to understand the IP address requirement. I am looking for this information so that I can allocate the subnet size accordingly.
Will each App Service consume just 1 IP address or more? I am new to App Service and haven't used it before, so if someone could clarify in detail, it would be great.
I have created an App Service in our virtual network and I can see that for inbound traffic one IP address is assigned and for outbound there are many IP addresses assigned. So I am a bit confused about allocating the IP addresses.
There are a few IP addresses to be aware of in an App Service Environment. They are as follows:
Public inbound IP address: Used for external app traffic and management traffic in both internal and external deployments.
Outbound public IP: This is the IP address that is used as the "from" IP for connections that exit the virtual network. These connections do not go through a VPN.
Internal load balancer IP address: This address is solely used for internal purposes.
App-assigned IP-based TLS/SSL addresses: These addresses are only possible when using an external deployment and configuring IP-based TLS/SSL binding.
The App Service Environment UI in the Azure portal displays all of these IP addresses.
Please refer to these links as well for more information:
IP addresses
App Service Environment networking

Access Azure website by IP cause 404 error

I have an Azure website that I can access at
myname.azurewebsites.net
In the Azure dashboard, the IP is 104.214.237.135.
When I try to access my website by IP I get a 404 error.
I don't understand. My App Service plan is S1.
Regards
Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service environment (not in the Isolated tier) share network infrastructure with other apps. As a result, the inbound and outbound IP addresses of an app can be different, and can even change in certain situations.
App Service Environments use dedicated network infrastructures, so apps running in an App Service environment get static, dedicated IP addresses both for inbound and outbound connections.
Azure AppService IP addresses are shared between tenants and not guaranteed to be static. Your app is bound to the hostname, not the IP address. Unless you are using App Service Environment, you cannot use a static / dedicated IP address with Azure AppServices. You can add additional custom hostnames to your app.

App Service IP Restriction for Application Gateway with WAF

I want to set up Application Gateway WAF in front of multi-tenant (non-ASE) App Service Web Apps.
I know this is possible now, according to the official documentation.
For security, inbound traffic to the Web Apps should be restricted to only allow requests coming from the application gateway's public IP. But I couldn't find a way to do it.
Idea 1. Using VNet integration:
It's not possible to use "App Service VNet Integration" because it's not possible to specify the App Gateway's VNet.
Moreover, in my understanding, VNet integration can't restrict inbound traffic.
Idea 2. Using the IP Restriction config of App Service:
The Application Gateway's public IP address can only be configured as a dynamic one; a static IP address can't be chosen.
So I think it's not possible to specify the Application Gateway's public IP address in the IP Restriction config of App Service, because the configured IP is static but the actual IP can change.
Any good ideas?
The Application Gateway IP address can change if the gateway is stopped and started by the customer.
So if you do not stop and start the application gateway, the IP address will not change.

Limit access to public ip (whitelist)

I want to set up a Kubernetes cluster with a load balancer. Kubernetes will create a load balancer in Azure and connect a public IP address to it.
But I don't want to make the API public; it should be exclusive to my API Management service.
I tried to direct the load balancer into a VNet with the API service but I found nothing.
So I thought I could just limit access to the public IP (a whitelist with only the included IP of my service), but I found nothing on the internet.
Is it possible to set such a rule on a public IP, or do I need some extra service for this problem?
With Kubernetes, assuming you have a service defined, use the following commands:
kubectl get service
kubectl edit svc/<YOUR SERVICE>
Change the type from LoadBalancer to ClusterIP.
Now you can consume the service internally.