Azure App Service behind Azure Application Gateway - azure

I'm trying to serve multiple Azure App Services behind an Application Gateway. These services should only be reachable through the application gateway endpoint. To achieve this, I've done the following:
Added a VNet
Added a subnet, and added all app services to it
Added an application gateway with appropriate rules for pointing to the app service
Added access restrictions to the app service to only allow the subnet of the application gateway, and the public IP of the application gateway
The health probe of the application gateway indicates the service is healthy (and thus reachable), but when I try to make a request to the service through the gateway using Postman, I get a 403 IP forbidden error. However, when I add my local IP as an allowed IP address to the app service, the request comes through just fine.
From what I've read online, adding the public IP of the gateway should be sufficient for allowing access through the gateway, but it seems that requests from my local machine are blocked. Am I getting something fundamentally wrong here?
Edit: I also tried assigning a front-end private IP address to the gateway and adding access for that in the app service, but that also did not work.
Edit 2: My configuration
Screenshots of the access restrictions for the app service, the backend pool, the HTTP settings, the listener and the rule (images not reproduced here).

From your description "Added a subnet, and added all app services to it", I assume that you mean integrating the app with an Azure VNet or enabling the service endpoint with Microsoft.Web for the subnet. If so, you could remove them. Both are useless in this scenario.
To restrict the access through the gateway, you only need to add the frontend IP address to the Azure App Service access restrictions. For more details, you could refer to this blog https://www.cloudmanav.com/azure/restricting-appservice-accessible-via-appgateway/#
If you have an NSG associated with the subnets, you could follow the prerequisites here:
https://learn.microsoft.com/en-us/azure/application-gateway/configuration-overview#network-security-groups-on-the-application-gateway-subnet
Edit
You may have redirection configured on your app service or have Azure Active Directory authentication, which causes the redirection. So when redirection happens, the client makes the request directly to the App Service URL path contoso.azurewebsites.net/xxx instead of going through the application gateway URL path contoso.com/xxx.
To fix it, you could use a custom domain name to pass the same host name that the application gateway receives to the app service as well, instead of doing a host override. Get more details about this solution here.
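An added example, not from the question or the answer above, that models both points in this answer: it evaluates access-restriction rules the way App Service does (lowest priority number first, first match wins, implicit deny once any rule exists), and shows why a backend redirect built from an overridden Host header takes the client out from behind the gateway. The rule set, host names and IP addresses are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample rules shaped like App Service access restrictions as the
# poster describes them: the gateway subnet and the gateway's frontend IP are
# allowed. All addresses here are made up for the example.
ACCESS_RULES = [
    {"name": "appgw-subnet", "action": "Allow", "priority": 100, "ipAddress": "10.0.1.0/24"},
    {"name": "appgw-frontend", "action": "Allow", "priority": 200, "ipAddress": "20.50.60.70/32"},
]


def is_allowed(rules, source_ip):
    """Evaluate rules the way App Service access restrictions do: lowest
    priority number first, first match wins, and an implicit Deny applies
    as soon as at least one rule exists."""
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if src in ipaddress.ip_network(rule["ipAddress"], strict=False):
            return rule["action"] == "Allow"
    return not rules  # no rules at all: the app is open to everyone


def redirect_bypasses_gateway(gateway_host, backend_host, location):
    """True when a redirect's Location points at the backend's own host name,
    so the browser's next request arrives from the client's IP, not the gateway."""
    target = urlsplit(location).hostname
    if target is None:  # relative redirect stays on whatever host the client used
        return False
    target = target.lower()
    return target == backend_host.lower() and target != gateway_host.lower()


def backend_redirect(host_header, path="/login"):
    """Model an app that builds an absolute redirect from the Host header it
    receives, as AAD sign-in or HTTPS-enforcement redirects typically do."""
    return f"https://{host_header}{path}"


def client_stays_behind_gateway(gateway_host, backend_host, host_override):
    """With 'override with backend host name' the backend sees its own name and
    leaks it in the redirect; passing the gateway's host name through keeps the
    client on the gateway, and therefore inside the allowed source IPs."""
    seen_host = backend_host if host_override else gateway_host
    location = backend_redirect(seen_host)
    return not redirect_bypasses_gateway(gateway_host, backend_host, location)
```

The 403 in the question matches the last case: after a host-override redirect the client's own IP is the source, and it matches no rule.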

Related

Azure Application Gateway API Management probe cannot connect to back end

I hope somebody can help to understand what I am doing wrong here because I am totally confused and lost.
I am trying to build an API Management in internal mode, and have in front of it an application gateway.
Following the Microsoft documentation, I built the following resources:
API Management
Application Gateway
Virtual network
In the virtual network I set 2 subnets (application gateway and API Management)
2 network security groups, one for each resource
As per the documentation and general advice I found online, I created a Key Vault and generated a certificate. In the Subject I set this CN:
api.test.com
I assigned a Managed identity to this KeyVault.
After this step I created an API Management service, and the only API inside is
/configurations
Once this was done, in the Network tab I set the API Management to internal mode and selected my virtual network and the subnet I designed for this service. So far everything went smoothly. When the update completed I set the custom domain in the API Management.
In the Tab Custom Domain I added a new domain, in the hostname I set the same CN I set in the KeyVault
api.test.com
and selected the KeyVault from which it has to fetch the right cert.
Everything is done here.
I created the Application gateway in the designed virtual network and subnet.
The first thing I did was set the backend pool to the gateway URL of the API Management
api.test.com
I set HTTP settings over protocol HTTPS port 443 as follows (screenshot not reproduced here)
Still in the application Gateway I set the Listeners on port 443 and selected my certificate from the KeyVault
In the Rules I configured the listeners and the back end targets to target the backend pool.
At this point, when I test the Probe:
I get the following error
Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to the server. Check if application is running on correct port.
I checked both my security groups, which are set as follows (screenshots not reproduced here):
this is the NSG for the APIM
and this for the application gateway
Can anyone please help me understand what I am doing wrong here? Because I have no clue anymore what could be the issue.
And please, if you need any more info, don't hesitate to let me know. And if it's easy, I can post my Terraform script to deploy this infra here.
You said: "The first thing I did was set the backend pool to the gateway URL of the API Management, api.test.com"
That URL is inaccessible and points to a public IP (which I guess should be the app gateway IP).
The backend pool should be the private SLB IP address of the API Management service. The listener should be listening to the host name, so when it receives a request with that host name, it forwards it to the API Management service through its private IP and a host header holding the same listener host name as a value.

how to add forward proxy to azure app service

I have an Azure App Service which runs a .NET Core web API. This API accesses several external APIs to get data, and those external services have to whitelist the outbound IP addresses of my app service.
An Azure App Service has several outbound IP addresses, and they can change when upgrading/downgrading the app service or when making internal changes like changing the app service plan or resource group.
Is there any solution in Azure to set up this app service behind a forward proxy, so I can share the IP of the forward proxy with external parties?
I think the best way would be to add all App Services under a virtual network and create a Virtual Network Gateway for all outbound connections.
This would potentially need the Azure services below to be created:
- Virtual network
- Subnet
- Virtual Network gateway
- Routing tables (to route traffic via Gateway)
A better way would be sharing a domain name rather than IP address. Here's how to configure it directly in the Azure Portal:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
You can also add an API Management in front of your web app, use it as an API gateway and also apply policies on it.
https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain

Azure application Gateway WAF

I am trying to configure Azure Application Gateway WAF with a backend pool set to a VM in a different Azure tenant using its public IP address on port 443. All the SSL certificates are configured properly. However, I keep getting the following error while browsing the site via the WAF.
502 - Web server received an invalid response while acting as a gateway or proxy server.
I have confirmed that the NSG on the mentioned back-end VM is allowing all traffic on port 443. What could be going wrong here?
Generally, you can check the status of Backend health in the monitoring section of Application Gateway and compare the DETAILS with these possible reasons on your side.
NSG, UDR or Custom DNS is blocking access to backend pool members.
Back-end VMs or instances of virtual machine scale set are not responding to the default health probe.
Invalid or improper configuration of custom health probes.
Azure Application Gateway's back-end pool is not configured or empty.
None of the VMs or instances in virtual machine scale set are healthy.
Request time-out or connectivity issues with user requests.
For each reason, you can get a solution from that link. I think you could make sure you can directly access the backend with the public IP from one tenant to the other tenant. Then, if you have an NSG in the app gateway subnet, you must include exceptions for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU, and ports 65200-65535 for the v2 SKU. You could get more details here. You could also whitelist the app gateway public IP address in the NSG of the backend VM.

URL rewrite configuration on Azure

I have a WAF, an Application Gateway and a VM in place in the Azure cloud. I have deployed an application in the VM, which is running on Tomcat on port 8280.
I have the domain name www.abc.com. In the DNS entry, www.abc.com is pointing to my Azure App Gateway on port 80.
I am able to access my application using IP and port, for example:
http://X.X.X.X:8280/MyApps/page1 and http://X.X.X.X:8280/MyApps/page2.
I am trying to configure the App Gateway so that I can open the application using the domain name. My requirement is that when I hit www.abc.com, it should redirect to the URL www.abc.com/page1. I tried to set up the listener with the basic type and also path based, but with no success. When I try to hit www.abc.com, it throws this error:
502 - Web server received an invalid response while acting as a gateway or proxy server.
The 502 error always shows that there is a firewall restriction from your application gateway instance to your backend VM. You can verify whether anything is blocking the traffic in the NSG associated with your application gateway subnet or VM subnet. Also, this might be caused by improperly configuring the custom health probe. You can also get more reasons from this doc.
Moreover, you can confirm you have set the URL-based path correctly. Pay attention to the path and port.

External Facing ASE behind WAF

I have created an external-facing ASE with a single Web App, and am trying to place a WAF-enabled Application Gateway in front of it.
I have configured the Application Gateway subnet and frontend to be public facing.
To interconnect the WAF with the ASE (App), I have set the target to the App hostname (FQDN) in the backend pool. After mapping the target, I verified the backend pool health, which states Healthy.
Now when I try to access the frontend IP and FQDN of the Application Gateway, I'm getting the error below:
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
Action taken: tried without an NSG and also allowing the NSG in the ASE subnet.
Need your help, I'm in the middle of the environment setup.
I suspect the hostname resolution is missing and am not sure how to overcome this block.
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
Every Azure Web App has a collection of host names. A request will be transferred to the dedicated server instance depending on the host name in the HTTP request message. If the host name doesn't match one of the host names configured in the Azure portal, the Azure Web App can't be reached.
You could view the default host name in Azure portal.
Since you accessed your Web App by Frontend IP or FQDN of Application gateway, their host names will not match the host name of your Web App.
There are 2 ways to fix it.
To simply test your Application Gateway, you could use something like the ModHeader Chrome extension to open the public IP address/hostname of the Application Gateway in the browser, and pass in the host name you configured on the Web App as a Host header, and the website should come up.
Register a custom domain (for example, abcd.com) with a domain provider (for example, GoDaddy). In the DNS settings of your domain, add an A record to the IP address of your Application Gateway.
After that, you also need to add the host name by clicking the add host name button in the Azure portal.