App Gateway configuration with Private Endpoint enabled web apps - azure

I am trying to expose my Front End and Function Web Apps using App Gateway. Both of those apps belong to one app service plan.
They are also private endpoint enabled and VNET integrated.
I have databricks in another tenant which needs to feed data to my Function App
So for that reason i need to expose my Function App.
As for the Front End App, it needs to be accessed by all the employees belonging to a particular business unit.
So my question is , when i am configuring listeners, and the backend pool, should i be using the *.privatelink.azurewebsites.net FQDN or the normal *.azurewebsites.net FQDN as the backend pool ?
When you are using Private Endpoint, you already have a CNAME which maps *.privatelink.azurewebsites.net to *.azurewebsites.net and you also have an 'A' record for your private endpoint.
So while configuring App Gateway with Private Endpoint enabled web apps, what is it that you should be using as your backend

You have to use the normal *.azurewebsites.net FQDN instead of the private link one. This normal FQDN automatically resolves to the private link FQDN. The normal FQDN will throw an error when called from a public network when a private endpoint is attached to it because it cannot resolve the private address so your service isn't exposed anymore for the outside world (unless they have public access through your application gateway of course)

Related

How to integrate 2 app services into the same vNet

I have two app services that i want to allow inbound calls only from my vNet. I am able to create a private endpoint and its private dns zone for the first one and it is working. But when i do it for the second one the portal wants me to use the same private dns zone. I cannot choose a different private zone! And if i configure the my second private endpoint through the portal by adding the configuration that links to that second private zone it is getting missconfigured!
Im really stuck in this. My questions are, first Is it possible to integrate two app services into the same vNet?
Second, how can i configure the second private endpoint to be able to work correctly?
Big Thanks to any advice!
I Tried everything to configure that through the azure portal with no luck!
I tried to reproduce the same in my environment like below:
I created two app services to allow inbound calls vNet like below:
App service 1
App service 2
I added outbound traffic of vnet integration like below
I try the same to add my private endpoint with app service 1 it configure successfully with private DNS zone like below:
When I try to add another app service with private endpoint it associates with same private DNS zone only.
Note that: It is not possible to add second private DNS zone within the resource group even I try to add different vnet integration with another app service it associate with same private DNS zone only
Check this similar thread As suggested by Cloudkollektiv you can make use of service endpoint it is similar to private endpoint. It enables private IP addresses in the VNet to reach the endpoint of an Azure service without need for a public IP address on the VNet.
Reference:
Integrate your app with an Azure virtual network - Azure App Service | Microsoft Learn

API MANAGEMENT block custom domain

We have an API management instance and we have set up 2 custom domains, one public and one private:
Some API's have to be reachable only internally with api-internal.domain.com. It works but I see that if I configure both custom domains, api-internal.domain.com is configured only on private DNS zone, that API's are reachable also from api.domain.com.
Is the beavhior correct? I want to setup on APIM in some way api-internal.domain.com to be reachable only internally. I'm reading the doc microsoft and I can with policy but the API's are always reachable from public domain, they will be blocked but I want to avoid it.
Thanks
That is by design, as long as the service is not deployed to a VNET (internal mode), the default and custom domains will always have public Azure DNS records pointing to the public IP address.
The solution here is to deploy your service to a VNET (internal mode) and expose the public Apis to the internet using an application gateway that is configured to use path-based routing with your public domain to be configured to point to the application gateway public IP address. Regarding your internal Apis you can configure your private domain to be pointing to the internal IP address (private load balancer) of the APIM service.
See the below resources
https://learn.microsoft.com/en-us/azure/application-gateway/create-url-route-portal
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

Azure App service not accessible with private endpoint within APIM/VM

I have configured my app serivce to be part of a subnet within a VNET.
Now i have integrated my app service with a private endpoint within the same VNET.
With the private endpoint integration, i'm now not able to access the app service (i.e. my API) on a public internet, where i'm getting 403 forbidden error. Which is an expected behaviour to restrict the access on the public network
But the issue is, i want to expose this API via APIM (which is internal) configured within a separate subnet in the same VNET, but i'm not not access the API now with the private endpoint IP address. I was hoping that the resources with in the VNET will be able to reach the App service using its private IP address
I also tried to configure a VM in a separate subnet with in the same VNET, but when i ping the API private IP from the VM, i'm getting request timedout.
Current there have not been any rules setup with NSG to restrict the subnets to talk between each other.
Please let me know how to expose the API with private endpoint via APIM which is also configured to be only internal
You also need to configure private dns zone as now your app's FQDN needs to be resolved to the private IP, instead of a public one.
https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell
Update:
Just want to add that app service cannot be accessed via the IP as it is assigned to the app service plan, which can be shared by other app services. The FQDN is required for app service plan to do L7 routing

Connecting two App Services within the same VNet

I have two NodeJS App Services.
They can connect to each other with no problem using the URL which is created for App Services by default. (That is through the public internet.)
Then I successfully enabled VNet Integration for both App Services, and assigned the same VNet and also subnet two both of them.
How should I modify the connection URL now to connect to appservice2 from appservice1 (without using the URLs which are publicly available on the internet)?
I could not find any host name or IP address information in Azure Portal using which I could have successfully established the connection.
Thanks for any suggestions!
When you want two app services to connect to each other over a private network, there are generally two steps you have to take to set this up correctly. Note that the app service URL will always stay the same, it is only the networking part that changes.
Both app services should have vnet integration enabled, which allows the app service to route its traffic through the vnet.
If you want others (e.g. another app service) to connect to an app service via a vnet you can choose between:
a) Service endpoints
b) Private endpoints
Reading your question, I assume you completed the first step correctly. But you have to complete either step 2a or 2b to get this to work properly. I would recommend you choose service endpoints because they are more straightforward than working with private endpoints. Below you'll find a detailed description and considerations for every step.
1. Vnet Integration
The subnet you use as an integration subnet has to be a dedicated subnet. This means it is only used for vnet integration.
Only one app service plan can be used with this dedicated subnet, this one app service plan may include multiple app services.
If there is a network security group attached to that subnet, it needs to allow outbound traffic.
If there is an azure firewall attached to your vnet and you want to make a call to a public endpoint, it should allow outbound traffic.
Vnet route all should be enabled if you want all the outbound traffic to travel over the vnet.
If you want to read more, I would recommend reading this documentation.
Here is a simple example of how you would create vnet integration by selecting the dedicated subnet:
Service Endpoints
Service endpoints allow you to lock down inbound access to your app so that the source address must come from a set of subnets that you select.
Service endpoints are automatically provisioned by azure when you enable access restrictions to the app service.
This is a much simpler alternative to private endpoints.
Does not work in large-scale networks where you want to connect from an on-prem network to an azure vnet.
You may turn to this documentation to read about all the features and limitations of service endpoints.
Here is an example of how you would enable services endpoints for your app service by creating an access restriction:
Private Endpoints
Private endpoints also need a subnet, but you can connect as many private endpoints to the subnet as there are IP addresses available.
When you use private endpoints, you also need to have a private DNS zone. Otherwise, the app service URL does not resolve correctly to an IP address.
Private endpoints are more complex than service endpoints because of the extra subnet and DNS requirements.
Here is a nice tutorial that let's you set up an app service with private endpoint.
The following example shows you how to create a private endpoint for your app service. You have the option to let azure create a private DNS zone automatically, or you can do this manually:
If you want to access app services without public internet, then enabling VNET integration in those services alone won't be enough. You need to create a private endpoint that provides the IP from the virtual network to access the app service internally within the VNET and it also disables public access to the app service over the internet. Also please be aware that the private endpoint implementation will have some cost implications as well.
If your requirement is just to establish a secure connection between your virtual network & app service and to avoid access over the public internet, a service endpoint is the simplest solution. If you also need to access the app service from on-premises through an express route or Azure Gateway, a regionally peered virtual network, or a globally peered virtual network, Private Endpoint is the solution.
Steps to set up a service endpoint are detailed in the provisioning service endpoint link
Steps to set up a private endpoint are detailed in the connect to the web app using private endpoint link
Also if you want to deep dive into private endpoint configuration for app service, I would recommend you to read through the following tutorial

Azure How can I call internal API Management service by private IP inside VNET

I created VNET in Azure. I put in one subset internal API Management which call Azure Function outside of the VNET and in another one Virtual machine. When I tried to call API Management I got a 503 exception. And if I try to ping private IP from the VM it doest work.
The other solution was to create Azure private link but in this case, I got the info by the link but did not be able to ping or call by private IP(got 400)
My solution was to run the web app instead of the AF in the VM because VM can be easily called by private IP in VNET.
How can I call API Management and other azure services(Azure private link) by private API?
From the official document,
API Management service does not listen to requests coming from IP
addresses. It only responds to requests to the hostname configured on
its service endpoints. These endpoints include gateway, the Azure
portal and the Developer portal, direct management endpoint, and Git.
You only could access API management service via hostname instead of private IP in an internal mode API Management. For this mode, you have to manage your own routing. If you use a custom DNS server in a virtual network, you can also create A DNS records and access these endpoints from anywhere in your virtual network.

Resources