Mapping Outbound IPs to 1 IP in Azure App Services - azure

I have 3 components of my architecture running in 3 separate Azure App Services. Each app service has 4 outbound IPs. So whenever I have to deploy my app onto the client's premise, I have to whitelist 12-16 IPs on their on-premise Firewall.
Is there any way I can deploy a NAT which uses only 1 public IP and I can provide just 1 IP to the client?
If I manage to make this architecture work then how would I modify my API calls to these services, since at the moment I'm using their 1 public IP to access their individual service, with just 1 IP how will I distinguish API calls made to different app service.

You can use Regional VNet Integration for your 3 App Services:
https://azure.github.io/AppService/2020/02/27/General-Availability-of-VNet-Integration-with-Windows-Web-Apps.html
Then, on the delegated subnets you can throw a User Defined Route so it goes to Azure Firewall (or any NVA) and the firewall will SNAT outbound traffic so you end up with a single outbound IP.

Related

App Service VNET integration for outbound traffic: can it reach Internet endpoints?

I deploy my web application to an App Service instance on Premium tier. My web application makes outbound requests to external resources on the Internet.
In order to secure the connection with one of these external resources so I can reach it with a private IP address, my plan is to create a Site-to-Site VPN from Azure to Oracle Cloud Infrastructure (where the external resource resides). Then, I plan to use the VNET Integration for outbound traffic and connect my App Service to my VPN.
My question is - will the web application still be able to reach the other external resources on the Internet with their public IPs? I believe the answer is related to routing tables but I can't wrap my mind around it.
Just because you integrate a Regional VNet (I'm assuming) doesn't mean the app service won't be able to make outbound connections. Pretty much like
When you integrate your app service with your VNet that has the site-to-site VPN, traffic from your app service will traverse the Azure network rather than going out to internet, assuming your app service is using an RFC1918 address for your infrastructure. If you want to secure the traffic even further, then your app service would need to be hosted inside an App Service Environment

What determines the outbound ip addresses in my app service in Azure?

I have one app service in Azure in a particular region with 5 outbound ip addresses and a second in the same region but there are 20 outbound ip addresses , which doesnt look right. One app is Premiumv2 the other is Premium V3
What determines the outbound ip addresses and the additional outbound ip addresses and can an outbound ip addresse be added by a user ?
App Service is a multi-tenant service (unless you use App Service Environments) and this service consists of gateway servers which accept the initial requests to App Services and forward them on to worker instances where your code actually lives. Those workers are the App Service Plans which are deployed to specific deployment units each of which are assigned a single inbound IP and multiple outbound IPs, the latter of which are chosen at random at runtime when an outbound request takes place.
This document covers all of the above and more about App Service IP addresses.
Based on which deployment unit your apps end up on you will get different IP addresses, also the SKU can affect the number of IP addresses as you've seen. If you scale up/down or redploy apps you can end up getting new IPs, the above doc has the full set of conditions as to when this might happen.
Depending on what you need to do you could consider using an App Service Environment which has single static IPs for inbound and outbound:
IP addresses don't change, as long as your App Service Environment is running
You can also use App Service VNET connectivity to give your App a private IP in a VNET so that you can connect it to resources privately in the VNET using private endpoints.

Azure web app access restrictions between Apps

I have 2 app service plans in the same Azure region running 1 app each - web frontend on one, API on the other.
I want to use access restrictions on the API to only allow access from the front end app.
I set access restriction rules using all the outgoing IP addresses associated with the frontend app (I note that these are exactly the same as the outgoing IP addresses on the API app as well) however when the frontend app tries to contact the API I get an error:
403 forbidden 'The web app you have attempted to reach has blocked your access.'
The 2 apps can communicate as normal when the access restrictions are removed.
I turned on diagnostic settings and ran a query on IP blocking by the app.
Turns out that the FE app is using an IPv6 address instead of the v4 addresses listed in the app properties.
This is because the app has a vnet integration set up connecting to a Subnet delegated to Webservice/serverfarm.
Azure does not make it obvious that using delegated subnets forces an integrated app to use IPv6 and there does not appear to be a way to discover what v6 addresses may be in use. MS forum response suggests any firewall rule for a web app attached to a delegated subnet should allow ALL IPv6 addresses (!!) as a way of working around the problem.
https://learn.microsoft.com/en-us/answers/questions/493483/why-is-my-azure-web-app-showing-an-ipv6-outbound-i.html
You can control the IP address of outbound traffic from your FE web app by using regional VNet integration together with a virtual network NAT gateway to direct traffic through a static public IP address. Regional VNet integration is available on Standard, Premium, PremiumV2 and PremiumV3 App Service plans. To learn more about this setup, see NAT gateway integration.
Once you FE web app has a static IP you can use that on the API web app restriction in an ALLOW rule.
If your requirement fits, you may also leverage Service Endpoints.
With service endpoints,to ensure inbound traffic to your API app comes only from the subnet used by your front-end web app.
With this route, you need to use VNet Integration with your front end app and service endpoints with your API app. Set service endpoints on the integration subnet used by your Front End application. This solution is fast to set up and easy as well.
-This feature works together with IP access restrictions. Service endpoints aren't compatible with remote debugging. There are some considerations you need to make, you may take a look at them here and also other combination of networking features available on App Service and related scenarios.
As a side note:
-IP-based access restriction rules only handle virtual network address ranges when your app is in an App Service Environment. If your app is in the multitenant service, you need to use service endpoints to restrict traffic to select subnets in your virtual network.
-On App Service, you could have those two separate apps in the same App Service Plan (ASP), since you pay only for ASP, saving costs.
So, you can continue to add apps to an existing plan as long as the plan has enough resources to handle the load. The apps in the same App Service plan all share the same compute resource.

how to add forward proxy to azure app service

I have azure app service which runs .net core web api. This api access several external API s to get data and those external services has to whitelist the outbound ip addresses of my app service.
Azure app service has several outbound ip addresses and it can be change when upgrade/downgrade app service or when make internal changes like changing app service plan or resource group.
Is there any solution in azure to setup this app service behind a forward proxy ?, so i can share the IP of the forward proxy to external parties.
I think the best way would be to add all App services under a virtual network and create a Virtual Network Gateway to all outbound connections.
This would potentially need below azure services to be created:
- Virtual network
- Subnet
- Virtual Network gateway
- Routing tables (to route traffic via Gateway)
A better way would be sharing a domain name rather than IP address. Here's how to configure it directly in the Azure Portal:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
You can also add an API Management in front of your web app and use it as API gateway and also apply policies on it.
https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain

How to allow users over VPN to access Azure Web App

We have an Azure Web App and Azure VPN, we've locked down the web app so it's accessible internally only by granting/restricting access via IP addresses (via Access Restrictions page). However users over our VPN are not able to access the web app - when they connect over VPN, the user's external IP address is not from our internal network. We do not want to whitelist everyone's IP address.
If we had the internal IP address of the web app, we have a few options we could try, but we assume this is not available to us.
How would we allow access to a web app for users over a VPN?
Is this something API Management would solve?
If you don't want to whitelist everyone's IP address. You could involve front-ending the Web App with an Azure Application Gateway and restricting access to the Web App such that only connections from the Gateway are allowed.
Azure Application Gateway is a web traffic load balancer. It has a public or a private frontend or both backends, it must deploy in a dedicated subnet. The subnet also supports to restrict the network inbound and outbound traffic with NSG. In this case, you can deploy a private app GW, then the users over VPN will send the HTTP/HTTPS requests to the APP GW frontend, the APP GW receives the requests via Listener and routes the traffic to the appropriate backends based on the routing rules. An application gateway can communicate with to on-premises servers when they're connected by Azure ExpressRoute or VPN tunnels if traffic is allowed. See supported backend pools and how an application gateway works.
You could get more references from the third way in this blog.

Resources