I'm having issues with Russian IP addresses trying to access various areas of my website, that do not exist. I have been hacked before with Ramsonware on AWS. How can I restrict my Azure traffic to just IP addresses in the US?
thx in advance.
You'll need to add a Web Application Firewall (WAF) in front of your web app. You can either use Azure Front Door or Azure Application Gateway and enable WAF, then you just need to setup the geomatch custom rule (which is currently in preview).
More info:
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/geomatch-custom-rules
Related
Question: How do I host an endpoint in azure which allows me to redirect internet traffic at will between azure and aws services?
I am hosting two kubernetes clusters - one in Azure and the other in AWS. I want to be able to:
1. redirect the traffic at will to either aws or azure, whilst retaining the public dns endpoint.
2. fail over manually [and pref automatically too] to the aws cluster. What is the best way to host the endpoint in azure?
Requirements:
The traffic needs to be redirected immediately - no caching issues and stale loads!
Ability to configure failover - i.e. specify that Azure is hot and AWS is the failover service - the traffic should be automatically redirected as soon as Azure goes down.
I have looked at Traffic Manager, Load Balancers and Application Gateway. Not sure which one (if any) of these is best.
traffic manager wont work for you, since its a dns service, so caching will happen (admittedly its the best solution if you set dns cache to 5 seconds or something). application gateway allows you to specify an ip address as an endpoint, load balancers only work when attached to vms inside azure. But application gateways dont allow to failover at will. you would need to block the probe to failover.
Azure Front Door might be the solution for you (like the other answer mentions)
You can have a look into Azure Front Door Service for your usecase.
Look into this https://learn.microsoft.com/en-gb/azure/frontdoor/front-door-overview
I have to restrict public access to my Azure app service, Hence I have implemented IP whitelist in web config. Is it required to whitelist the Azure datacenter IP ranges?
My app service uses Azure SQL, redis and search service.
Short answer to your question is no, you will not need to add Azure data center IP addresses for using Azure services. Only case where you need to add IP addresses to the allow list is when a service/application tries to access your web application and not the other way round.
Given your objective to restrict public access, you should definitely consider using the IP restrictions feature from Azure Portal. Microsoft has improved this feature and it's better than having just the web.config <ipsecurity> configuration,
With Azure App Service IP restrictions, traffic will blocked even
before it reaches your IIS.
You can still continue to use your web.config configuration as it is.
Configuration effort is pretty minimal as it's all available through portal
Read more about it here
Azure App Service Static IP Restrictions
For a time, the IP Restrictions capability in the portal was a layer
on top of the ipSecurity capability in IIS. The current IP
Restrictions capability is different. You can still configure
ipSecurity within your application web.config but the front-end based
IP Restrictions rules will be applied before any traffic reaches IIS.
I have created an App Service Environment and have multiple web app and web API associated with it. I want to achieve an arrangement where only my App service has access to the API, so trying to block traffic to the API using IP Restriction. But all the Web Apps as well as the web API has the same VIP and i cant find any other IP address associated with it.
Also to attach the NSG to the subnet(in which ASE is there), we need to add rules which again need specific IP. How can I achieve this?
I assume you have provisioned external ASE.
"App Service has the ability to allocate a dedicated IP address to an app. This capability is available after you configure an IP-based SSL"
So, you can limit the access to some of your apps inside the ASE by using App-assigned IP-based SSL addresses (Only possible with an External ASE and when IP-based SSL is configured).
When you provision your ASE, you can select how many external IP addresses the system should have including those for IP-based SSL purposes.
please see: https://learn.microsoft.com/en-us/azure/app-service/environment/using-an-ase#ip-addresses and slide nr.14 here https://8gportalvhdsf9v440s15hrt.blob.core.windows.net/ignite2017/session-presentations/BRK3204.PPTX
I have a bunch of REST services running in a VM in azure. I'd like to consume them from azure websites in a secure way. I.e. I don't want these services to be accessible from anywhere other than the azure websites.
Is it possible put this limitation? I know that I can limit access to the endpoints by providing IP address ranges but websites don't have fixed IP addresses.
thanks
If you set an unique IP can do it. But remember what the static IP are not available in all web hosting plans.
I'm working on azure project and came across Azure Traffic Manager. Could someone please help me few question below:
Is Traffic Manager same as load balancer?
Do we need to create Traffic Manager manually or created automatically on webrole deploy.
How do I configure Traffic Manager with new Azure Mgt. Portal?
What is the main purpose of Poll State, as it says offline but I can still access using trafic manager url.
When we get proper CNAME, should CNAME point to this Traffic manager or url provided on Cloud Service > Dashboard?
Thanks.
Is Traffic Manager same as load balancer?
It can be used for failover or load balancing, although only in a round robin way.
Have a look here.
https://azure.microsoft.com/en-us/documentation/articles/traffic-manager-overview/
Do we need to create Traffic Manager manually or created automatically on webrole deploy.
You need to create it manually.
How do I configure Traffic Manager with new Azure Mgt. Portal?
Currently I believe you can only do it in the old portal.
What is the main purpose of Poll State, as it says offline but I can still access using trafic manager url.
Again easier to read this.
https://azure.microsoft.com/en-us/documentation/articles/traffic-manager-overview/
When we get proper CNAME, should CNAME point to this Traffic manager or url provided on Cloud Service > Dashboard?
If you want to use traffic manager to manage the traffic you point your CName to the traffic manager url.