Restrict Azure Logic App custom connector HTTP headers - azure

I'm using a custom connector to connect to an on prem SOAP web service via a data gateway. The request is failing due to the large number of x-ms-* HTTP headers being added by the custom connector. The target web service is hosted on Apache Tomcat and has a restriction on HTTP header total size (which I cannot control). Is there any way in either logic app or custom connector configuration to stop these HTTP headers being added?

Unfortunately, there is no way to control this from logic apps itself. Instead, you could front your SOAP service with a proxy that handles this for you.
In the cloud, you could use Azure APIM which can strip headers from being forwarded to your SOAP service.
You can also deploy APIM in a VNET for it to access sources on-premises via a VPN Gateway or an Express Route connection.
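The header filtering such a fronting proxy applies before forwarding, as an added example (not code from the original post). It assumes an 8192-byte limit, which is Tomcat's default `maxHttpHeaderSize`; the header names and values in the sample request are constructed.

```python
# Assumption: the backend's total header limit. 8192 bytes is Tomcat's
# default maxHttpHeaderSize; the page does not state the actual limit.
BACKEND_HEADER_LIMIT = 8192

# Prefix named in the question; matched case-insensitively because HTTP
# header names are case-insensitive.
STRIP_PREFIXES = ("x-ms-",)


def header_block_size(request_line, headers):
    """Bytes the request line and headers occupy on the wire (HTTP/1.1)."""
    size = len(request_line.encode("latin-1")) + 2  # request line + CRLF
    for name, value in headers:
        # Each header is sent as "Name: value\r\n".
        size += len(name.encode("latin-1")) + 2 + len(value.encode("latin-1")) + 2
    return size + 2  # blank line that ends the header block


def filter_headers(headers, strip_prefixes=STRIP_PREFIXES):
    """Drop headers whose name starts with one of strip_prefixes."""
    return [(n, v) for n, v in headers if not n.lower().startswith(strip_prefixes)]


def prepare_forward(request_line, headers, limit=BACKEND_HEADER_LIMIT):
    """Return (kept_headers, size_before, size_after); raise if still over limit."""
    kept = filter_headers(headers)
    before = header_block_size(request_line, headers)
    after = header_block_size(request_line, kept)
    if after > limit:
        raise ValueError(f"header block is {after} bytes after filtering; limit {limit}")
    return kept, before, after


# Constructed sample request: names and values are invented for illustration.
SAMPLE_REQUEST_LINE = "POST /services/Orders HTTP/1.1"
SAMPLE_HEADERS = [
    ("Host", "soap.internal.example"),
    ("Content-Type", "text/xml; charset=utf-8"),
    ("SOAPAction", '"urn:example:GetOrder"'),
    ("X-MS-Example-Tracking", "a" * 5000),
    ("x-ms-example-context", "b" * 4000),
]

if __name__ == "__main__":
    kept, before, after = prepare_forward(SAMPLE_REQUEST_LINE, SAMPLE_HEADERS)
    print(before, after, [name for name, _ in kept])
```

The `ValueError` path covers the case where the remaining headers alone exceed the backend limit, which stripping cannot fix.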

Related

Azure app service - how do I whitelist an endpoint (not IP address)

I have an Azure app service (Web API) and have restricted access to everyone and allowed access by IP address using access restrictions (https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions).
I want to allow a particular domain/endpoint access to the API; it doesn't matter which IP address they are coming from. Is there any way possible to do it?
Unfortunately, it's impossible to whitelist a particular domain/endpoint to the Azure app service using access restrictions, as essentially the domain name will be resolved to a real IP address via DNS when the client accesses the web API in the Azure app service.
Not sure why you want to only allow a particular domain. Perhaps, you just want to map a custom domain to Azure App Service. Then you can access the web API using your multiple custom domain URLs.
Furthermore, optionally, you could apply an Application gateway in front of your web API, then you could access your backend web API using a custom domain URL or Application gateway URL. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example, URI path or host headers. Also, you could whitelist the Application gateway frontends in your app service access restrictions. See Configure App Service with Application Gateway for more details.
I hope it's helpful for you.

How do requests from clients to an API get routed through the gateway hosted on Azure?

I'm not entirely new to MS Azure, but I am new to its API Management Service. I am trying to get an understanding of how the routing works between the client, the APIMS, and the backend APIs, but somehow can't seem to find what I'm looking for within Microsoft's documentation.
So here's what we have and what I understand:
We have multiple APIs that we host on Azure as App Services. And those APIs are added to the APIMS, which we are using as a gateway. The APIMS's inbound policies on each API specify the backend service as that App. But that's all I know.
So when a client, say an application running on someone's computer, sends a request to one of those APIs, how does its request URL end up routing through the gateway? And how does that all relate?
The request URL is made up as follows:
[name of your APIM service].azure-api.net/[name of api]/[api method]/[querystring]
Example:
https://myapimanager.azure-api.net/myapi/getstudent?id=1
https://myapimanager.azure-api.net/myotherapi/getsomethingelse?name=bubbles

Enabling Communication between different webroles on Azure Cloud

We are trying to build a cloud service on Azure. We have 3 webrole instances running. What are the possible ways to proxy the requests that we get on a webrole to some other webrole?
For example,
I have the following 2 web roles running: webrole0, webrole1.
I get a request on webrole0. Based on some parameters either webrole0 can serve the request or the request needs to be proxied to webrole1. How do I make this proxying of the request possible?
If you are looking for path-based routing, you can go with Azure Application Gateway. If you want to route traffic to web roles based on the request parameters, you need to go with third-party NVAs like F5 to check if that satisfies your routing needs.

No Response from Azure Web Application Firewall

I have an App Service hosted in azure and I need to secure that using Azure's Web Application Firewall (WAF). I've created the WAF and also specified the app service's FQDN but when I hit that from the browser I get a timeout response after ~3mins.
I've validated that I can hit the AppService using the http://FQDN. The WAF's BackendHttpSetting is configured for HTTP port 80. The listener is also configured for HTTP 80. I've tried hitting the WAF endpoint using the IP as well as the {guid}.cloudapp.net.
I'm out of ideas now.
Any pointers?
Thanks
Support for Azure Web Application requires additional configuration on backend setting and probe for correctly overriding Host headers from incoming requests. This is documented at link1 and link2 for a working example.

Can HttpClient on an Azure WebRole with only internal endpoints call out to an external URL?

I have an Azure solution containing an MVC application, hosting some Web API controllers that constitute a RESTful API, and a back end WCF service. The MVC app is on a Web Role with a public http endpoint. The WCF application is on another Web Role, with no public endpoints. The MVC app communicates with the WCF service using a ChannelFactory over a discovered internal http endpoint.
I would like to keep this configuration, but I need a component within the WCF service implementation to be able to call a method on the RESTful API, using HttpClient.
My question is: with only an internal endpoint, does my back end web role have the connectivity to allow HttpClient to work like this?
At first glance I would not expect it to, but I note that it does have the capability to use the Azure Storage Client library to obtain resources from Azure Blob and Table storage, and I believe these calls are executed using http to an external URL (unless Azure does something clever to enable these calls under the hood).
Internal endpoints are for inbound traffic. Your WCF service, in turn, can absolutely make outbound calls. As you've already noticed, you're using the storage client library, and storage is a separate endpoint (RESTful, in fact), not a part of your deployed cloud service.
