I have noticed in my app insights log some suspicious traffic and I would like to block the IP. However, all I find is 0.0.0.0 for the IP on all requests. Is there a way to find in a log the exact IP to block future requests from the IP? I am using an Azure Web App with App Insights turned on for .Net Core application.
You can enabled Azure Monitor for AppServiceHTTPLogs and AppServiceIPSecAuditLogs. These logs should contain the source IP address.
Related
Our website is hosted on the Azure Linux web app, the site pulls data from third-party vendors. So we need to whitelist our website IP address to their server but after adding the IP for whitelisting still getting 401 unauthorized errors.
We checked the vendor and the IP has been configured properly but why we are getting 401 errors while pulling data via API call.
The IP address we found from Azure Portal --> web app --> select properties and the virtual IP address.
Any help or recommendation will be helpful.
If I understand you correctly, you are trying to whitelist the web app against the firewall for the third-party vendors app?
If so, then the virtual IP address that you have added is the ingress IP address for the web app. You need to add the outbound IP addresses from the Properties blade for the web app to the vendor's firewall.
You should note that there can be up to 11 of these IP addresses. Also, if you scale the web app up or down to a different service plan, or perform any change that will result in a new scale plan, the IP addresses will change. This does not apply to scaling out to multiple instances.
Using a static IP address solved the problem.
Playing with Azure App Service, I instantiated a simple web app. I tried to identify its IP address and found one in the properties of my app. It was described as 'virtual IP address'.
Trying to ping it or put it in my browser, it doesn't work and I can't find if it's an Azure configuration or a principle of virtual IP addresses... To be more precise, if I type '40.79.130.128' in my search bar, I crash on a 404 page, instead of my website page.
I read a bit on the topic, mainly what it is used for, but I don't understand if I can just reach it in my browser, because just typing it in my search bar is no use. What am I missing?
The Virtual IP address under your App Service on the blade Settings->Properties is the Shared IP.
The way IP address work in App Service is different. App Service app runs in an App Service plan, and App Service plans are deployed into one of the deployment units in the Azure infrastructure which is internally called a webspace and each of the deployment unit is assigned up to five virtual IP addresses, which includes one public inbound IP address and four outbound IP addresses.
All App Service plans in the same deployment unit, and app instances that run in them, share the same set of virtual IP addresses which means many App Services is behind same IP address hence you need to configure Custom Domain on your App Service to get it to work.
For configuring Custom domain refer to this link:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
Please refer to below articles for details:
Inbound and outbound IP addresses in Azure App Service
App Service networking features
I've run the suggested commands on the Kudu console to check for an outbound IP and nothing pops up.
Evidence :(
Under properties within the App Services menu, no outbound IP is listed either.
Evidence 2
I did not setup this Azure Stack Account or this App Services Web App. I think it might have been set up in some "isolated" version. Is it possible to change some setting somewhere to allow an outbound IP? Should I just make a new Web App within the Service Plan? Should I make a new Service Plan?
I think it's impossible to change some setting somewhere to allow an outbound IP. For more details, pls read the offical document about Inbound and outbound IP addresses in Azure App Service.
The set of outbound IP addresses for your app changes when you scale your app between the lower tiers (Basic, Standard, and Premium) and the Premium V2 tier.
I have an azure website that I can access by
myname.azurewebsites.net
In Azure dashboard, the IP is 104.214.237.135
When I try to access my website by IP I have a 404 error
I don't understand. My plan App Service is S1
Regards
Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service environment (not in the Isolated tier) share network infrastructure with other apps. As a result, the inbound and outbound IP addresses of an app can be different, and can even change in certain situations.
App Service Environments use dedicated network infrastructures, so apps running in an App Service environment get static, dedicated IP addresses both for inbound and outbound connections.
Azure AppService IP addresses are shared between tenants and not guaranteed to be static. Your app is bound to the hostname, not the IP address. Unless you are using App Service Environment, you cannot use a static / dedicated IP address with Azure AppServices. You can add additional custom hostnames to your app.
is it possible to determine each slot of an azure webapp to different ip adresses / vnets? e.g. dev-slot to the dev-vnet and prod-slot to the prod-vnet
the properties to determine outbound ip-adresses work "global" (for the whole webapp is not offering slot individual options.
Any idea how to do that (one ip / better vnet for each webapp slot) is very much appreciated!
Thank you very much!
As I know, it is not possible to determine each slot of an Azure web app to a different IP address.
Deployment slots are actually live apps with their own hostnames which is different from Azure web app hostnames. But the slots have the same IP address with Azure web app in Azure. You can use Ping utility to verify it, Ping timeout can say nothing only we can see the host from the web app or each slot in azure.
Here are the screenshots of two slots- staging and full in Azure web app service.
Actually, the IP address 13.90.143.69 is also the IP address of the Azure web app service. If you want dev-slot to the dev-vnet and prod-slot to the prod-vnet. I think it should be dev-slot linked to Azure web app service1 and prod-slot linked to Azure web service2. The service1 has a different IP address with service2.
Hope this makes sense.