How to remove firewall block restriction on Azure web application URL? - azure

Some of my apps are not working from some customers site, I later discovered that this was because I am using the default websites for my app hosting that is the url is myapp.azurewebsites.net which was not whitelisted on the customers firewall. The customer whitelisted my website domain name and its sub domain names .i.e mywebsite.com and *.mywebsite.com are all whitelisted.
If i were to create CNAME record which has a CNAME pointer to the azure default web app for example myapp.mywebsite.com points to myapp.azurewebsites.net, will this get around the issue ? Or do I need to whitelist myapp.azurewebsites.net Or its IP address that is the IP address of myapp.azurewebsites.net ?

Firstly, by default, apps hosted in App Service are accessible directly through the internet and can reach only internet-hosted endpoints. So, typically, anyone with the URL without any specific local network/firewall/proxy restrictions can access the WebApp URL.
As I understand, your WebApp is open to the public and only a few users (on a specific network), have trouble accessing the site. Plus, there are no access restrictions that you have implemented from the WebApp side.
Just to highlight,
Network administrators often deploy proxy servers, firewalls, or other
devices, which can help secure and give control over how users access
the internet. Rules designed to protect users can sometimes block or
slow down legitimate business-related internet traffic. This traffic
includes communications between you and Azure over the URLs listed
here.
Reference : Allow the Azure portal URLs on your firewall or proxy server
So, on case-case basis, for the affected network, you may have them add appservice.azure.com (Azure App Services) in the allowed list.
Or
As your customer performed – “The customer whitelisted my website domain name and its sub domain names .i.e mywebsite.com and *.mywebsite.com are all whitelisted.” have them add the URLs to allowedlist.
Or
Since IP address of your WebApp (see the reasons for the change), the best route would be for you to set up a custom domain for your WebApp.
Kindly check this doc - Tutorial: Map an existing custom DNS name to Azure App Service
The CNAME maps to the app's default hostname instead, which is less susceptible to change. | | Wildcard | *.contoso.com | CNAME record. |
-- As a side note (as indicated above), by setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. Which is the opposite of your scenario, just sharing as FYI, in case you wish to know about access restrictions from WebApp side. Set up Azure App Service access restrictions

Related

Use CloudFlare so I can access website hosted in Azure via IP Address

I am very new to Cloudflare. So please bear with me. I need to access my website (hosted in Microsoft Azure - App Services) via IP address instead of the domain name.
To do this, I need to add HOST=www.mydomain.com into the HTTP header when requesting the website via IP address.
I heard it can be solved via Cloudflare, but the person I asked will not elaborate further. Is it possible? If yes, what service should I purchase? Any manual or instruction will be appreciated.
If Cloudflare isn't possible, do you have any service recommendations?
Thanks :)
The reason the host header is needed is because Azure App Services are multi-tenant (multiple apps on a single IP) by default. So, the server needs some way to know where to route your request to (the host name). In addition, IPs are not guaranteed to be static (they can change as you scale for instance).
It should be possible to secure a single static IP address using the following method -
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#get-a-static-inbound-ip
What is unclear is whether or not this IP would also be dedicated (meaning only your domain would use it). This is what would be required in order to allow you to access the app service without a hostname specified.
Cloudflare will not solve this issue, as it sits at the DNS layer (domain name access). Accessing a server via IP would bypass Cloudflare entirely.

Remove DNS authorization for IP address in Azure

I have a couple of web applications on an Azure server. A client allowed the domain to lapse, and I can no longer access the DNS settings for this domain. The domain's DNS settings (A records, CNAMES) are still authorized in Azure to control traffic for the server's IP address. So, any app I create on this server now resolves to the domain that is no longer under my control.
How do I get myself out of this pickle? Can I change the server's IP address? I have not been able to find out how to do that. Can I de-authorize the DNS settings that now control access to this IP address?
If you want to remove access to the app from a domain, you just remove the domain from the App Service.
DNS tells users where to go for a particular domain name.
If your app doesn't mention it as a domain, the request won't be routed to it.
Remember that addresses in Azure App Service are shared so it requires that you actually explicitly mention the domain in the app service's configuration.
Ugh. Ok, my issue was that I was redirecting to the domain in my web.config.

How do I restrict the clients that can access my Azure App Service?

Given that I create an Azure 'App Service'
How do I ensure that this service is only callable from ...
A.> 2 existing external servers (whose IP addresses will be known)
B.> 3 other App Services which I will be creating, but whose IP Addresses may not be known since I may need to scale those out (Over multiple additional instances)
To clarify... Is there some Azure service that will allow me to treat this collective of machines (both real and virtual) as a single group, such that I can apply some test on incoming requests to see if they originate from this group?
on Azure WebApps, You may wish to know; the IP Restrictions (https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions) allow you to define a list of IP addresses that are allowed to access your app. The allow list can include individual IP addresses or a range of IP addresses defined by a subnet mask. When a request to the app is generated from a client, the IP address is evaluated against the allow list. If the IP address is not in the list, the app replies with an HTTP 403 status code.
You can use IP and Domain Restrictions to control the set of IP addresses, and address ranges, that are either allowed or denied access to in your websites. With Azure WebApps you can enable/disable the feature, as well as customize its behavior, using web.config files located in their website.
Additionally, VNET Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB).
If you haven’t checked this already, checkout Integrate your app with an Azure Virtual Network for more details on VNET Integration (https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet)
I strongly suggest dropping the whole what's my IP approach and throwing in OAuth. Azure AD gives you access tokens with moderate effort —
Service to service calls using client credentials (shared secret or certificate)
Else, TLS client authentication would be next on my list. Although that tends to really suck if you have to deal with several programming stacks, TLS offloaders and what not.

Azure Traffic Manager, custom domain and 404

I got lost with Traffic Manager setup and custom domain name.
First I had two mobile apps in 2 regions (westeuropeapp.azurewebsites.net and brazilapp.azurewebsites.net) as endpoints of Traffic Manager (trafficmanager.trafficmanager.net). It was Working.
Then I wanted to use a custom domain name with subdomains: westeurope.mydomain.com, brazil.mydomain.com and trafficmanager.mydomain.com. So I followed Azure doc instructions and created CNAME for my subdomains pointing to the two mobile apps and to traffic manager. Then I added westeurope.mydomain.com (resp. brazil.mydomain.com) as hostname for my west europe mobile app (resp. brazil mobile app).
But when I navigate to trafficmanager.mydomain.com I got a 404.
I checked the DNS resolution with Dig, I can see that trafficmanager.mydomain.com has a cname to trafficmanager.trafficmanager.net which has a cname to westeuropeapp.azurewebsites.net which resolve to ip xxxx.This looks good.
If I type that ip into my browser I got 404. But if I type westeuropeapp.azurewebsites.net I got my app running. I also checked westeuropeapp.azurewebsites.net in Dig and it resolves to the same ip as above.
What am I missing? (I don't even talk about SSL, it will be next post.)
You also need to add trafficmanager.mydomain.com to the Mobile Apps as a custom domain.
App Service shares IP addresses across apps, so the only way for it to identify which app your request is bound for is the Host header. By adding the custom domain App Service knows to route requests for that domain to that app.
Once you add the mobile apps to the traffic manager, trafficmanager.mydomain.com will automatically gets added to the mobile app, in the host name assigned to site(App->Custom domain). Wait for sometime for the changes to propagate. After the trafficmanager is propogated, You need to add custom domain to both of your mobile apps.
This video has the details for adding custom domain for the traffic manager. https://www.youtube.com/watch?v=1ggz9qZpVHo

Can I map (CNAME) a custom domain to a subdomain that is part of a Wildcard on Azure Web Apps?

I have a website on Azure Cloud Services, and I have enabled a wildcard for my website like: *.mywebsite.com
Then if a customer registers and select as his subdomain: client1.mywebsite.com, I only save the subdomain associated with my customer in the database. I don't need to do anything on the portal. This works as well on Azure Web Apps (Azure Websites).
Now, if my client goes to his domain provider and sets a DNS entry like:
www.client1.com CNAME client1.mywebsite.com
I can handle that correctly in Cloud Services without having to register "www.client1.com" in the Azure Portal. Is that possible in Azure Websites without having to add www.client1.com to the Azure Portal?
Short answer, no, it is not possible.
Explanation.
What you type in the address bar is the name that is presented to a web server in the HTTP request. Regardless of the underlying DNS responses. If a DNS look up of www.example.com provides an IP Address, whether a CNAME or an A record, that is where it will go and get data from. The only way to change that is with a HTTP Redirect.
In Azure the incoming server name is used to direct traffic to the correct web app (On the same set of IP Addresses there might be thousands of other websites registered) The only way it knows how to distinguish where to send the request is from the incoming server name.
Why this worked on Cloud Services.
Behind a cloud service was an IP Address that was unique to your servers behind it. When a cloud service got a HTTP request, it would process it, because there was nowhere else to send it.

Resources