I am currently trying to use an Azure function to connect to some on-premises API endpoints. Currently, for reasons I cannot go into, I am attempting to use the IP address for the endpoints in the Hybrid Connection. For some odd reason I cannot connect to that IP address. I have checked our firewall logs, LB, and the HCM box on-premises event logs. None of these show any kind of attempt at connection. Anyone have any ideas?
I can think of a couple of ways to achieve this:
Create a VPN connection and Integrate a Function App with an Azure Virtual Network
You can consider this path: on-premises ----> S2S (Site-to-Site) VPN ----> VNet ----> function in a subnet of the VNet.
You may follow: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Check Azure Service Bus relay
For reference:
https://www.stefanroth.net/2019/01/13/azure-functions-azure-functions-using-hybrid-connections/
https://yourazurecoach.com/2017/09/26/azure-function-proxies-part-2-easily-enable-hybrid-integration/
However, if you need assistance for an application-specific issue, you may consider reaching out to Microsoft Support.
Here is my scenario: My database is on MongoDB Atlas. I need to access Atlas from an Azure Function (Dynamic/Consumption Plan) and an App Service. In doing so, I am facing a timeout issue. I know this is because I have to whitelist the outbound IP addresses of the Azure Function and App Service Plan in Atlas. But Azure Functions (with Consumption Plan) and App Service update their outbound IP addresses during the autoscaling process. Now there are 2 solutions I can think of:
Whitelist all the IP addresses of an Azure Region/Zone. But this is not an ideal approach, as a single Zone may have many (500~1000 or more) IP addresses.
Using the VPC peering. I guess we may connect Azure and Atlas through VNET. However, to do that, I need to connect the Azure function and App Service to Vnet first. The problem is VNET Integration with these services is a very expensive approach.
So my question is, what other options do I have? Is there any way to connect them using some managed identity or an authentication/authorization approach using Azure AD or something like that? Does Federated Authentication fit such a case?
You can use App Service Environment
App Service Environments use dedicated network infrastructures, so apps running in an App Service environment get static, dedicated IP addresses both for inbound and outbound connections.
See: https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips
Another solution would be to place your app behind a Firewall and give the firewall a static IP address.
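Whichever way you end up with stable egress (ASE, a firewall, or simply the app's current outbound addresses), the check you want to be able to run is "is every address this app can send from actually covered by the Atlas IP access list?". The script below is an added example, not code from the question or the answer: it takes the comma-separated string that `az webapp show --query possibleOutboundIpAddresses` returns (the addresses here are constructed), compares it against a constructed allowlist of CIDRs, lists the gaps, and produces the tightest set of CIDR entries that covers exactly those addresses. Because the outbound set can change, as the question notes, this is a check to re-run rather than something to do once.

```python
from ipaddress import ip_address, ip_network, collapse_addresses

# Constructed sample of the value `possibleOutboundIpAddresses` has on an
# App Service / Function App (a comma-separated string). Addresses are made up.
POSSIBLE_OUTBOUND = "20.50.1.10,20.50.1.11,20.50.1.12,40.70.2.200,40.70.2.201"

# Constructed, hypothetical Atlas IP access list: one /29 and one /32 entry.
ATLAS_ALLOWLIST = ["20.50.1.8/29", "40.70.2.200/32"]


def parse_outbound_ips(value):
    """Turn the comma-separated property value into IPv4Address objects."""
    return [ip_address(part.strip()) for part in value.split(",") if part.strip()]


def uncovered_ips(outbound, allowlist):
    """Outbound addresses that no allowlist entry contains (these will time out)."""
    nets = [ip_network(entry, strict=False) for entry in allowlist]
    return sorted(ip for ip in outbound if not any(ip in net for net in nets))


def exact_allowlist(outbound):
    """Smallest CIDR list that allows exactly the given addresses and nothing else.

    collapse_addresses only merges blocks whose union is itself a whole block,
    so no address outside `outbound` is admitted by the result.
    """
    singles = (ip_network(f"{ip}/32") for ip in set(outbound))
    return [str(net) for net in collapse_addresses(singles)]


if __name__ == "__main__":
    ips = parse_outbound_ips(POSSIBLE_OUTBOUND)
    gaps = uncovered_ips(ips, ATLAS_ALLOWLIST)
    print("Outbound addresses not covered by the Atlas allowlist:", [str(ip) for ip in gaps])
    print("Exact allowlist for the current outbound set:", exact_allowlist(ips))
```

With the sample data, 40.70.2.201 is reported as uncovered (the /32 entry only admits .200), and the exact allowlist collapses the five addresses into three entries without admitting any extra address.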
We have three App Services in Azure (API1, API2, API3).
API2 is getting data from CosmosDB.
API3 is getting data from another CosmosDB.
Main API1 calls API2 to get some data. Then using this data calls API3.
We have poor performance of API1 and we are trying to figure out why. We noticed that there are too many connections in the metrics. Also, we have an issue with SNAT ports.
We tried to set up these APIs in the same VNet but it doesn't help, and we are not sure how to set it up correctly.
Do you have any idea what we should setup?
UPDATE:
Seems like VNet helped us with SNAT ports issue but performance of API was still very poor.
What really helped us was the change from Windows to Linux. When all APIs run on the Linux servers we don't see any connections anymore.
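The "too many connections" metric and SNAT port pressure described in the question usually have one root cause: every outbound call from API1 to API2/API3 opens a new TCP connection, and each new connection consumes a SNAT port on the App Service's shared egress until it times out. The example below is added here and is not code from the question; it stands up a constructed local HTTP/1.1 server (playing API2) that records the client source port of every connection it accepts, then makes the same 20 calls two ways: a fresh connection per call versus one keep-alive connection reused for all calls. The port count the server sees is the number of SNAT ports the same pattern would burn in Azure. The same principle applies to any language; in .NET it is the usual "reuse a single HttpClient" advice.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class _ApiStub(BaseHTTPRequestHandler):
    """Constructed stand-in for API2: answers every GET and records the client port."""

    protocol_version = "HTTP/1.1"  # HTTP/1.1 so keep-alive connections are honoured

    def do_GET(self):
        # One handler instance per TCP connection, so this is the peer's source port.
        self.server.seen_ports.add(self.client_address[1])
        body = b'{"ok": true}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stub():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _ApiStub)  # port 0: pick a free port
    srv.seen_ports = set()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call_api_per_request_connection(port, n):
    """Anti-pattern: a new TCP connection (and therefore a new SNAT port) per call."""
    for _ in range(n):
        conn = http.client.HTTPConnection("127.0.0.1", port)
        conn.request("GET", "/data")
        conn.getresponse().read()
        conn.close()


def call_api_shared_connection(port, n):
    """Reuse one keep-alive connection for all calls: one source port in total."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    for _ in range(n):
        conn.request("GET", "/data")
        conn.getresponse().read()  # drain the body before reusing the connection
    conn.close()


def distinct_source_ports(caller, n=20):
    """Run `caller` against a fresh stub and return how many source ports it used."""
    srv = start_stub()
    try:
        caller(srv.server_address[1], n)
        return len(srv.seen_ports)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("new connection per call:", distinct_source_ports(call_api_per_request_connection), "source ports")
    print("one shared connection:  ", distinct_source_ports(call_api_shared_connection), "source port(s)")
```

The per-call variant shows one source port per request; the shared variant shows exactly one. In a real service the fix is a process-wide client or connection pool with an idle timeout long enough to be reused across requests, not a client created inside each request handler.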
Not sure what the specific configurations of the three APIs on your side are. If you want to use an IP from the VNet instead of an external one, you can use a separate environment, ASE.
Alternatively, you can use a private link to the app service. By using Private Endpoint, you can connect privately to your web app. Read Connect privately to a web app by using Azure Private Endpoint (Preview).
Today, you can secure this connection using VNet service endpoints which keep the traffic within the Microsoft backbone network and allow the PaaS resource to be locked down to just your VNet. However, the PaaS endpoint is still served over a public IP address and therefore not reachable from on-premises through Azure ExpressRoute private peering or VPN gateway. With today’s announcement of Azure Private Link, you can simply create a private endpoint in your VNet and map it to your PaaS resource (Your Azure Storage account blob or SQL Database server). These resources are then accessible over a private IP address in your VNet, enabling connectivity from on-premises through Azure ExpressRoute private peering and/or VPN gateway and keep the network configuration simple by not opening it up to public IP addresses.
For more information, you could read here.
I was trying to connect my Azure web app (PaaS) to my VM in another VNET. I could get this working by doing a VNET integration following the instructions at https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
I can now connect to the VMs in the destination VNET; however, the web app is now unable to connect to Azure SQL (PaaS). Is it not that the web app should continue to access the PaaS resources as before, or do I need to update any configuration to get this connectivity?
Edit: I was able to get this working with a VPN(Route based) and with a VPN GW and P2S connection.
However, for some reason I do not get this working with my existing VPN, which is also route-based but has an Azure SSL VPN (SSTP). Can this cause some connection issue to Azure SQL?
Appreciate your response
PS: I do not want to use ASE specifically as the need is very limited and cost for going to ASE is high for this use case.
We have an Azure WebJob running on an App Service connected to a vNET via Point-to-Site connection.
That same vNET is then connected to the on-premise network via a Site-to-Site VPN connection.
Routing is set up on the Site-to-Site connection so that the IP range of the Azure vNET (172.27.0.0/24) is sent from OnPrem > Azure. This can be tested by logging in to a VM inside of the vNET to query on-premise resources - this works fine, and as expected.
If the same request (to a REST API) is sent from the WebJob, things do not work.
The IP range of the Point-to-Site (172.27.1.144/28) does not intersect with that of the vNET, so I am wondering if we need to also route this range "back across" the Site-to-Site connection also?
Another alternative is that a routing table within Azure needs to have a manual entry, somehow?
Any tips on how to troubleshoot / get this working would be much appreciated.
The IP range of the Point-to-Site (172.27.1.144/28) does not intersect with that of the vNET, so i am wondering if we need to also route this range "back across" the Site-to-Site connection also?
You need to do that, indeed. Not only that, you need to configure this network range (172.27.1.144/28) on your on-premises router too - so it recognises and accepts the traffic.
But in order to make the routing from the Point-to-Site (Azure app service) to the on-premise over the Site-to-Site VPN Connection, you will need to use a Virtual Appliance which is capable of forwarding the traffic.
For the sake of simplicity and cost savings, you could just use Azure Hybrid Connections to connect the Azure Web App / WebJob to the on-premise resource.
You can also refer to the documentation here, which lists the limitations of connecting App Service Plan to a Virtual Network, namely:
There are some things that VNET Integration does not support including:
mounting a drive
AD integration
NetBios
private site access
Please note the last one - private site access - this is your on-premises.
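The routing point in this answer (on-prem only has a return route for 172.27.0.0/24, so replies to a WebJob sourced from the Point-to-Site pool 172.27.1.144/28 have nowhere to go) can be checked mechanically before touching any gateway. The script below is an added example, not code from the question or the answer; it uses only the two prefixes given in the question and Python's `ipaddress` module. It confirms the pool is outside the vNET range, lists which Azure-side prefixes on-prem is not yet routing over the tunnel, shows the return-path difference between a VM address and a WebJob address, and computes the single summary prefix that would cover both (with the caveat that a summary can admit addresses you do not own).

```python
from ipaddress import ip_address, ip_network

# Values from the question.
VNET_PREFIX = ip_network("172.27.0.0/24")   # Azure vNET address space
P2S_POOL = ip_network("172.27.1.144/28")    # Point-to-Site client pool the WebJob sources from

# What on-prem currently routes back over the S2S tunnel (from the question: only the vNET range).
ONPREM_ROUTES_TO_AZURE = [VNET_PREFIX]


def prefixes_needed(vnet, p2s_pool, onprem_routes):
    """Azure-side prefixes on-prem must route over the S2S tunnel but does not yet."""
    return [p for p in (vnet, p2s_pool)
            if not any(p.subnet_of(route) for route in onprem_routes)]


def has_return_route(src_ip, onprem_routes):
    """Can on-prem send a reply to a packet whose source address is src_ip?"""
    return any(src_ip in route for route in onprem_routes)


def summary_route(prefixes):
    """Smallest single prefix covering every given prefix.

    Note: the summary may include addresses outside the given prefixes, so only
    advertise it if you control (or are happy to black-hole) the extra space.
    """
    net = prefixes[0]
    while not all(p.subnet_of(net) for p in prefixes):
        net = net.supernet()
    return net


if __name__ == "__main__":
    print("P2S pool overlaps the vNET range:", VNET_PREFIX.overlaps(P2S_POOL))
    missing = prefixes_needed(VNET_PREFIX, P2S_POOL, ONPREM_ROUTES_TO_AZURE)
    print("Prefixes on-prem still needs to route over the S2S tunnel:", [str(p) for p in missing])
    # Hypothetical addresses: one VM in the vNET, one P2S client address used by the WebJob.
    for label, host in (("VM in vNET", "172.27.0.10"), ("WebJob via P2S", "172.27.1.150")):
        ok = has_return_route(ip_address(host), ONPREM_ROUTES_TO_AZURE)
        print(f"{label} ({host}) gets replies from on-prem:", ok)
    print("One summary prefix covering both:", summary_route([VNET_PREFIX, P2S_POOL]))
```

Running it shows the /28 is not a subnet of the /24 (it sits in 172.27.1.0/24), that the WebJob's source address has no return route while the VM's does, and that 172.27.0.0/23 is the smallest summary covering both. Adding 172.27.1.144/28 to the on-prem routing (and to the local network gateway / VPN device's accepted ranges, as the answer says) makes the missing list empty.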
We are going to work on Azure BizTalk Service + Service Bus integration for one of our customers. I am exploring those two concepts, but in the meantime I have also noticed there is a concept of a "Site-To-Site" VPN connection to establish cloud to on-premises networking.
Can you please let me know in which scenario we need to choose Site-to-Site VPN connection?
Thanks,
Vinoth
You would establish a site-to-site VPN when you want to connect your Azure subscription to your on-premises data center. It could be that your BizTalk or even Service Bus infrastructure is hosted on-premises and you need to connect to it to provide functionality to your cloud service.
We would also use an S2S VPN connection when hosting virtual machines in Azure and wanting to connect them to networks on-premises. This would let users access these services over our own private network.