Whitelisting Application Gateway (WAFv2) Frontend IP results in 403 on App Service using access restrictions - azure

My health probe fails with a 403 as soon as I apply whitelisting to the App Service configured in the backend pool (I whitelist the IP that's assigned to the application gateway; the IP is Standard tier and static).
Has anyone else seen this issue before? I was under the impression that I could whitelist the public IP assigned to the application gateway on the App Service so that access is only possible from the Application Gateway endpoint.
The health probe is successful when I remove the whitelisting, so I'm sure it has something to do with that.

According to the documentation:
If the backend pool:
Is a public endpoint, the application gateway uses its frontend public IP to reach the server. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.
Contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses.
Contains an external endpoint or an externally resolvable FQDN, the application gateway routes the request to the backend server by using its frontend public IP address. The DNS resolution is based on a private DNS zone or custom DNS server, if configured, or it uses the default Azure-provided DNS. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.
Thus, you may use an internally resolvable FQDN or a private IP address of the backend app service in the backend pool.
In this case, you could switch to the default Azure App Service hostname, like webappname.azurewebsites.net, or whitelist the internal application gateway subnet (where the application gateway instance private IP addresses live) in the access restrictions of the App Service.
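To see why the probe gets a 403, it helps to run the request source through the App Service access-restriction logic. The following is an added example, not code from this thread or from Azure: it models the documented evaluation (rules applied in ascending priority order, first match wins, an unmatched rule at the end) over rule dictionaries shaped like the ipSecurityRestrictions entries that `az webapp config access-restriction show` returns. The frontend IP, subnet resource ID and rule names are constructed for illustration.

```python
"""Evaluate App Service access restrictions for a given connection source.

Added example, not code from the thread. Rule dictionaries use the field
names of App Service ipSecurityRestrictions (name, action, priority,
ipAddress, vnetSubnetResourceId); all values are constructed.
"""
import ipaddress

# Assumed values, not taken from the thread.
APPGW_FRONTEND_IP = "20.50.60.70"
APPGW_SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                   "/resourceGroups/rg-gw/providers/Microsoft.Network"
                   "/virtualNetworks/vnet-gw/subnets/snet-appgw")

# Constructed rule set: the /32 for the gateway's frontend public IP (what
# the asker configured) plus a VNet rule for the gateway subnet (what the
# answer suggests).
ACCESS_RESTRICTIONS = [
    {"name": "allow-appgw-frontend", "action": "Allow", "priority": 100,
     "ipAddress": f"{APPGW_FRONTEND_IP}/32"},
    {"name": "allow-appgw-subnet", "action": "Allow", "priority": 200,
     "vnetSubnetResourceId": APPGW_SUBNET_ID},
]

# Same rules with a broad Deny at a lower (higher-precedence) priority:
# the frontend IP is denied even though an Allow for it exists later.
MISORDERED_RESTRICTIONS = [
    {"name": "block-range", "action": "Deny", "priority": 50,
     "ipAddress": "20.50.0.0/16"},
] + ACCESS_RESTRICTIONS


def evaluate(rules, source_ip, source_subnet_id=None, unmatched_action=None):
    """Return (action, rule_name) for a connection from source_ip.

    source_subnet_id is the subnet a connection arrives from when it comes
    in through a Microsoft.Web service endpoint. A connection from the
    public internet, including an AppGW reaching a public backend through
    its frontend IP, carries no subnet identity, so VNet rules never match.

    unmatched_action: App Service lets you set the unmatched rule action
    explicitly; when None, the default is used: Deny as soon as at least
    one Allow rule exists, otherwise Allow.
    """
    if unmatched_action is None:
        unmatched_action = "Deny" if any(r["action"] == "Allow" for r in rules) else "Allow"
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        cidr = rule.get("ipAddress")
        if cidr and ip in ipaddress.ip_network(cidr, strict=False):
            return rule["action"], rule["name"]
        subnet = rule.get("vnetSubnetResourceId")
        if subnet and source_subnet_id and subnet.lower() == source_subnet_id.lower():
            return rule["action"], rule["name"]
    return unmatched_action, "unmatched-rule"


def probe_status(rules, source_ip, source_subnet_id=None):
    """Status the App Service front end answers: 403 on Deny, else 200
    (assuming the app itself would answer the probe with 200)."""
    action, _ = evaluate(rules, source_ip, source_subnet_id)
    return 403 if action == "Deny" else 200


if __name__ == "__main__":
    # Public backend (webappname.azurewebsites.net): the gateway egresses
    # from its frontend public IP, so that is the address the rule must allow.
    print(evaluate(ACCESS_RESTRICTIONS, APPGW_FRONTEND_IP))
    # Gateway stopped and started later with a new frontend IP: unmatched, 403.
    print(probe_status(ACCESS_RESTRICTIONS, "20.50.60.71"))
    # A lower priority number wins even when it is a Deny.
    print(evaluate(MISORDERED_RESTRICTIONS, APPGW_FRONTEND_IP))
    # Traffic arriving via service endpoint from the gateway subnet.
    print(evaluate(ACCESS_RESTRICTIONS, "10.10.1.5", APPGW_SUBNET_ID))
```

The two failure modes worth checking against a real gateway are the ones the model makes visible: a frontend IP that no longer matches the /32 after a stop/start, and a VNet subnet rule that can never match traffic the App Service receives over its public hostname.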

Related

API MANAGEMENT block custom domain

We have an API management instance and we have set up 2 custom domains, one public and one private:
Some APIs have to be reachable only internally via api-internal.domain.com. It works, but I see that if I configure both custom domains (api-internal.domain.com is configured only in the private DNS zone), the APIs are also reachable from api.domain.com.
Is this behavior correct? I want to set up APIM in some way so that api-internal.domain.com is reachable only internally. I'm reading the Microsoft docs and I can do it with a policy, but the APIs are always reachable from the public domain; they would be blocked, but I want to avoid that.
Thanks
That is by design: as long as the service is not deployed to a VNet (internal mode), the default and custom domains will always have public Azure DNS records pointing to the public IP address.
The solution here is to deploy your service to a VNet (internal mode) and expose the public APIs to the internet using an application gateway configured with path-based routing, with your public domain pointing to the application gateway's public IP address. For your internal APIs, you can point your private domain to the internal IP address (private load balancer) of the APIM service.
See the below resources
https://learn.microsoft.com/en-us/azure/application-gateway/create-url-route-portal
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

Azure Container Group behind application gateway with public IP

I have an application gateway with frontend public IP address, connected to a VNET via its subnet and using a single backend pool that points to a container group in the same VNET but different subnet.
The backend pool points to the IP address of the container group. That works!
But I don't want to rely on an IP address that could change anytime with the container restart. I already use a private DNS zone linked to the VNET. The container group is accessible as "mycontainer.my-azure.com" from the VNET thanks to the A record in my private DNS zone.
But putting "mycontainer.my-azure.com" as the FQDN of the backend pool does not work. It works with the IP address "172.22.44.5", but "mycontainer.my-azure.com" does not resolve, and backend health shows "Unknown". I tried restarting the App GW from the Azure CLI to no avail.
Does anyone know how to make APP GW use the VNET's private DNS zone in its backend pool?
If the application gateway backend pool contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses. Make sure the FQDN in the backend pool can be resolved internally.
You can verify against the following configuration; it works on my side. I am using the Standard v2 SKU application gateway. The application gateway and container group were deployed into the same VNet but different subnets with no firewall rules. I use this example for deploying ACI.
(Screenshots: Backend pool, HTTP setting, Listener, Health probe, Private DNS zone)
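The backend health result depends on which source address the gateway uses, and that in turn follows the rule quoted from the Azure documentation in the first answer on this page. The following is an added example, not code from this thread or from Azure: it encodes that rule so you can tell, for a given backend pool target, whether the gateway reaches the backend from its instance private IPs or from its frontend public IP, and therefore which allow rule the backend needs. "Internally resolvable" is approximated as "the name falls under a private DNS zone linked to the gateway's VNet"; that is an assumption of the example (a custom DNS server, or a privatelink zone for a private endpoint, can resolve other names privately and is not modelled). The zone list and addresses are constructed.

```python
"""Which source address does an Application Gateway use toward a backend?

Added example, not code from the thread. Encodes the documented rule:
private IP or internally resolvable FQDN -> instance private IPs;
public IP or externally resolvable FQDN -> frontend public IP.
"""
import ipaddress

# Constructed: private DNS zones linked to the gateway's VNet (assumption).
LINKED_PRIVATE_ZONES = {"my-azure.com"}

PRIVATE = "instance-private-ip"
PUBLIC = "frontend-public-ip"


def is_internally_resolvable(fqdn, linked_zones):
    """True when some parent domain of fqdn is a linked private DNS zone.

    Approximation: names under a linked zone resolve from inside the VNet;
    anything else is treated as resolved by public Azure DNS.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in linked_zones for i in range(1, len(labels)))


def egress_source(backend_target, linked_zones=LINKED_PRIVATE_ZONES):
    """Return PRIVATE or PUBLIC for an IP literal or FQDN in a backend pool."""
    try:
        ip = ipaddress.ip_address(backend_target)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 1918 (and other non-routable) literals are reached directly
        # inside the VNet; routable literals go out via the frontend IP.
        return PRIVATE if ip.is_private else PUBLIC
    return PRIVATE if is_internally_resolvable(backend_target, linked_zones) else PUBLIC


def required_allow(backend_target, frontend_public_ip, appgw_subnet_id,
                   linked_zones=LINKED_PRIVATE_ZONES):
    """The allow rule the backend needs so the gateway (and its health
    probe) can reach it: a /32 for the frontend IP when egress is public,
    the gateway subnet when egress is private."""
    if egress_source(backend_target, linked_zones) == PUBLIC:
        return {"action": "Allow", "ipAddress": f"{frontend_public_ip}/32"}
    return {"action": "Allow", "vnetSubnetResourceId": appgw_subnet_id}


if __name__ == "__main__":
    # Assumed frontend IP and subnet ID, not from the thread.
    for target in ("172.22.44.5", "mycontainer.my-azure.com",
                   "webappname.azurewebsites.net", "40.70.80.90"):
        print(target, egress_source(target),
              required_allow(target, "20.50.60.70", "/subscriptions/x/subnets/snet-appgw"))
```

If the private zone is linked but the name still shows "Unknown" backend health, the check to run from a VM in the gateway's VNet is a plain DNS lookup of the FQDN; the gateway instances use the same VNet DNS settings, so a name that does not resolve there will not resolve for the gateway either.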

Azure - Application Gateway without public IP

I'm trying to deploy my application on Azure. Currently, I have an application gateway deployed in one subnet s1, and in the backend pool I have Linux VMs. As per the requirement, I cannot use any public IP, so I'm using only a private IP on the Application Gateway. Since we need internet connectivity at the time of deploying the application, I tried attaching an NSG to the Application Gateway's subnet with inbound "Internet" allowed. When I attached the NSG to the application gateway subnet, the backend health showed as unhealthy with the error:
"Cannot connect to server. Check whether any NSG/UDR/Firewall is blocking access to server. Check if application is running on correct port."
I tried to add the rules specified in MSFT's document https://learn.microsoft.com/en-us/azure/application-gateway/configuration-overview#allow-application-gateway-access-to-a-few-source-ips but it's not helpful. So my questions are:
Is there anything more I need to add to the NSG on the application gateway's subnet?
Is it a good strategy to allow internet access using an inbound rule on the NSG (Inbound rule -> service tag -> Internet)? Is there any other way I can have internet access just at deployment time? PS: I'm not allowed to use a public IP at all.
Many thanks!
You can deploy Application Gateway with both a public IP and a private IP. All you need to do is create the listener with the private frontend IP and leave the public IP as it is.
Since the public IP is not attached to any listener, no one will be able to access your site from the internet via the public IP of your Application Gateway.
When the AppGW needs to initiate outbound connections to the internet, it uses that public IP.
Note: you cannot have only a private IP as the frontend in a v2 deployment; you can deploy an Application Gateway with only a private frontend IP in the v1 SKU.

App Service IP Restriction for Application Gateway with WAF

I want to setup Application Gateway WAF in front of multi-tenant (non-ASE) App Service Web Apps.
I know this is possible now, according to the official documentation.
For security, inbound traffic to the Web Apps should be restricted to only allow connections from the application gateway's public IP. But I couldn't find a way to do it.
Idea 1. Using VNet integration:
It's not possible to use "App Service VNet Integration" because it's not possible to specify the App Gateway's VNet.
Moreover, in my understanding, VNet integration can't restrict inbound traffic.
Idea 2. Using IP Restriction config of App Service:
The Application Gateway's public IP address can only be configured as dynamic; a static IP address can't be chosen.
So I think it's not possible to specify the Application Gateway's public IP address in the IP restriction config of App Service, because the configured IP is static but the actual IP can change.
Any good idea?
The Application Gateway IP address can change if the gateway is stopped and started by the customer.
So if you do not stop and start the application gateway, the IP address will not change.

Azure Virtual Machines(ARM) | Application Gateway | Private ip | DNS

I have an internal application gateway configured in Azure. There is one virtual machine in the backend pool of the application gateway which hosts the application; it is accessible via the intranet only.
I want the IP address of my internal application gateway to be associated with a domain name for my website. How can I achieve this?
If you want to use a domain name, that means the application gateway needs to have a public IP address. In the gateway settings in the Azure portal, you can add a public IP address to the frontend configuration.
It looks like you already managed to put the backend of the gateway on the virtual network; that's good.
Next, you want to create a listener on the ports you need, for example 80 or 443. This is also done in the gateway configuration in the portal.
Finally, to use a domain name, you need to take the public IP address and put it in an A record for the domain name. This would probably be on a configuration page with your service provider.
