I have an app service in Azure (not in ASE App Service Env). It is integrated with a vnet.
And I have an API on-premises that this app must access by its internal on-prem DNS name.
And there is an Express Route between Azure and on-prem location.
How to access the on-prem API by its DNS name through an Express Route?
How to configure network connectivity?
How to resolve on-premises names in Azure?
There are different ways of achieving that, depending on your set-up.
You might need to use:
App Service
For App Services you must use Regional VNet integration.
If you need all traffic from the App Service to be routed via the Vnet, you must specify in the app service the setting WEBSITE_VNET_ROUTE_ALL = 1
https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#regional-vnet-integration
DNS
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Troubleshoot DNS in App Service
https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#troubleshooting
Configure Peering
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-routing-portal-resource-manager
Route tables for VNets (not always necesary)
https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table
Related
I deploy my web application to an App Service instance on Premium tier. My web application makes outbound requests to external resources on the Internet.
In order to secure the connection with one of these external resources so I can reach it with a private IP address, my plan is to create a Site-to-Site VPN from Azure to Oracle Cloud Infrastructure (where the external resource resides). Then, I plan to use the VNET Integration for outbound traffic and connect my App Service to my VPN.
My question is - will the web application still be able to reach the other external resources on the Internet with their public IPs? I believe the answer is related to routing tables but I can't wrap my mind around it.
Just because you integrate a Regional VNet (I'm assuming) doesn't mean the app service won't be able to make outbound connections. Pretty much like
When you integrate your app service with your VNet that has the site-to-site VPN, traffic from your app service will traverse the Azure network rather than going out to internet, assuming your app service is using an RFC1918 address for your infrastructure. If you want to secure the traffic even further, then your app service would need to be hosted inside an App Service Environment
Here is my scenario: My Database is on MongoDB Atlas. I need to access Atlas from Azure Function(Dynamic/Consumption Plan) and App Service. In doing so, I am facing A timeout issue. I know, this is because I have to whitelist outbound IP addresses of Azure Function and App Service Plan in Atlas. But Azure Function(with Consumption Plan) and App Service update their outbound IP addresses during the autoscaling process. Now there are 2 solutions I can think of:
Whitelist all the IP addresses of an Azure Region/Zone. But this is
not an ideal approach, as a single Zone may have
many(500~1000 or more) IP addresses.
Using the VPC peering. I guess we may connect Azure and Atlas through VNET. However, to do that, I need to connect the Azure function and App Service to Vnet first. The problem is VNET Integration with these services is a very expensive approach.
So my question is what other options do I have? Is there any way to connect them using some managed identity or Authentication/Authorization approach using Azure AD or something like that? Is Federated Authentication fits for such a case?
You can use App Service Environment
App Service Environments use dedicated network infrastructures, so
apps running in an App Service environment get static, dedicated IP
addresses both for inbound and outbound connections.
See: https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips
Another solution would be to place your app behind a Firewall and give the firewall a static IP address.
I have azure app service which runs .net core web api. This api access several external API s to get data and those external services has to whitelist the outbound ip addresses of my app service.
Azure app service has several outbound ip addresses and it can be change when upgrade/downgrade app service or when make internal changes like changing app service plan or resource group.
Is there any solution in azure to setup this app service behind a forward proxy ?, so i can share the IP of the forward proxy to external parties.
I think the best way would be to add all App services under a virtual network and create a Virtual Network Gateway to all outbound connections.
This would potentially need below azure services to be created:
- Virtual network
- Subnet
- Virtual Network gateway
- Routing tables (to route traffic via Gateway)
A better way would be sharing a domain name rather than IP address. Here's how to configure it directly in the Azure Portal:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
You can also add an API Management in front of your web app and use it as API gateway and also apply policies on it.
https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain
I have web and api app deployed within ILB ASE fronted by Application Gateway.Would I be able to make the calls from my web app to api app without exposing api app externally? If so, how can I do that?
I configured application gateway to point to the front end web app. I created internet routable domain and added to custom domain in my web app. In my DNS, I pointed the custom domain to hostname of the application gateway and I am able to logon to my web app. But, I see my web app written in AngualarJS is making XMLHttpRequest to backend API URL and as the backend API URL can not be resolved from my desktop, it is failing.
My requirement is not to expose API app outside of the ILB ASE VNET. Any suggestions?
If you want the web app and API could communicate with each other in an ILB ASE, you need to deploy an internal DNS service. For example, you could deploy a custom DNS server on Azure VM in the same Azure VNet. You can specify DNS server IP addresses in the VNet settings. The VNet is your ASE subnet located.
Please note that restart ASE after DNS IP address is added to VNet if you add the DNS after you deploy ASE. You could refer to this and read more details about custom DNS in ASE. Let me know if this works.
Since App Service is multi-tenant infrastructure, is it true that my app service might share same underlying VM and outgoing IP with other app service which not owned by me?
Yes. Your app service will share the same outgoing IP. App services in the same plan will share a load balancer, and will use one of four IP's for outgoing traffic.
The IP's are shown in the Azure portal in the app service's properties, and can also be retrieved using powershell.
Details about the network traffic for app services: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-network-architecture-overview