I have an Azure App Service where the customer is using an Akamai WAF in front of it to connect to it. Now I have the requirement that the App Service should not be reachable other then through that WAF. I got a list of IPs I have entered in the App Service Networking in the Access Restrictions list (App Service -> Networking -> Access restrictions).
This works pretty well in principle, but if I now try to access the service directly (so by using appname.azurewebsites.net), not through the WAF, it will return a 403 error response. But the requirement is that the service should not answer, at all.
Is there a way to achieve that in Azure? What would be the best way to do this?
By default, when you configure ip restrinctions on App Services, the App Service will return the 403 forbidden page from Azure.
So, if you want to Avoid default 403 when IP Restrinctions are configured on App Services, you could vote up this feedback to promote this to be achieved.
There is a way to achieve this behaviour right now in an app service:
What you need to do is use an app service plan on the Isolation tier, create a v-net and add a network security group to it where you can restrict inbound ips.
This is pretty expensive, but currently the only way.
What I ended up with is to use a VM with a v-net, as this is much cheaper. An App service on the isolation tier unfortunatly would have destroyed the budget.
Related
I have an Azure Web App and an Azure SQL Server, both in the same subscription. Both of them are connected to the same VNet Subnet as shown in the below snapshots. The SQL Server is configured not to Allow Azure Resources and Services to access the server, as it should only permit access from either the connected subnet or a set of IP rules.
Unfortunately, the SQL Server is actively refusing any connection from the web app stating that the web app IP is not allowed to access the server.
The interesting thing is that I have the exact same configuration working on another subscription.
What could I be missing?
Snapshots:
1- Here you can see the web application connected to the "webapps" subnet
2- And here you can see the SQL Server connected to the same subnet
3- And that's the error I get
TLDR
The configuration is correct, but an app service restart may be required.
VNET Integration
The configuration of using a virtual network to connect a web app to a SQL database is correct: if the web app is connected to the same subnet/vnet which is allowed in the database's ACLs, and the Microsoft.Sql service endpoint is enabled on the subnet, the web app is able to communicate to the database. This is the whole reason for service endpoints: you do not need to configure with IP allowances on the database.
As to why the configuration still resulted in an error, it could be the order in which the resources were configured. We were experiencing the exact same setup and issue (which is what let me to this question)!
We connected our web app to the subnet/vnet but had not enabled the service endpoint on the subnet. We then added/allowed the subnet/vnet as an ACL in the database, during which we were prompted to enable the Microsoft.Sql service endpoint (we did). However, even after waiting ~20 minutes, we were still seeing the same connection issue.
However, once we restarted the app service, the issue went away and the web app could connect to the SQL database.
I suspect the issue is due to enabling the subnet's service endpoint after the app service was connected to the subnet. The app service must need a restart to refresh the app service's vnet config/routing.
Configuration NOT needed
Contrary to other answers, you do not need to configure firewall IP allowances nor enable access to Azure services and resources. In fact, there are downsides to both approaches:
Enabling access to Azure services and resources allows any Azure-based resource to connect to your database, which includes resources not owned by you. From doc:
This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers.
Unless you're using an App Service Environment (which is significantly more expensive than normal App Service plans), your web app's outbound IP addresses are neither static nor specific to your application. From doc:
Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service environment (not in the Isolated tier) share network infrastructure with other apps. As a result, the inbound and outbound IP addresses of an app can be different, and can even change in certain situations.
The second point is further elaborated upon in this Github issue:
IPs are indeed shared with other App Service plans (including other customer's plans) that are deployed into the same shared webspace. The network resources are shared among the plans in a workspace even if the computing instances are dedicated (e.g. in Standard tier). This is inherent to the App Service multi-tenant model. The only way to have a dedicated webspace (i.e. outbound IPs) is to deploy an App Service plan into an App Service Environment (ASE) (i.e. Isolated tier). ASE is the only thing that offers true single-tenency in App Service.
So neither of the above options will truly harden your SQL database if you want to isolate communication from only your web app. If you have resources in the same subnet, using vnet integration is the correct way to solve the problem.
If resources cannot be in the same subnet, the solution is to use Private Endpoints.
Virtual networking in Azure is quite different from how it would work on premises.
I had similar problems in production environment and digging deep, the working solution (meeting security standards and create a secure connection to the database) was to create a private endpoint for SQL access in the virtual network. Then all the calls to the SQL were performed internally (it did not go on the internet), and the databases were denying all public calls.
In your case now, you deactivated the Allow Azure apps to access so when your app is trying to access the SQL the server checks the ip to find out if it is white listed or not. So fast solutions would be one of the following:
Enable Azure Web apps to access SQL
Find all outbound IPs of your web app and register them in you SQL firewall/ security settings.
If you talk about a proper production environment with security regulations I would suggest you go down the more tedious path of private endpoints.
You have to configure the outbound IPs from the app service in the sql fw.
You can find them under properties of your app service. Documentation.
The reason why is that the VNET integration doesn't give your app service an outbound IP in the VNET you configured it in, so the FW you configured doesn't work.
I have working web apps which access storage accounts and KVs. These storage accounts and KVs accept traffic from a particular subnet and the web apps have been configured to integrate with those subnets. I did face an issue where even after integration apps were not able to access these resources. What worked for me was, I changed the App service SKU from Standard to Premium and restarted the app. As you can see, it warns that "Outgoing IPs of your app might change". This is not guaranteed solution but it worked for me.. several times! Not sure about SQL server though. Private endpoint does seem like the way to go but you can give this a try.
We have an App Service running in Azure that hosts a website. We've recently had a security review on the web site and one of the items found was that the end point below was exposed.
https://<appName>.azurewebsites.net:8172/msdeploy.axd
The recommendation is that this end point should be blocked and using a whitelist to allow limited access (e.g. the build machine that deploys to Azure). How do I block this end point?
After discussions with Microsoft support it appears that port 8172 is enabled for backwards compatibility with old versions of MsDeploy. This port is being phased out and will be open sometimes and not other times.
The fix was for us to create a new resource group, app service plan and app services multiple times until we ended up a server that had the port closed. This was frustrating but ultimately it did resolve the issue.
You could use IP level limitation in the Azure App Service access restrictions to allow limited IP addresses or VNet access to your app service. In this case, it will work on all the applications in your app service.
For some specific endpoint access control, perhaps, you need to control it with access authorization in your application code. Read Tutorial: Authenticate and authorize users end-to-end in Azure App Service and Managing access to apps.
Alternatively, you select to use Application Gateway integration with service endpoints. In this case, you only want the front end to be accessible to your end-users. The back-end should be locked down so it is only callable from the front-end. Also the front end subnet support NSG, you could restrict the end-users with IP and port to access your front end, meanwhile, it will limit access to your endpoint. See Securing Back-end App Service Web Apps with VNets and Service Endpoints for more details.
Hope this helps you.
I have website deployed on Azure App Service and I want to restrict access to my website from any other country accessing it but only a specific country can access that website.
Is there any way where I can restrict/allow at the infrastructure level inside Azure?
Even though AppService does not provide, Yes this can be done with Azure CDN provider does via the Geo Level Filtering. More details can be found here.
Is there any way where I can restrict/allow at the infrastructure level inside Azure?
Agree with Sajeetharan. It seems Azure Web App could not restrict the access just by country directly. You can have a try with Azure CDN, it can restrict the access by country.
But, as the comment you said, you do not have to restrict CDN, in this case, you can consider to restrict IP addressees in Azure. You can also use IP Restrictions menu in Azure app services to add restrictions:
You can check the document Azure App Service Access Restrictions for some more details.
Besides, you can try to use web.config or use IP restrictions feature of the webapp:
Check this thread for some more info.
Hope this helps.
Answer is: Azure Front Door with Front Door WAF policy
After going through with different Microsoft documentation I finally implemented the solution with Azure Front Door where you can set Frontend hosts and Backend pools with forwarding/redirecting. And in Frontend hosts, you can select WAF policy.
In the backend pool, you can select any application e.g. App Service or any IP where your app is deployed.
In WAF policy there are multiple options to restrict your traffic and one of them is geolocation restriction.
Just apply geolocation restriction according to your desired country and it will work like a charm.
We have an application running in Azure that consists of the following:
A Web App front end, which talks to…
A WebApi running as a Web App as well, which can (as well as a couple other services) talk to…
A Cloud Service load balanced set of VMs which Are hosting an Elasticsearch cluster.
Additionally we have the scenario were dev’s whitelist their IPs so that their localhost version of the API can hit the VMs as well.
We have locked down our Elasticsearch VM’s by adding ACLs to the exposed end point. I whitelisted the outbound IPs that were listed on my App Services. I was under the mistaken impression that these were unique to my Api. It turns out that these are shared across the scale unit in Azure. Other services running in the same scale unit, could, if they knew the endpoint, access the data exposed on the endpoint in my cluster. I need to lock this down, and I am trying to find the easiest way. These are the things I am looking at, and I would appreciate advice and/or redirection.
Elastic Shield: Not being considered. This is a product by Elastic
that is designed to secure ES. This is ideal, but at the moment it
is out of scope (due to the cost and overhead)
List item
Elastic plugins: Not being considered. The main plugins (such as
Jetty) appear to be abandoned.
Azure VPN. I originally tried to set this up, but ran into too many
difficulties. The ACLs seemed to give me what I need without much
difficulty. I am not sure if I can set this up now. The things I
don’t know are:
I don’t think I can move existing VMs into a new VPN.
I think you have to recreate the VMs in that VPN from the get go
Could I move my Web App into the VPN? How does that work?
This would prob break my developer scenario as the localhost API
would not be able to access the VPN, right?
Add a certificate to requests: It would be ideal if I could have
requests require a cert or a header token. I assume to do this I
would need to create a proxy that would run on the VMs and do the
validation before forwarding the request on to my Elasticsearch.
Anything else? Is there another option I have not thought of?
Thanks!
~john
You can create a VPN point-to-site connecting your Web App with your IaaS VMs. This is the best solution because you will be able to use just internal IPs on your IaaS.
The easiest way to do that using Azure Portal is create a Web App and, create a new VPN and VNet using "setup" option at "Your Web App" -> Settings -> Networking -> VNET Integration -> Setup -> Create New Virtual Network.
After that, create your IaaS inside this new VNet.
You also can create a ARM template to create Web App, IaaS, VPN and everything that you need. Take a look at my ARM template to create PHP+MySQL using Web App and MariaDB Cluster connected by VPN: https://github.com/juliosene/azure-webapp-php-mariadb
Good evening,
I currently have deployed a VPN in azure, in this network I have added a cloud service and have also granted access to an azure website, so far so good.
Now I want the cloud service to be available only to the nodes of my VPN, especially the azure website. In order to achieve this I have created some ACLs which grant access to every node of my subnet i.e,
<Rule action="permit" description="test2" order="200" remoteSubnet="172.16.0.0/27" />
However, once the ACL Rule is enforced, the website has no access to the cloud service and therefor a timeout exception is thrown. Am I doing something wrong or the only way to achieve this is to deploy both of my projects on cloud services instead of a website and a cloud service? It is vital for this project that the cloud service is only available locally.
Thanks in advance
You can't currently restrict Azure Websites to only be accessible via a private VNet and as you suggested you will need to use either Web Role (Cloud Service) or a VM.