I have a classic ASP.NET 4.7 Azure Web service with an Web API.
How to restrict access to some URL-path of Azure Web service from Internet while allow to access the whole web site, and allow access to the restricted path from a VNet?
I tried to solve the problem using Azure Application Gateway, but it does not work properly. Here is the question How to route to another path with Azure Application Gateway?
From perspective of coding, you could use this similar way instructed here to authorized on specific URL based on IP address.
From perspective for Azure Application Gateway, you could try using custom rules:
Allowing and blocking traffic is simple with custom rules.
For example, you can block all traffic coming from a range of IP addresses.
You can make another rule to allow traffic if the request comes from a specific browser.
You can leverage "RequestUri" variable in Match variable section. (Not professional on WAF, so didn't test this way)
Related
I have Azure app service (Web API) and have restricted access to everyone and allowed access by Ipaddress using access restrictions (https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions)
I want to allow a particular domain/endpoint access to the API doesn't matter which IP address they are coming from. Is there any way possible to do it.
Unfortunately, It's impossible to whitelist a particular domain/endpoint to the Azure app service using access restrictions as essentially the domain name will be resolved to a real IP address via DNS when the client access the web API in the Azure app service.
Not sure why you want to only allow a particular domain. Perhaps, you just want to map a custom domain to Azure App Service. Then you can access the web API using your multiple custom domain URLs.
Furthermore, optionally, you could apply an Application gateway in front of your web API, then you could access your backend web API using a custom domain URL or Application gateway URL. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example, URI path or host headers. Also, you could whitelist the Application gateway frontends in your app service access restrictions. See Configure App Service with Application Gateway for more details.
I hope it's helpful for you.
I have website deployed on Azure App Service and I want to restrict access to my website from any other country accessing it but only a specific country can access that website.
Is there any way where I can restrict/allow at the infrastructure level inside Azure?
Even though AppService does not provide, Yes this can be done with Azure CDN provider does via the Geo Level Filtering. More details can be found here.
Is there any way where I can restrict/allow at the infrastructure level inside Azure?
Agree with Sajeetharan. It seems Azure Web App could not restrict the access just by country directly. You can have a try with Azure CDN, it can restrict the access by country.
But, as the comment you said, you do not have to restrict CDN, in this case, you can consider to restrict IP addressees in Azure. You can also use IP Restrictions menu in Azure app services to add restrictions:
You can check the document Azure App Service Access Restrictions for some more details.
Besides, you can try to use web.config or use IP restrictions feature of the webapp:
Check this thread for some more info.
Hope this helps.
Answer is: Azure Front Door with Front Door WAF policy
After going through with different Microsoft documentation I finally implemented the solution with Azure Front Door where you can set Frontend hosts and Backend pools with forwarding/redirecting. And in Frontend hosts, you can select WAF policy.
In the backend pool, you can select any application e.g. App Service or any IP where your app is deployed.
In WAF policy there are multiple options to restrict your traffic and one of them is geolocation restriction.
Just apply geolocation restriction according to your desired country and it will work like a charm.
I have a web app that I am hosting on Azure and would like to know how I can make that site accessable by only a security group/distribution list within Azure.
Now, the url is accessable by anyone even outside of my tenant which I am trying to avoid - What route would I go down to restrict it down to groups? I can't do it by users because there are 1,000+ users.
It appears like you can only restrict an Azure Web App access via IP addresses or virtual networks. Below is a quick summary. However, I have attached a link to the MS Docs that explains in more detail how to implement adding these restrictions.
Go to your service in the Azure Portal > Networking > IP Restrictions
Add Rule
Input IP/subnet mask
Note: After you add a rule, it will create an implicit deny by default for anything requests not matching the rules.
This link also may be helpful if you want to edit the web.config instead of using the Azure Portal.
Windows Azure Web Apps let subscription administrators define custom hostnames for a web-app, these have to be manually listed, but you can also specify wildcard hostnames for subdomains, e.g. *.myapp.com.
So if I have a multi-tenant application where each tenant has their own vanity hostname, they could be "billselectrical.myapp.com" and "megabusiness.myapp.com" - and hostname detection in my application code would handle the rest.
However, is it possible to have arbitrary hostnames in Azure Web Apps? What if my (high-profile) customer megabusiness.com wants my hosted-application to appear as "myapp.megabusiness.com"? Obviously I can support this by explicitly and manually adding myapp.megabusiness.com to the Azure domain list (which does require adding verification TXT records, unfortunately - so this requires cooperation from the customer) - but there doesn't seem to be a way to instruct Windows Azure to allow any hostname.
...or is there?
I note that I know this is achievable using a raw VM with a manually configured IIS website - I imagine the same is possible with a Web Role Worker too.
Is there any way to secure an HTTP endpoint of an Azure Logic App ?
For example if I'm using my Logic App's HTTP request endpoint to be triggered as a webhook from a payment gateway, I'd want to restrict only certain static IP Addresses to access it and enable HTTPS.
I didn't find any firewall options like those present in Azure SQL for IP base restrictions.
You can put the manual trigger endpoint behind Azure API Management, using its "Restrict caller IPs" policy should help you accomplish what you need.
See https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
Restrict incoming IP addresses
In addition to the Shared Access Signature, you may wish to restrict calling a logic app only from specific clients. For example, if you manage your endpoint through Azure API Management, you can restrict the logic app to only accept the request when the request comes from the API Management instance IP address.
This setting can be configured within the logic app settings:
In the Azure portal, open the logic app you want to add IP address restrictions
Click the Access control configuration menu item under Settings
Specify the list of IP address ranges to be accepted by the trigger
A valid IP range takes the format 192.168.1.1/255. If you want the logic app to only fire as a nested logic app, select the Only other logic apps option. This option writes an empty array to the resource, meaning only calls from the service itself (parent logic apps) fire successfully.
I could be wrong but all App Services (Web Apps, Logic Apps, API Apps) are, by default, publically accessible and, by default, do not enable IP Filtering via Azure resource configuration (meaning, a setting on the Logic App). Options I can think of enabling this would be:
If you have access to a Web.config, use an element to restrict traffic to only a specific set of address (see MSDN)
Consider putting the Logic App behind an API Management resource and enforce a IP restriction policy (see Azure API Management Documentation); I'm guessing this may not apply for Logic Apps but including it anyway
Scale to a Premium App Service Plan, deploy Logic App to an App Service Environment which gives you the ability to specify whether there is a Public IP (VIP) used for load balancing requests or internal load balancer (which would be used for cross-premise connectivity between your LAN and Azure); you can also deploy a virtual Web Application Firewall (WAF) which would allow you to place explicit IP filters as well
Not knowing your requirements, I'd lean more towards option 3 simply because there is documentation supporting that scenario (at least for Web, Mobile and API Apps -- Logic Apps are not mentioned). Otherwise, if you're not able to modify the web.config to include the filters and cannot put an API Management instance in front of the logic app, I'm not sure what other options you may have.
Hope this helps and if you find a solution, I'd be interested in learning it as well.