Integrating App Service with NAT gateway to get static outbound IP - azure

Firstly, I integrate VNET with Azure App Service
In order to route traffic to VNet, I add WEBSITE_VNET_ROUTE_ALL with value 1 in App service settings.
I created NATgateway and attached it to the subnet.
I also created a route and attached it to the subnet. In that route, I gave the address prefix as the VNet address space, selected Virtual appliance for the Next hop type, and entered the NAT gateway public IP as the Next hop address.
Note: I used the below link for reference:
https://sakaldeep.com.np/1159/azure-nat-gateway-and-web-app-vnet-integration-to-get-static-outbound-ip
After doing all the above steps, I checked with the below command and did not get the NAT gateway IP as the result:
az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv

Azure App Service is a multi-tenant service. All App Service plans in the same deployment unit, and app instances that run in them, share the same set of virtual IP addresses. When you run
az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv
you just get the Outbound IP Addresses property of your web app. To find all possible outbound IP addresses for your app, regardless of pricing tier, click Properties in your app's left-hand navigation. They are listed in the Additional Outbound IP Addresses field. These outbound IP addresses will not change.
But if you send a request from your web app within a VNet over the internet, you should find the NAT gateway IP as the source.
For example, you could try to find the public IP from SSH (Linux App Service) with the command:
curl ipinfo.io/ip
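A small check, added here and not part of the original answer, that makes the distinction above concrete: it parses the comma-separated `--output tsv` list of platform outbound IPs and reports whether an egress IP observed from inside the app (e.g. via `curl ipinfo.io/ip`) is the NAT gateway IP, one of the shared platform IPs (meaning VNet routing is not in effect), or inside an allowed subnet range. All IPs below are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the page). The TSV string has the shape that
# `az webapp show ... --query possibleOutboundIpAddresses --output tsv` prints.
SAMPLE_POSSIBLE_OUTBOUND_TSV = "20.50.1.10,20.50.1.11,20.50.1.12,20.50.1.13"
SAMPLE_NAT_GATEWAY_IPS = ["40.80.2.7"]


def parse_ip_list(tsv_line):
    """Turn the comma-separated tsv output into a list of ip_address objects."""
    return [ipaddress.ip_address(p.strip()) for p in tsv_line.split(",") if p.strip()]


def classify_egress(observed_ip, nat_gateway_ips, possible_outbound_tsv, allowed_cidrs=()):
    """Say which egress path the observed source IP belongs to.

    Returns one of:
      "nat-gateway"   - traffic leaves via the NAT gateway (static; safe to allowlist)
      "platform"      - one of the shared App Service outbound IPs (VNet routing not in effect)
      "allowed-range" - inside an explicitly allowed CIDR, e.g. a delegated subnet
      "unknown"       - none of the above; investigate before allowlisting anything
    """
    ip = ipaddress.ip_address(observed_ip)
    if ip in {ipaddress.ip_address(n) for n in nat_gateway_ips}:
        return "nat-gateway"
    if ip in set(parse_ip_list(possible_outbound_tsv)):
        return "platform"
    if any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs):
        return "allowed-range"
    return "unknown"


def nat_gateway_in_effect(observed_ip, nat_gateway_ips, possible_outbound_tsv):
    """True only when the observed egress IP is the NAT gateway's static IP."""
    return classify_egress(observed_ip, nat_gateway_ips, possible_outbound_tsv) == "nat-gateway"


if __name__ == "__main__":
    for seen in ("40.80.2.7", "20.50.1.12", "8.8.8.8"):
        print(seen, "->", classify_egress(seen, SAMPLE_NAT_GATEWAY_IPS, SAMPLE_POSSIBLE_OUTBOUND_TSV))
```

Only a "nat-gateway" result means the static IP can be used in an external allowlist; a "platform" result means the request never reached the NAT gateway.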

How to configure subnet with azure privateendpoints to permit microsoft hosted agents access

I have a pipeline deploying to a WebApp without problems, but I need to activate a Private Endpoint to restrict access to this WebApp.
I did it, but with the Private Endpoint enabled the Microsoft-hosted agents do not connect to the WebApp, so my pipeline fails.
Then:
I created an NSG with an allow rule to permit traffic to my subnet (the same subnet as the Private Endpoint).
I associated the NSG with my subnet.
I disabled the private endpoint network policies in my subnet with the az CLI:
az network vnet subnet update --name <subnet-name> --resource-group <rg-name> --vnet-name <vnet-name> --disable-private-link-service-network-policies true
And,
az network vnet subnet update --name <subnet-name> --resource-group <rg-name> --vnet-name <vnet-name> --disable-private-endpoint-network-policies true
In my PowerShell script, I catch the agent IP and update the NSG to permit this source to my subnet.
But, nothing!
The Microsoft-hosted agents do not connect to the WebApp.
For Kudu REST API (deployment with Azure DevOps self-hosted agent), you must create two records pointing to the Private Endpoint IP in your Azure DNS private zone or your custom DNS server. The first is for your Web App, the second is for the SCM of your Web App.
Name | Type | Value
mywebapp.privatelink.azurewebsites.net | A | PrivateEndpointIP
mywebapp.scm.privatelink.azurewebsites.net | A | PrivateEndpointIP
Check out this doc: private-endpoint#dns
Additionally, just to highlight: Private Endpoint is only used for incoming flows to your Web App. Outgoing flows won't use this Private Endpoint. You can inject outgoing flows into your network in a different subnet through the VNet integration feature.
Note that the VNet integration feature cannot use the same subnet as the Private Endpoint; this is a limitation of the VNet integration feature. Kindly check this doc for additional info.

Outbound IP address Azure API Management

Scenario: I have a Pay-As-You-Go instance of Azure API Management. Into it, I have imported an Azure Functions app as APIs. The Azure Functions app is on the Consumption plan as well. These Azure functions call some external APIs and get data. I return the data as is from these functions.
Issue: To get data from the external APIs, I need to get my IP address whitelisted.
My calling pattern is APIM => Azure Function => External API. I am hitting the APIM endpoint from my UI to get data. I have not exposed the Azure Functions endpoint to the UI.
The issue is: what IP should be whitelisted to get the data?
Options Tried:
I got the APIM virtual address (public) whitelisted, but that didn't work.
I added logs to each of my functions to log the outbound IP address (using ipconfig.me). This gives me a different IP address than the APIM public IP.
My confusion is: if I have imported these functions into APIM, then my outbound IP address should be that of APIM and not of the functions, right? Or is my understanding wrong here?
It will be really helpful if someone can help with this scenario.
We need to get our IP whitelisted so that we can get the data. For that, changes to the infra can be done, even if we need to switch to premium plans.
In your case APIM works as a gateway to your system, so you would use the outbound IP address of APIM for IP restrictions configured at the Azure Functions level. This would secure access to the Functions and limit it to only APIM.
As you need to secure the external API, which is accessed via Azure Functions, you need to check the outbound IP for your App Service Plan (whether it's Consumption or not). The scenario you were trying would work only if outbound traffic is sent via some kind of gateway (see https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-nat-gateway).
Without a gateway, outbound IP can be checked with the following commands:
az functionapp show --resource-group <GROUP_NAME> --name <APP_NAME> --query outboundIpAddresses --output tsv
az functionapp show --resource-group <GROUP_NAME> --name <APP_NAME> --query possibleOutboundIpAddresses --output tsv

how to get hold of the azure kubernetes cluster outbound ip address

We have a basic AKS cluster set up and we need to whitelist this AKS outbound IP address in one of our services. I scanned the AKS cluster settings in the Azure portal but was not able to find any outbound IP address.
How do we get the outbound IP?
Thanks -Nen
If you are using an AKS cluster with a Standard SKU Load Balancer i.e.
$ az aks show -g $RG -n akstest --query networkProfile.loadBalancerSku -o tsv
Standard
and the outboundType is set to loadBalancer i.e.
$ az aks show -g $RG -n akstest --query networkProfile.outboundType -o tsv
loadBalancer
then you should be able to fetch the outbound IP addresses for the AKS cluster like (mind the capital IP):
$ az aks show -g $RG -n akstest --query networkProfile.loadBalancerProfile.effectiveOutboundIPs[].id
[
"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MC_xxxxxx_xxxxxx_xxxxx/providers/Microsoft.Network/publicIPAddresses/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
]
# Using $PUBLIC_IP_RESOURCE_ID obtained from the last step
$ az network public-ip show --ids $PUBLIC_IP_RESOURCE_ID --query ipAddress -o tsv
xxx.xxx.xxx.xxx
For more information please check Use a public Standard Load Balancer in Azure Kubernetes Service (AKS)
If you are using an AKS cluster with a Basic SKU Load Balancer i.e.
$ az aks show -g $RG -n akstest --query networkProfile.loadBalancerSku -o tsv
Basic
and the outboundType is set to loadBalancer i.e.
$ az aks show -g $RG -n akstest --query networkProfile.outboundType -o tsv
loadBalancer
Load Balancer Basic chooses a single frontend to be used for outbound flows when multiple (public) IP frontends are candidates for outbound flows. This selection is not configurable, and you should consider the selection algorithm to be random. This public IP address is only valid for the lifespan of that resource. If you delete the Kubernetes LoadBalancer service, the associated load balancer and IP address are also deleted. If you want to assign a specific IP address or retain an IP address for redeployed Kubernetes services, you can create and use a static public IP address, as #nico-meisenzahl mentioned.
The static IP address works only as long as you have one Service on the AKS cluster (with a Basic Load Balancer). When multiple addresses are configured on the Azure Load Balancer, any of these public IP addresses are a candidate for outbound flows, and one is selected at random. Thus every time a Service gets added, you will have to add that corresponding IP address to the whitelist which isn't very scalable. [Reference]
In the latter case, we would recommend setting outBoundType to userDefinedRouting at the time of AKS cluster creation. If userDefinedRouting is set, AKS won't automatically configure egress paths. The egress setup must be done by you.
The AKS cluster must be deployed into an existing virtual network with a subnet that has been previously configured because when not using standard load balancer (SLB) architecture, you must establish explicit egress. As such, this architecture requires explicitly sending egress traffic to an appliance like a firewall, gateway, proxy or to allow the Network Address Translation (NAT) to be done by a public IP assigned to the standard load balancer or appliance.
Load balancer creation with userDefinedRouting
AKS clusters with an outbound type of UDR receive a standard load balancer (SLB) only when the first Kubernetes service of type 'loadBalancer' is deployed. The load balancer is configured with a public IP address for inbound requests and a backend pool for inbound requests. Inbound rules are configured by the Azure cloud provider, but no outbound public IP address or outbound rules are configured as a result of having an outbound type of UDR. Your UDR will still be the only source for egress traffic.
Azure load balancers don't incur a charge until a rule is placed.
[!! Important: Using outbound type is an advanced networking scenario and requires proper network configuration.]
Here are instructions to Deploy a cluster with outbound type of UDR and Azure Firewall.
You can define AKS to route egress traffic via a Load-Balancer (this is also the default behavior). This also helps you to "use" the same outgoing IP with multiple nodes.
More details are available here.

cannot access ACI restful endpoint deployed to VN

I deployed a docker image to an ACR and then to an ACI with a command like this:
az container create \
  --resource-group myrg \
  --name myamazingacr \
  --image myamazingacr.azurecr.io/test3:v1 \
  --cpu 1 \
  --memory 1 \
  --vnet myrg-vnet \
  --vnet-address-prefix 10.0.0.0/16 \
  --subnet default \
  --subnet-address-prefix 10.0.0.0/24 \
  --registry-login-server myamazingacr.azurecr.io \
  --registry-username xxx \
  --registry-password xxx \
  --ports 80
This all works without error; the IP of the ACI is 10.0.0.5 and there is no FQDN as it is in a VNet. I think this makes sense.
When I run the image outside Azure (i.e. on the local machine where I created the image), I can successfully access an endpoint like this:
http://127.0.0.1/plot
http://127.0.0.1/predict_petal_length?petal_width=3
[127.0.0.1] indicates that I run the image on the local machine.
However, this does not work:
http://10.0.0.5/plot
http://10.0.0.5/predict_petal_length?petal_width=3
I get:
This site can’t be reached. 10.0.0.5 took too long to respond.
What could be wrong please?
PS:
Maybe it is related to this:
https://learn.microsoft.com/en-us/answers/questions/299493/azure-container-instance-does-not-resolve-name-wit.html
I have to say I find Azure really frustrating to work with. Nothing really seems to work. Starting with Azure ML to ACIs ...
PPS:
This is what our IT says; tbh I do not fully understand ...
• Private endpoints are not supported, so we need to create a VNet in the resource group, peer it to the current dev VNet, and we should be good.
• We basically need to know how we can create an ACR with the network in an existing VNet in a different resource group. I am struggling to find the correct way to do this.
Since you have deployed your ACI into an Azure virtual network, your containers can communicate securely with other resources in the virtual network. So you could access the ACI endpoint in the Azure vNet.
For example, you can try to deploy a VM in the vNet but in a different subnet than your ACI, then you can try to access the ACI endpoint from the Azure VM.
Alternatively, you can expose a static IP address for a container group by using an application gateway with a public frontend IP address.
The possible reason for your issue is that you set the wrong IP address for your application to listen on. The IP address 127.0.0.1 is the localhost or loopback IP, which can only be used inside the machine. Take a look here. So you can try to change the IP to 0.0.0.0. This one is accessible from outside.

Determine IP address/es of Azure Container Instances

Is there a way to determine outbound IPs specific to Azure Container Instances?
Background:
I would like to allow my container instance to send network messages to a service behind a firewall. To configure this firewall, I need to know the outbound IP address or range of IPs.
I found a list of IPs for my region here https://www.microsoft.com/en-us/download/details.aspx?id=56519 but it's for all services (for my region it's more than 180 entries), not only container instances.
You can get container info by executing this Azure CLI command:
az container show --resource-group "RgName" --name "containerName" --output table
You may be able to use Private IP, VNet deployment feature (in preview currently) of ACI to support this.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet
You can use the CIDR range of the subnet to configure your firewall.
HTH