Access restriction for app service holding ocelote api gateway project - azure

I have deployed few .net core microservices along with ocelot api gateway and react application using azure app services.
Every app service is running in its own app service plan and subnet with vnet integration enabled. I am able to restrict direct access to microservices through service end points.
The problem is, I want to restrict access to api gateway app service so that it only accepts traffic from react application app service. Whenever I try to do so through vnet integration and service endpoints, my application stops working with 403 IP forbidden.
Is there any way I can achieve the desired result?

Related

An attempt was made to access a socket in a way forbidden by its access permissions. (localhost:5001)

I'm facing issue with my multiple project solution in .net core webAPI. I've gatewayAPI which internally makes call to different microservices via http call.
Gateway API URI exposed to outer world which has domain as azure app name but the internal calls from gateway to microservices are configured with http://localhost:5001/{apiEndPoint} which is working fine in my local machine but after deploying it on azure app service I'm getting below error:
PostToServer call URL:'http://localhost:5001/api/authservice/authenticate' with Exception message An attempt was made to access a socket in a way forbidden by its access permissions. (localhost:5001).
Can someone please help me with this, I'm new to azure and learning on my own but could not find any solution for this yet.
PS: After going through some YouTube videos and blogs I got to know we have to use AKS but I'm not confident in that.
Would really appreciate any help on this issue.
The Gateway API you deployed to azure app service, it doesn't support custom port usage for 5001. Azure App Service only supports port 80|443(HTTP|HTTPS).
If you must use multiple ports in your actual project, then it is recommended to check whether Azure Cloud Service meets your needs. But it not the best choice.
The Best Practice:
Microservices architecture design
In short,create a Azure Gateway service, and your other microservice can be deployed in any where.(azure app service, vm or aks)
You just make sure you can access your microservices in your internal or public network environment.
If you're just learning, or the app isn't actually used by a lot of users, you can try the following suggestions:
Use SignalR (not azure signalr) to replace the websocket in your current project.
You have on azure app service, you can deploy your Gateway API Application to app service, and your other microservices can be deployed to Virtual Application in azure app service.

How to expose internal azure app service to publicly available

I have created an Azure App Service inside an Internal App Service Environment. I want to make API App publicly available using Application Gateway.
Can anyone suggest me how to do it?

Azure web app uses IP outside of the outbound IP range

I have a .net core web application deployed as an Azuere web app. This web app makes an API call to another web application deployed on-premise. The on-premise web applciaiton logs the IP address of the client applciation.
When the Azure web app makes an API call to an on-premises web application, the client IP address logged is different than the range of outbound IPs defined for the Azure app. I alwyas thought that the Azure web app uses one of the outbound Ips while communicating with other applciations. This does not seem to be the case.
I have added my Azure Web app to vnet. Does this have anything to do with the above observation?
Is there a proxy used by the Azure when Azure Web app makes external calls?

Do i need point to site vpn with azure waf and web app

I have been messing around with Azure trying to get a web app up and running. My plan was to create a WAF and site the web app behind that, each in a seperate subnet and then to use the service endpoint tech to point the web app to a database.
I have been stopped in my tracks almost straight away with the revelation that if i want to use a WAF in front of the web app i have to configure the networking in the web app but when i choose a vnet it says that no gateway is configured for the selected VNET.
My question being is do i have to use point to site VPN to get this setup working? i thought that it would work like
INTERNET ---> VNET ----> subnet ----> WAF -----> subnet -----> web app ----> service endpoint ------> DB
but that doesnt seem to be the case. I am not keen on the idea of having to install a client certificate on every machine in our network that might want to access this website (it is currently internal). I suppose i am looking for the best of both worlds. Accessible from the internet but having the added comfort of having something like a WAF sat in front of it to make up for any security inadequacies which might exist somewhere in said app.
Thanks
As far as I know, you could not deploy a web app in a VNet unless you are using the App Service Environment(Isolated). App VNet integration could not do it. It allows you to securely access resources in a VNet. For example, you have a database on an Azure VM in a private VNet. You could not access it from Azure web app to this database if this database is not available publicly, but you could reach it via app VNet integration.
VNet service endpoints is another different service. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. If you enable such service endpoint like Azure SQL database( which differs from the database on Azure VMs) in a VNet, this means only the resource in these authorized VNets could access your SQL database unless you add an exclusion like the public IP address in the firewall of the database.
In this case, you could put a Public facing Azure app gateway at the high level of the web app service, then add the Azure app gateway public IP in the IP restriction of the web app.This will restrict to access to web app via Azure web app gateway over the Internet. Also, you could control the network inbound and outbound in Azure app gateway subnet NSG. See Network security groups on the Application Gateway subnet if you want to add an NSG to the app gateway subnet level. I think these are enough if you just want to create a WAF and site the web app behind that.
Furthermore, if you want to let web app privately access the Azure SQL database. You could deploy a web app in an ASE, then enable the VNet service endpoint for Azure SQL database. App VNet integration does not need to use it with the service endpoint.
If you want to use Azure WAF with Azure App Service (multi-tenant) you can, you just need to ensure you are supplying the host header with your request.
If you want you Azure Web App on a VNet, you will need to run your Azure Web App on an App Service Environment (Isolated). This version of Azure Web App is more expensive but allows you to apply NSG's to the VNet to fully control access to your web app. Personally I think WAF w/ Azure App Service (multi-tenant) should meet your needs.
We have it all documented here:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview
https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal

Access Azure App Service RESTful endpoints from On Premise resources using VPN

I have an on premise desktop application and I need it to hit Web APIs I have living in an App Service Web App (on an App Service Plan) in Azure.
My on premise resources are connected over a site to site VPN and I was wondering if there is a way I can call these Web API services(in an app service) directly over the VPN instead of going to the public endpoint.
The "normal" App Service Plan exists in a multi-tenant environment so this is not possible. You would need to use an ASE (App Service Environemnt) to use advanced networking features like VPN and NSG.

Resources