I have FrontDoor instance myFrontDoor configured with wildcard domain (single CNAME record on .myDomain.com directed to myFrontDoor.azurefd.net).
Setup of frontdoor looks like:
Domain | Backend pools | Rules
myFrontDoor.azurefd.net | backendPool-A | rule-A
*.myDomain.com | backendPool-B | rule-B
I would like to set up rules in a way that:
ruleA forwards all requests for a*.myDomain.com/* to backendPool-A (e.g. a1.myDomain.com, a2.myDomain.com)
ruleB forwards all requests for b*.myDomain.com/* to backendPool-B (e.g. b1.myDomain.com, b2.myDomain.com)
I tried to setup a pattern in a rule to be like
a*.myDomain.com/* but it says that:
Pattern is invalid, it must start with '/' (by Azure Portal)
I tried to do this by Azure CLI as well but error occurs as well.
According to Microsoft documentation for FrontDoor and wildcard domains it should work.
Related
Some of my apps are not working from some customers site, I later discovered that this was because I am using the default websites for my app hosting that is the url is myapp.azurewebsites.net which was not whitelisted on the customers firewall. The customer whitelisted my website domain name and its sub domain names .i.e mywebsite.com and *.mywebsite.com are all whitelisted.
If i were to create CNAME record which has a CNAME pointer to the azure default web app for example myapp.mywebsite.com points to myapp.azurewebsites.net, will this get around the issue ? Or do I need to whitelist myapp.azurewebsites.net Or its IP address that is the IP address of myapp.azurewebsites.net ?
Firstly, by default, apps hosted in App Service are accessible directly through the internet and can reach only internet-hosted endpoints. So, typically, anyone with the URL without any specific local network/firewall/proxy restrictions can access the WebApp URL.
As I understand, your WebApp is open to the public and only a few users (on a specific network), have trouble accessing the site. Plus, there are no access restrictions that you have implemented from the WebApp side.
Just to highlight,
Network administrators often deploy proxy servers, firewalls, or other
devices, which can help secure and give control over how users access
the internet. Rules designed to protect users can sometimes block or
slow down legitimate business-related internet traffic. This traffic
includes communications between you and Azure over the URLs listed
here.
Reference : Allow the Azure portal URLs on your firewall or proxy server
So, on case-case basis, for the affected network, you may have them add appservice.azure.com (Azure App Services) in the allowed list.
Or
As your customer performed – “The customer whitelisted my website domain name and its sub domain names .i.e mywebsite.com and *.mywebsite.com are all whitelisted.” have them add the URLs to allowedlist.
Or
Since IP address of your WebApp (see the reasons for the change), the best route would be for you to set up a custom domain for your WebApp.
Kindly check this doc - Tutorial: Map an existing custom DNS name to Azure App Service
The CNAME maps to the app's default hostname instead, which is less susceptible to change. | | Wildcard | *.contoso.com | CNAME record. |
-- As a side note (as indicated above), by setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. Which is the opposite of your scenario, just sharing as FYI, in case you wish to know about access restrictions from WebApp side. Set up Azure App Service access restrictions
I have a question about azure front door potential for this. So I have 2 web site running by Azure App Services and I need then under same domain name but different path of URL like this:
App Service A -> www.something.com
App Service B -> www.something.com/b-product
I'm not sure this is possible to use Azure front door or I should use another service to solve this problem.
Do somebody can suggestion to me?
Yes you can do this fairly easily, when you create your routing rule you have the option tom specify patterns to match, there you can specify /foo and have this forwarded to pool A where app service A lives
Then you create a different routing rule with /bar pattern to match and forward that to pool B
Then you can repeat this until you get what you need.
you can also have one routing rule match the / domain as per your example you don't have to use a /foo pattern you can also do /* but I always found it easier to use /foo/* and /bar/* to keep the same URL structure
As suggested by Junnas , you can use the front door rules engine
Alternatively , you can use application gateway listeners
If you want all of your requests (for any domain) to be accepted and forwarded to backend pools, choose basic. Learn how to create an application gateway with a basic listener.
If you want to forward requests to different backend pools based on the host header or host names, choose multi-site listener, where you must also specify a host name that matches with the incoming request. This is because Application Gateway relies on HTTP 1.1 host headers to host more than one website on the same public IP address and port. To learn more, see hosting multiple sites using Application Gateway.
Let me get this out of the way, I am not that familiar with DNS setup. But I am wondering if I can have this setup. I cannot test this right now because I control the our Azure portal but not the domain name provider.
We will have 2 subdomains. For example, api.contoso.com and app.contoso.com
We currently have a single Azure App Service Plan with two apps inside. One is the frontend SPA, and the other is the backend.
Checking the IP address and Custom Domain Verification ID of the two services, they are the same! So I am wondering if the setup of the two subdomains is possible. If not I'll consider moving out one of the App Service to its own App Service Plan or maybe Just map a single custom domain to the frontend. Any tips or suggestion?
Yes this is completely possible and a very standard setup. You will use CNAME records in your DNS setup which means you won’t use the IP address of the VM that your app service plan is on. Instead a CNAME DNS record maps your custom domain to another domain - in this case the domain name of an app service.
You will configure a different custom domain on each app service (and ideally a certificate to protect it).
E.g. your DNS might look like this:
app.contoso.com CNAME myapp.azurewebsites.net
api.contoso.com CNAME myapi.azurewebsites.net
I.e. when a request is made for a domain on the left it will be forwarded to the domain on the right.
When a request is made for either of your custom domains the custom domain will be in the host header. This request will be routed to the app service gateway which will look at the host header in order to know which VM to route the request to and once on the correct VM which app service to serve the actual request.
Once you have the above setup you can query the DNS system to see the complete route that a request would take, e.g.:
nslookup app.contoso.com
may return:
Name: waws-prod-xyz-123-1234.uksouth.cloudapp.azure.com
Address: 99.99.99.99
Aliases: app.contoso.com
myapp.azurewebsites.net
waws-prod-xyz-123-1234.uksouth.cloudapp.azure.com
With this command you'll see the actual VM that your app service plan is on (I've made up the IP and VM name here!).
I have a storage account in Azure with a container named clients. Inside the container I have folders for various clients, i.e:
mysite.blob.core.windows.net/clients/one
mysite.blob.core.windows.net/clients/two
I also have my own site set up as a static website, i.e:
mysite.z33.web.core.windows.net
On top of that, I have a custom domain: mysite.com. Is it possible, using Azure CDN or Azure Front Door/Application Gateway to route traffic like so (in a way that doesn't require further configuration per client):
one.mysite.com -> mysite.blob.core.windows.net/clients/one
two.mysite.com -> mysite.blob.core.windows.net/clients/two
mysite.com -> mysite.z33.web.core.windows.net
So far I have tried doing this with Azure CDN but I don't think it's possible, it has a rules engine that seems quite flexible but I don't think they support wildcard domains, unless I'm (hopefully) wrong. Ideally I'd like it to be done in some sort of wildcard way, so that is maps:
<client>.mysite.com -> mysite.blob.core.windows.net/clients/<client>
I don't really want to have to add more rules or configuration every time I have a new client.
In fact, you could use an alias record to add a root domain as the custom domains in your CDN endpoints if you use Azure CDN to host your DNS zone. In this case, you need to set up multiple endpoints for each custom domain. See this document for more details. But Pointing a zone apex to CDN endpoints for Azure CDN from Akamai is currently not supported. You can use other CDN price tier.
If you use the Azure application gateway, you may configure multiple sites listener to receive different incoming host traffic and use path-based URL rules to route the traffic to the backends. It looks like a complex configuration and hard to troubleshoot the app gw related issue.
The azure front door should also do this trick, it supports onboard a root domain on your Front Door also allows wildcard domains. The route path is also easy to configure. See path matching for more details.
Hope this information could help you.
Here is what I want to do:
I have a bunch of client URLs like client1.some.com and during maintenance I am redirecting them using Traffic Manager to banner.some.com
At this point it fails to show them my banner because their host names are not in "Custom Domain" section
I want to find a way to use WebApp for all clients so it won't care from what URL it came from. In that case once I get more clients I don't have to go to my WebApp and add their host names.
By now I have to go to me DNS provider and add awverify records there only after that I am able to add new custom domain on web app.
I want to make IIS ignore host header info and just return index page from default web page.
Thanks
Ihor
Far as I know, if the client URLs you mentioned have the same root domain or subdomain (e.g. client1.some.com, client2.some.com or client1.a.some.com, client2.a.some.com), you could map a wildcard domain (e.g. *.some.com or *.a.some.com) to your Azure App, in order to meet your requirement. You could follow the steps below to achieve your purpose.
Create the DNS record(s)
Please log in to your domain registrar and use their tool to add A CNAME record.
Your CNAME record should be configured as follows:
| FQDN EXAMPLE | HOST/NAME/HOSTNAME | Value |
| ----------------------------- | ------------------ | -------------------------- |
| *.some.com (wildcard) | * | hostname of your Azure App |
| *.a.some.com (wildcard & sub) | * | hostname of your Azure App |
Please log in to the Azure portal, then configure the wildcard domain for your Azure App.
In addition, after you finish the configuration steps, it could take some time for the changes to take effort.
You could visit http://digwebinterface.com/ to check whether the DNS propagation is working as expected.
For more details, you could refer to this tutorial.