Azure web app uses IP outside of the outbound IP range - azure

I have a .NET Core web application deployed as an Azure web app. This web app makes an API call to another web application deployed on-premise. The on-premise web application logs the IP address of the client application.
When the Azure web app makes an API call to an on-premises web application, the client IP address logged is different than the range of outbound IPs defined for the Azure app. I always thought that the Azure web app uses one of the outbound IPs while communicating with other applications. This does not seem to be the case.
I have added my Azure Web app to vnet. Does this have anything to do with the above observation?
Is there a proxy used by the Azure when Azure Web app makes external calls?
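A defender-side check for the observation in this question, as an added example that is not from the original post: it classifies the client IPs an on-premises API logged against the web app's `outboundIpAddresses` and `possibleOutboundIpAddresses` lists (the comma-separated strings that `az webapp show` returns) and against an assumed VNet integration subnet, and flags anything else for follow-up. All addresses and log lines are constructed placeholders.

```python
import ipaddress

# Constructed sample values shaped like the outboundIpAddresses and
# possibleOutboundIpAddresses properties returned by
#   az webapp show -g <rg> -n <app> --query "[outboundIpAddresses, possibleOutboundIpAddresses]"
# These are documentation-range placeholders, not real App Service addresses.
OUTBOUND = "203.0.113.10,203.0.113.11,203.0.113.12"
POSSIBLE_OUTBOUND = OUTBOUND + ",203.0.113.20,203.0.113.21"

# Assumed: the subnet the app is integrated with; traffic routed through the
# VNet (and on over a VPN) will appear to the on-prem API with a source from here.
VNET_INTEGRATION_SUBNET = "10.1.2.0/24"

# Constructed on-premises access-log lines: "<client_ip> <method> <path> <status>"
LOG_LINES = """\
203.0.113.11 GET /api/orders 200
10.1.2.37 GET /api/orders 200
198.51.100.9 POST /api/orders 403
"""


def parse_ip_list(csv):
    """Turn the comma-separated CLI property into a set of address objects."""
    return {ipaddress.ip_address(p.strip()) for p in csv.split(",") if p.strip()}


def classify_client(ip_str, outbound, possible, vnet_subnet):
    """Say which expected source (if any) a logged client IP belongs to."""
    ip = ipaddress.ip_address(ip_str)
    if ip in outbound:
        return "outbound"            # one of the app's current outbound IPs
    if ip in possible:
        return "possible-outbound"   # an IP the app may use after a scale/plan change
    if ip in vnet_subnet:
        return "vnet-integration"    # left the app through the integrated VNet
    return "unexpected"              # not an address this app should be calling from


def classify_log(lines=LOG_LINES, outbound_csv=OUTBOUND,
                 possible_csv=POSSIBLE_OUTBOUND, subnet=VNET_INTEGRATION_SUBNET):
    """Return [(client_ip, classification)] for every non-empty log line."""
    outbound = parse_ip_list(outbound_csv)
    possible = parse_ip_list(possible_csv)
    vnet = ipaddress.ip_network(subnet)
    results = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        client_ip = line.split()[0]
        results.append((client_ip, classify_client(client_ip, outbound, possible, vnet)))
    return results


if __name__ == "__main__":
    for ip, kind in classify_log():
        print(f"{ip:15} {kind}")
```

Replace the constants with the real CLI output and your integration subnet; only "unexpected" rows need investigation.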

Related

Do I need point-to-site VPN with Azure WAF and web app

I have been messing around with Azure trying to get a web app up and running. My plan was to create a WAF and site the web app behind that, each in a separate subnet, and then to use the service endpoint tech to point the web app to a database.
I have been stopped in my tracks almost straight away with the revelation that if I want to use a WAF in front of the web app I have to configure the networking in the web app, but when I choose a VNet it says that no gateway is configured for the selected VNet.
My question is: do I have to use point-to-site VPN to get this setup working? I thought that it would work like
INTERNET ---> VNET ----> subnet ----> WAF -----> subnet -----> web app ----> service endpoint ------> DB
but that doesn't seem to be the case. I am not keen on the idea of having to install a client certificate on every machine in our network that might want to access this website (it is currently internal). I suppose I am looking for the best of both worlds: accessible from the internet but having the added comfort of having something like a WAF sat in front of it to make up for any security inadequacies which might exist somewhere in said app.
Thanks
As far as I know, you could not deploy a web app in a VNet unless you are using the App Service Environment (Isolated). App VNet integration could not do it. It allows you to securely access resources in a VNet. For example, you have a database on an Azure VM in a private VNet. You could not access this database from the Azure web app if the database is not available publicly, but you could reach it via app VNet integration.
VNet service endpoints are another, different service. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. If you enable such a service endpoint for, say, an Azure SQL database (which differs from a database on an Azure VM) in a VNet, this means only the resources in these authorized VNets could access your SQL database unless you add an exclusion like a public IP address in the firewall of the database.
In this case, you could put a public-facing Azure app gateway in front of the web app service, then add the Azure app gateway public IP in the IP restriction of the web app. This will restrict access to the web app to traffic via the Azure app gateway over the Internet. Also, you could control the network inbound and outbound in the Azure app gateway subnet NSG. See Network security groups on the Application Gateway subnet if you want to add an NSG at the app gateway subnet level. I think these are enough if you just want to create a WAF and site the web app behind that.
Furthermore, if you want to let the web app privately access the Azure SQL database, you could deploy a web app in an ASE, then enable the VNet service endpoint for Azure SQL database. App VNet integration does not need to be used with the service endpoint.
If you want to use Azure WAF with Azure App Service (multi-tenant) you can, you just need to ensure you are supplying the host header with your request.
If you want your Azure Web App on a VNet, you will need to run your Azure Web App on an App Service Environment (Isolated). This version of Azure Web App is more expensive but allows you to apply NSGs to the VNet to fully control access to your web app. Personally I think WAF w/ Azure App Service (multi-tenant) should meet your needs.
We have it all documented here:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview
https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal

How to set up IP restriction for Azure Web App via Azure App Service

I am trying to set up IP restrictions in Azure for both an App Service and a Web App. From the documentation here https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions I got the impression that setting the IP restriction at the App Service level should be sufficient and cover all possible Web Apps that the App Service might contain.
However, I find myself having to set up IP restrictions on both levels, e.g. App Service and Web App.
Does anyone know if it's possible to set up IP restrictions at the App Service level and have them "apply" for all Web Apps?

Is traffic from Azure Application Gateway to Azure Web App (App Service) backend pools over the Azure backbone network?

I have configured an Application Gateway in front of multiple Azure Web App backend pools as per this article.
In addition to providing a WAF, I use the Application Gateway to offload the SSL connection to the backend pools. I have configured the backend pools to use the FQDN of the App Service instances as they're not currently deployed into a VNet.
Based on the following scenario:
Request to custom.com:443 ---> Application Gateway ---> custom.azurewebsites.net:80
My concern is that the connection from the Application Gateway to the Web App is unencrypted over port 80 and I haven't found anywhere that describes this connectivity as happening over the Azure backbone network. Is there any risk that this traffic could be sniffed and compromised?
Spoke to Microsoft support who said the traffic from my Application Gateway to my Web App will stay on the Microsoft backbone.
He also pointed me to the following knowledge article, which states:
If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in.

Access Azure App Service RESTful endpoints from On Premise resources using VPN

I have an on-premise desktop application and I need it to hit Web APIs I have living in an App Service Web App (on an App Service Plan) in Azure.
My on-premise resources are connected over a site-to-site VPN and I was wondering if there is a way I can call these Web API services (in an app service) directly over the VPN instead of going to the public endpoint.
The "normal" App Service Plan exists in a multi-tenant environment so this is not possible. You would need to use an ASE (App Service Environment) to use advanced networking features like VPN and NSG.

How to find the IP address of the user who accessed my web application deployed using Azure App Service?

Recently, I deployed a web application using Azure App Service. It's in the free tier service plan. I would like to access the logs of this web application and the IP address of the users who accessed my web application. How to find this information?
You'll need to enable Application Insights and use Web server telemetry:
https://learn.microsoft.com/en-us/azure/application-insights/app-insights-data-retention-privacy
https://learn.microsoft.com/en-us/azure/application-insights/app-insights-asp-net