I am trying to add IP restrictions to my app service associated to my QnA Maker to make it available only through an application gateway.
Now, the service works through the gateway but the qna maker portal doesn't work anymore. I get the following error message when loading my knowledge base:
QnA Maker runtime error
Runtime unavailable. Please check that the App Service resource in
your QnA Maker service is up and running.
According to Can qnamaker.ai load a url not open for the public?, the following IP ranges must be added to the app service whitelist:
West US: 13.91.0.0/16
East US: 52.191.0.0/18
Unfortunately, adding these IPs doesn't solve the issue and the QnA resource is still unavailable.
After multiple refresh of the page, the KB is sometime displayed. I think there are some others IP ranges that need to be added to work all the time.
Does anybody knows what is the complete list of IPs to add to fix the QnA maker portal ?
If this host name is Valid and reachable via following IPs everything should work.
52.191.14.164
13.91.243.134
or
Hosting QnA Maker App on Isolated App Service Environment is bit hard, but feasible.
You need to integrate ILB with WAF so that the site is accessible externally:
https://learn.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway
You also need to manage certs:
https://learn.microsoft.com/en-us/azure/app-service/environment/create-ilb-ase#create-an-app-in-an-ilb-ase
Create the App Service with QNA Maker extension enabled(Part of existing template) in ASE
Manual: Add certs +WAF for the App Service in 1 (1hr work atleast)
Make sure the App Service is reachable in the browser(https://) and there are no cert issues
Create cognitive services instances (part of existing template) and pass it the app service host name from 1.
Deploy QnA Maker to their existing App Service Environment you can select “ Deploy to Azure,” modify the template as desired, and deploy to the subscription. For example, this Web App template:
https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-github-deploy
I finally created a support ticket in Azure. Here is the complete list given by Microsoft support:
13.68.0.0/16
13.86.0.0/16
13.91.0.0/16
20.185.0.0/16
40.83.0.0/16
40.88.0.0/16
40.121.0.0/16
52.191.0.0/16
Now the QnA Maker portal works fine with this IP whitelist in the app service.
Related
enter image description hereenter image description hereI just have moved my custom domain curtirsuacidade.com.br to Azure and now I want to connect it to my app Curtir, that is running on Azure (curtir.azurewebsites.net). My Azure plan is S1 level. I am using the Custom Domain tool from Azure, but the button Add Custom Domain is hidden. What am I forgetting? I do not have any SSL certificates associate with my app yet.
You do NOT need SSL certificates to associate with a custom domain. And S1 (anything B1 or above) service plan is more than enough. Where are you looking for the custom domain tab? it should be there in your web app resource that runs on your app service plan
How does yours look?
For the Azure docs on binding a domain to your web app see here : https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings
I'm trying to access my app, hosted on azure.
I've a finished c# solution. When I commit changes to Azure DevOps it triggers a (working & successful) build-pipeline.
It runs tests, publishes an artifact & testresults.
In my ServicePlan status is Ready and I see Data Exchanges on DataIn & DataOut graphs.
The Deployment Center:
Bu when I click the https://mywebsite.azurewebsites.net, No webpage was found for the web address.
I have Some basic Azure DevOps expierence, but this Azure Portal is something else :)
My basic questions would be:
Why is it not working?
Do I need a second pipeline, only for release? Or can I recycle the build pipeline?
Do I need some kind of deployment slots? Before I select a not-free slot, I want to know if this is necessary
What else could I be missing?
(My Azure resources include a sql-server, a sql-db, the actual appservice & a app service plan)
Thanks!
If you deploy web app to Azure and login https://<app-name>.azurewebsites.net, then the page still shows Microsoft page instead you owner page. You need check the default document, please ensure that the default page is listed in here.
Steps: login azure portal->App Service->configuration->Default documents
In Azure Web Apps, the default document is the web page that is displayed at the root URL for a website. The first matching file in the list is used. Refer File structure on azure to know more about the files and directories on Azure Web App.
Update1
When I go to the azurewebsites.net url I get a 404: No webpage was found for the web address.
Check this doc:
If you receive an HTTP 404 (Not Found) error when you browse to the URL of your custom domain, verify that your domain resolves to your app's IP address by using WhatsmyDNS.net. If not, it might be because of one of the following reasons:
The custom domain configured is missing an A record or a CNAME
record.
The browser client has cached the old IP address of your domain.
Clear the cache, and test DNS resolution again. On a Windows machine,
you clear the cache with ipconfig /flushdns.
Update2
the URL in my appservice is Azure-generated right?
Yes, then app service url is generated by Azure.
With making a new app service and going to the URL I do get a message app service is up and running.Time to take the next step and deploy your code.
And now, we should get this page, we need create new service connection and re-configure build and release pipeline and deploy your app.
Note: We need use the same user account and AAD domain to do this.
In Azure, I turned on IP restrictions for:
Web App (Networking > Access Restrictions)
SQL server (Firewalls and virtual networks > Add client IP)
SQL database (Set server settings)
The solution still builds locally and in DevOps (aka Team Foundation Server).
However, Azure App Service Deploy now fails:
##[error]Failed to deploy App Service.
##[error]Error Code: ERROR_COULD_NOT_CONNECT_TO_REMOTESVC
More Information: Could not connect to the remote computer
("MYSITENAME.scm.azurewebsites.net") using the specified process ("Web Management Service") because the server did not respond. Make sure that the process ("Web Management Service") is started on the remote computer.
Error: The remote server returned an error: (403) Forbidden.
Error count: 1.
How can I deploy through the firewall?
Do I need a Virtual Network to hide Azure resources behind my whitelisted IP?
The REST site scm.azurewebsites.net must have Allow All, i.e. no restriction. Also, Same restrictions as ***.azurewebsites.net should be unchecked.
It does not need additional restriction because url access already requires Microsoft credentials. If restrictions are added, deploy will fail the firewall, hence the many complications I encountered.
I think the answer is incorrect as you might face data ex-filtration and that's the reason Microsoft provide the feature to lock down SCM portal (Kudu console)
There is also a security issue on Kudu portal as it can display the secret of your keyvault (if you use keyvault) and you don't want someone in your organisation to access the Kudu portal for example.
You have to follow this link
https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops
It will provide you Azure DevOPS IP range that you need to allow on the SCM Access restriction.
Update: To make it works as expected and to use App Service Access Restriction (same for an Azure Function), you need to use the Service Tags "AzureCloud" and not the Azure DevOPS IP range as it's not enough. on the Azure Pipeline logs, you can see the IP blocked so you can see that it's within the ServiceTags "AzureCloud" in the Service Tags JSON file
It's not really clear on the MS Doc but the reason is that they struggled to define a proper IP range for Azure DevOPS Pipeline so they use IPs from AzureCloud Service Tag.
https://www.microsoft.com/en-us/download/details.aspx?id=56519
In my case I was deploying using Azure DevOps and got the error. It turned out the app service where my API was being deployed to, had the box checked "Same restrictions as xxxx.azurewebsites.net", under access restrictions or IP restrictions. you need to allow scm.azurewebsites.net.
Try adding the application setting WEBSITE_WEBDEPLOY_USE_SCM with a value of false to your Azure App Service. This was able to solve my issues deploying to a private endpoint.
In my case it was because the daily quota was overpassed.
So the solution in this case is either wait or pay more (scale up) the app service
In my case this was because the wrong agent (Windows Hosting) was being used when I should have been using a self hosted internal agent... so I needed to change it at the following location
I am planning on using an outsourcing team for data processing and want to avoid them downloading or storing client data on their local machines. To facilitate this, I want to create an Azure VM in which they can do all their work (msoft office, etc.) and access an ASP MVC app hosted as an app service in Azure. The MVC app is integrated with the corporate AD and for the outsourcing logins I want to see if the request is coming from my VM or the internet (the latter gets denied). So far I have:
Created a ASP MVC5 app and an Azure VM
Connected the two via VPN (point to site)
When I attempt to go to the public URL for the website on the VM, I get the "this page can't be displayed" thing, which leads me to believe I'm on the right track (now I have to update the hostfile of the machine to the private IP of the mvc app service app?). How do I do the following:
Connect to the app service via web browser (this needs to be over the vnet so that I can pick and choose in the app code who can login outside the network)
Get the network ip of the app service so I can update the VM hostfile
Am I on the right track here? Thanks in advance!
Your understanding of Azure App service is not accurate. Azure App service cannot be accessed via a private IP. They already sit inside a private vnet. They can be only accessed via public hostname with a common DNS name (azurewebsites.net)
Your scenario requires the Azure Web app and the VM to reside in the same VNET, which is not possible. There is another offering called ILB ASE, which allows you to do this. But it's a more elaborate setup. See this for more information: Using ILB with AN ASE
In your scenario you can restrict access to the web app via IP Restrictions module. See this article: IP & Domain Restrictions in Azure App Service
I understand this not the solution u wanted. What you want can be achieved via ILB ASE, but that is an expensive and elaborate set-up.
HTH
you may want to try using cloud service, though MS recommends App Service, you requirement doesn't fit into App service..
Official documentation from MS: https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-startup-tasks-common
Block a specific IP address
You can restrict an Azure web role access to a set of specified IP addresses by modifying your IIS web.config file. You also need to use a command file which unlocks the ipSecurity section of the ApplicationHost.config file.
I've deployed an Azure cloud service (not a web site) and I'm trying to access it via a browser. When I attempt to browse to the 'site url', it times out. Nor can I ping the Public VIP listed in the Azure dashboard for the service. Hrm.
Now, if I log on to one of the instance VMs, fire up IIS Manager and find the IP address it has listed for the web site, I can browse to that one. Weird.
I'm sure I'm just thick and am missing something simple here. Can anyone point me in a good direction to make my service's site url browsable?
The service definition I'm using is https://github.com/NuGet/NuGetGallery/blob/master/src/NuGetGallery.Cloud/ServiceDefinition.csdef, if that helps.
You can check the "endpoints" tab under the cloud service section of the Azure portal.
There should be an endpoint listed for HTTP that redirects to your VM. You can forward different public ports on the cloud service to individual ports on specific VMs within the cloud service.