Azure web app access restrictions to application gateway - azure

I am using a V1 WAF application gateway (dynamic IP) in front of a web app.
When I configure the web app access restrictions to allow the application gateway, I received a 403 when I try to access the web app URL (expected behavior). However, I also received a 403 when accessing through the app gateway URL (not expected!). I have tried a rule to allow the app gateway IP and also a rule allowing the app gateway VNet (service endpoint), both with the same result. Any idea why it's not working? Thx!

I suggest you read up on this topic. You are probably getting a VPC error.
https://azure.microsoft.com/en-us/services/virtual-network/#overview

Related

Azure App service restrictions not working

I have the following setup on azure:
1 app service for .NET backend
1 app service for angular frontend with a custom domain
1 SQL server
I created a virtual network and added 2 subnets for frontend and backend. I assigned these subnets to the app services.
I would like to allow only the frontend to access my backend but my frontend receives 403 from my backend.
I created Access Restrictions that allow only inbound connections from the subnet, or IP, but my frontend receives 403 when it is trying to access it. What could be the problem?
As you are getting 403, which implies forbidden, it looks like an access issue here.
As per the official documentation, you may need to provide permissions as well to the subnet or at a higher level.

How to manage cookies when app service is running behind the application gateway?

In my ASP.Net Core application, I am using the OpenId Connect authentication scheme with the Azure AD.
The application is hosted on to Azure app service and it is running behind the application gateway of the Azure.
I have configured Application gateway's and app service URL in the Azure AD's reply URL configurations where I registered my application.
When I hit the application gateway's URL it redirects me for authentication, then I log in using Azure AD Microsoft credentials. After successful login it redirects me to the Application gateway URL, and then I get a 500 internal server error. When I check the response headers I can see that the Set-Cookie header's domain is the App service URL which is running behind the application gateway, and it shows me a warning: "This Set-Cookie was blocked because its Domain attribute is invalid with regards to the current host URL"
Any idea how to resolve this issue?
Many thanks

Azure app service - how do I whitelist an endpoint (not IP address)

I have an Azure app service (Web API) and have restricted access to everyone and allowed access by IP address using access restrictions (https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions)
I want to allow a particular domain/endpoint access to the API, no matter which IP address they are coming from. Is there any way to do it?
Unfortunately, it's impossible to whitelist a particular domain/endpoint to the Azure app service using access restrictions, as essentially the domain name will be resolved to a real IP address via DNS when the client accesses the web API in the Azure app service.
Not sure why you want to only allow a particular domain. Perhaps, you just want to map a custom domain to Azure App Service. Then you can access the web API using your multiple custom domain URLs.
Furthermore, optionally, you could apply an Application gateway in front of your web API, then you could access your backend web API using a custom domain URL or Application gateway URL. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example, URI path or host headers. Also, you could whitelist the Application gateway frontends in your app service access restrictions. See Configure App Service with Application Gateway for more details.
I hope it's helpful for you.
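
The allow-listing that the answer above suggests, sketched with the Az PowerShell module as an added example (not code from the original posts). The resource group, web app, public IP, VNet and subnet names are placeholders chosen for illustration.

```powershell
# Placeholder names (assumptions, not from the page).
$rg      = 'rg-example'
$webApp  = 'mywebapi'
$pipName = 'appgw-pip'

# Look up the address of the gateway's public frontend.
$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
if ($pip.IpAddress -eq 'Not Assigned') {
    # A dynamic address stays unassigned until the gateway is running.
    throw "Public IP '$pipName' has no address yet; start the gateway first."
}

# Allow only the gateway frontend. Once an allow rule exists, traffic that
# matches no rule is denied by the implicit deny-all at the end of the list.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $webApp `
    -Name 'allow-appgw-frontend' -Priority 100 -Action Allow `
    -IpAddress "$($pip.IpAddress)/32"

# Alternative for a gateway whose address can change: allow its subnet instead.
# This relies on the Microsoft.Web service endpoint being enabled on that subnet.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $webApp `
    -Name 'allow-appgw-subnet' -Priority 110 -Action Allow `
    -VirtualNetworkName 'vnet-example' -SubnetName 'snet-appgw'

# Review the resulting rule order.
$config = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $webApp
$config.MainSiteAccessRestrictions | Sort-Object Priority | Format-Table -AutoSize
```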

Azure Application Gateway with App Service Web App

I have created an application gateway with WAF (default detection mode) in an Azure Resource Group (no ASE) with an App Service Web App backendPool member/target MS link (followed instructions to the letter both via the Azure Portal and via PowerShell).
I'm not using any custom domains, just the basic config with my backendPool member being an Azure Web App, i.e. mywebapp.azurewebsites.net (Web App is a basic ASP.NET test site which runs fine on its .azurewebsites.net address).
MS application gateway documentation states they now support App Services as backendPool targets (FQDN/which I use).
My basic httpSettings, basic listener and rule are all set up correctly as far as I'm aware (HTTP port 80).
So in essence my app gateway should listen on port 80 of the public IP attached to it and forward any incoming requests to the backendPool member (Web App).
But when I try to access the gateway's public IP (or DNS address) I keep getting an 'Azure 404 Web Site not found.' page/error.
Strangely if I stop the Web App from the Azure portal I get a 502/bad gateway error until I restart the Web App where the 404 page returns.
I don't know if I'm missing anything here? Does anyone have any suggestions at all? I cannot seem to get this working.
You probably are missing a couple of configuration elements. Backend http settings should require 'PickHostNameFromBackendAddress' flag. You should also use a custom probe which has 'PickHostNameFromBackendHttpSettings' flag set. The end to end PowerShell documentation is at link which details your scenario.

Azure load balancing configuration with App Services

What am I trying to do
I have two Azure apps deployed as App Services. To make the rest of the post easy let's call them "blog" and "landing_page". Both of them are hosted, so their URLs are blog.azurewebsites.net and landing_page.azurewebsites.net.
I want to configure "something" in Azure with following rules:
if user access http://mydomain/ - content of landing_page.azurewebsites.net
if user access http://mydomain/blog - content of blog.azurewebsites.net
What I tried
After reading the documentation, I had to reject Traffic Manager because it works on DNS level. From the other two I decided to use Application Gateway, because it should work on any Endpoint (Any Azure internal IP address, public internet IP address, Azure VM, or Azure Cloud Service).
I configured my Application Gateway setting backend to: landing_page.azurewebsites.net. But in "Backend health" the app status is unhealthy. I tried also:
blog.azurewebsites.net - unhealthy
www.wp.pl (polish news portal) - is working
gazeta.pl (polish news portal) - is working
stapp.space (my blog) - this is same as piotrstapp.azurewebsites.net and status is unhealthy
Question :)
What did I do wrong? Maybe I should use something else on Azure? Or am I missing something?
Make sure that custom probes are turned on and configured in the HTTP settings of the WAF for your site. If you don't, the Application Gateway will try to go to the IP of the App Service Environment without passing a Host header, which won't work and will throw the probe into an unhealthy state, resulting in a "502 Gateway Proxy" error.
There is a great article here
You may want to check out Azure's application gateway path-based rules function:
Create a path-based rule for an application gateway by using the Azure portal
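
The host-name settings named in the 404 answer further up and the custom probe recommended in the answer above, as one added example using the Az PowerShell module (not code from the original posts or from Microsoft's walkthrough). The resource group, gateway, probe and HTTP settings names are placeholders, and the probe path and thresholds are assumed values.

```powershell
# Placeholder names (assumptions, not from the page).
$rg       = 'rg-example'
$gwName   = 'appgw-example'
$settings = 'appGatewayBackendHttpSettings'   # assumed name of the existing HTTP settings

$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gwName

# Custom probe: take the Host header from the backend HTTP settings, so the
# probe is not sent to the App Service address without a usable Host header.
$match = New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode '200-399'
$gw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'probe-webapp' `
    -Protocol Http -Path '/' -Interval 30 -Timeout 30 -UnhealthyThreshold 3 `
    -PickHostNameFromBackendHttpSettings -Match $match
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'probe-webapp'

# HTTP settings: send the pool member's FQDN (for example
# mywebapp.azurewebsites.net) as the Host header and attach the probe.
$gw = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name $settings `
    -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30 `
    -PickHostNameFromBackendAddress -Probe $probe

# Push the modified configuration to Azure.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Confirm the pool member now reports as healthy.
$health = Get-AzApplicationGatewayBackendHealth -ResourceGroupName $rg -Name $gwName
$health.BackendAddressPools.BackendHttpSettingsCollection.Servers |
    Format-Table Address, Health
```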
