We have an Azure web app that we use for dev\testing. I noticed in Application Insights that it is getting pinged like 500-700 times per minute. I tried blocking the IP in Networking and of course being no network expert didn't realize it will just keep rolling to the next one.
Question 1 is - How do I block by group of IP's used?
Question 2 if that doesn't work - How do I block the "U.K." as I only need in the US currently for dev\testing. I prefer question one so that I can use for my prod. version also and as needed.
Blocking arbitrary IP ranges brings you nowhere. If you really want to restrict access to your test environments on the network level, I suggest defining allowed IP ranges and blocking the rest of the internet. That can be done in the portal, using PS like HariKrishnaRajoli-MT showed or preferably with IaC like Bicep or Terraform.
If you want to have some dynamic blocking (like country-based), you'll need a component in front of your App Service like an Azure App GW with WAF. However, that has some notable costs included.
Lastly, why is pinging an issue? It does not cause any significant stress to the service. If you want to protect your service from outside access, you should enable some authentication. Azure App Service provides an easy way of enabling authentication and authorization with different identity providers.
Question 1 is - How do I block by group of IP's used?
Create a new text file and store all the IP Addresses which you want to allow or block and each separated with a Comma (,) as shown below:
Paste this code in an PowerShell File to read the above text file:
Param``(
[``Parameter``(``Mandatory = $true``)]
[string] $ResourceGroupName``,
[``Parameter``(``Mandatory = $true``)]
[string] $WebAppName``,
[``Parameter``(``Mandatory = $true``)]
[string] $IPAddressSourceFileName
)
#Step1 - Get All IP Addresses from the File
$SourceIPAddresses = (``Get-Content $IPAddressSourceFileName``).Trim() | ConvertFrom-Csv
#Step2 - Get All existing IP Addresses from the Config of App Service
$APIVersion = ((``Get-AzResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]
$config = (``Get-AzResource -ResourceType Microsoft.Web/sites/config -Name $WebAppName -ResourceGroupName $ResourceGroupName -ApiVersion $APIVersion``)
#Step3 - Prepare the new IP Addresses list from that IPAddressList file and collect all the new ones into the $IpSecurityRestrictions collection
foreach``(``$item in $SourceIPAddresses``){
$Rule``=``$config``.Properties.ipSecurityRestrictions | Where-Object { $_``.ipAddress -eq $item``.IPAddress}
if``(``$null -ne $Rule``)
{
Write-Host -ForegroundColor Green 'No Action on the IP:' $item``.ipAddress
}
else
{
$config``.Properties.ipSecurityRestrictions+=``$item
}
}
#Step4 - Finally update the new IP Addresses to Azure App Service
Set-AzResource -ResourceId $config``.ResourceId -Properties $config``.Properties -ApiVersion $APIVersion -Force
Run the above PowerShell Script from VS Code > Terminal > Run this following command:
.\ReadIPAddresses.ps1 azdevops-rg-eus-dev azuredevops-wapp1-eus-dev IPAddresses.txt
After running this command, you can see all the IP Addresses will be added to the Access Restrictions blade as shown here:
Related
I have hostname/machine name from logs. I want to know what service is running that. is there any way I can backtrack service name by hostname/machine name?
I tried to search for all queries, tried kudu but can see hostname for the service I select. cant reverse search it
After I've done workaround, there is no direct command to get azure app service with hostname, but I found an alternative to get App Service details with hostnames by using:
Get-Azurermwebapp command with the respective resource group name.
With Get-Azurermwebapp command, Direct hostname retrieval is not supported via a parameter. To do that, I gave the information to a variable and used it to retrieve.
get-azurermwebapp -ResourceGroupName <ResourceGroupName>
$info = get-azurermwebapp -ResourceGroupName <ResourceGroupName> #Storing in info variable
$info.name #retrieving Azure App service names
$hostname = $info.enabledhostnames #retrieve enabledhostnames by passing info to $hostname
$hostname
Note: If you need to view all services operating inside any AzureVM, together with their status, Use Get-service:
get-service -computername <VMName>
Refer MsDoc
I'm trying to set up a rule in my Azure Application Gateway which applies a longer timeout limit on certain requests to allow a service to serve requests/data without a timeout.
The rule is configured with path-based routing so it should only kick in if requests contain a specific path prefix.
I believe that my rule is not being executed however, because it sits lower down in the list of rules from the more general rule.
Is there a way to set the priority within the Azure Portal, or can this only be done when managing this configuration via power shell scripts?
At this moment in time you can't set rule priority through the Azure Portal for an existing Application Gateway. You will need to set a priority on all of your existing rules through Powershell/Azure CLI, then you will be able to manage them through the portal. Note that this only applies to Application Gateway V2.
In order to do that, you can loop over all your existing rules and set them a unique priority between 1 and 20000 (1 = highest priority, 20000=lowest priority). Here's an example of such Powershell script:
Connect-AzAccount -Tenant 'TENANT-GUID-HERE'
$AppGW = Get-AzApplicationGateway -Name "APP-GATEWAY-NAME-HERE" -ResourceGroupName "RESSOURCE-GROUP-HERE"
$Rules = Get-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $AppGW
$i = 1000
foreach ($Rule in $Rules) {
$Rule.Priority = $i
$i++
}
Set-AzApplicationGateway -ApplicationGateway $AppGw
Then, if the script succeeds, you will now be able to manage rules priorities on the Portal (look for the "Priority" textbox while adding or modifying a rule).
I have a web application in azure and I want to make sure that only my build server (or any other VM on the same subnet) are the only ones which are able to access the SCM site. I thought the most obvious thing would be to create an access restriction rule and in fact that works, I am able to create it from the portal with no issue whatsoever.
The problem, however, happens when I try to automate this using powershell. My build server subnet is located on a subscription different from the one where my web application is.
I am executing the following powershell script:
$subnetId = "/subscriptions/$VNETSubscriptionId/resourceGroups/$VNETResourceGroup/providers/Microsoft.Network/virtualNetworks/$buildServerVNET/subnets/$buildServerSubNet"
Add-AzWebAppAccessRestrictionRule -ResourceGroup $webAppRg -WebAppName $webAppname -Name VNETAccess -Priority 1000 -Action Allow -SubnetId $subnetId
And I get the following error:
Add-AzWebAppAccessRestrictionRule : The client '{{my user credential}}' with object id '81fa4eb1-5553-4daa-af44-3c717b19eda2' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/{{websiteSubscriptionId}}/resour
ceGroups/{{VNETResourceGroup}}/providers/Microsoft.Network/virtualNetworks/{{buildServerVNET}}/subnets/{{buildServerSubNet}}' or
the scope is invalid. If access was recently granted, please refresh your credentials.
The error seems to indicate that the cmdlet is searching for the subnet on the same subscription id than the website instead of the subscription where the subnet is located, since the resourceId string that is being returned on the error messsage has the wrong subscription Id. It is using the one where the website is instead of using the one where the build server is.
What else needs to be done in order to create this rule through powershell?
The error message is confused.
In fact, after my validation, you need to add the -IgnoreMissingServiceEndpoint parameter when adding a subnet from a different subscription. Read this GitHub case WebApp:Add-AzWebAppAccessRestrictionRule.md - incorrect use of subscription context over SubnetId param
When using a subnet from a different subscription, we cannot validate
the subnet to see if the correct service endpoint (Microsoft.Web) has
been set. If you use -IgnoreMissingServiceEndpoint the rule can be
added.
I would like to be able to route traffic from the "production" Slot to a different slot in Azure via powershell. How could I go about this that does not use RampUpRules?
We have an application in Azure currently with 3 slots (the production slot and 2 additional slots) and via a release pipeline we would like to automatically route all traffic to one of those two slots.
I have found that a "RampUpRule" can achieve this (shown in the code snippet), but it does so via the x-ms-routing-name cookie based on the given rule. I also know that the slot traffic can be done via the Deployment Slots UI on the app service but would like to automate this (if possible).
I have been unable to find a way of doing it using the existing Az cmdlets myself so far - so I was wondering if anyone knew of a way to do this.
$appName = "myapp"
$appService = Get-AzWebApp -Name $appName
$appConfig = $appService.SiteConfig
$rulesList = New-Object -TypeName System.Collections.Generic.List[Microsoft.Azure.Management.WebSites.Models.RampUpRule]
$rule = New-Object -TypeName Microsoft.Azure.Management.WebSites.Models.RampUpRule
$rule.Name = "LiveTraffic"
$rule.ActionHostName = "myapp-staging.azurewebsites.net"
$rule.ReroutePercentage = 100
$rulesList.Add($rule)
$appConfig.Experiments.RampUpRules = $rulesList
Set-AzWebApp -WebApp $appService
The RampUpRules achieve what we would like, but I am not sure if it being done via the set cookie is going to be acceptable.
Your script seems works. If you set the ReroutePercentage of the staging slot with 100, your users will be routed to the staging slot automatically, because the routing percentage of production is set to 0. Unless you provide a link with x-ms-routing-name=self like Go back to production app.
For more details, you could refer to this link.
For monitor reasons I need to retrieve the hostname of each virtual machine.
I used the nice resource "Resource graph" in Azure Dashboard with following query.
project VMnaam = name,
location,
resourceGroup,
subscriptionId,
vmsize = properties.hardwareProfile.vmSize,
VMtype = properties.storageProfile.imageReference.offer,
diskSizeInGB = properties.storageProfile.osDisk.diskSizeGB,
OStype = properties.storageProfile.osDisk.osType,
adminUsername = properties.osProfile.adminUsername,
hostname = properties.osProfile.computerName,
type
| where type == "microsoft.compute/virtualmachines"
which gives me a nice overview of every virtual machine. But something got my attention in the results.
the hostname (properties.osProfile.computerName) is the same name as the VMname.
Inside the VM I have checked this and controlled that this is indeed correct so I wanted to check what happens if I change the hostname in my VM.
In my linux VM I changed the hostname rebooted the machine and the new hostname is available in the terminal.
Through Azure Resourc Graph however The change is not visible;
If I manually retrieve the computername with powershell with following powershell code:
Login-AzAccount -Subscription "mysub"
$vm = get-azvm -ResourceGroupName "myrg" -Name "myvm"
$vm.OSProfile.ComputerName
I also see the first value of my hostname that was initially setup by Azure but not the new hostname that I changed.
Is it not possible to retrieve a changed hostname from Azure? Does it take a while? Is there any other way to retrieve the hostname from Azure?
no, it is not possible, azure is not aware of the actual hostname in the vm.
Also the fact that vmname and hostname match is just a coincidence (or rather a default from Azure). If you provision a vm through API you have the ability to set hostname when provisioning and it doesn't have to match vm name (although, it usually makes sense if it does).
edit: according to woter324 recent update seem to have fixed this and now Azure is aware of the actual vm hostname (confirmed for windows)
(az vm list | ConvertFrom-Json).osProfile.computerName