We have a few Web Apps that need to access database on VM that behind Network Security Group. How do we allow Web App through Network Security Group?
Web App will use a set of outbound Public IP addresses to reach Internet. You can get those IP address by navigating to the Properties of the Web App.
In your NSG, you can use the Source IP as the list of IP that you got from Properties blade to allow traffic to your database. Also make sure to only open the port used by the database, and nothing else.
Related
I have created an App Service Environment and have multiple web app and web API associated with it. I want to achieve an arrangement where only my App service has access to the API, so trying to block traffic to the API using IP Restriction. But all the Web Apps as well as the web API has the same VIP and i cant find any other IP address associated with it.
Also to attach the NSG to the subnet(in which ASE is there), we need to add rules which again need specific IP. How can I achieve this?
I assume you have provisioned external ASE.
"App Service has the ability to allocate a dedicated IP address to an app. This capability is available after you configure an IP-based SSL"
So, you can limit the access to some of your apps inside the ASE by using App-assigned IP-based SSL addresses (Only possible with an External ASE and when IP-based SSL is configured).
When you provision your ASE, you can select how many external IP addresses the system should have including those for IP-based SSL purposes.
please see: https://learn.microsoft.com/en-us/azure/app-service/environment/using-an-ase#ip-addresses and slide nr.14 here https://8gportalvhdsf9v440s15hrt.blob.core.windows.net/ignite2017/session-presentations/BRK3204.PPTX
I have access to a server behind a corporate firewall. I need a web application on it to talk with https://westeurope.api.cognitive.microsoft.com/vision/v1.0/ocr. The infrastructure department want an IP number to that service, so they can open up a hole in the corporate firewall, so the application is allowed to make the out-going call. If I do an 'nslookup westeurope.api.cognitive.microsoft.com' I can see the receiving IP is 13.93.122.1 - but will it always be so... Is there a range I should know, or can I be certain that the Microsoft IP remains static?
I deployed a Asp.Net Core 2 application to Azure, using Visual Studio Community's Publish feature. The non-database-dependent parts of the application function, but the database-specific code returns an error.
The application's database is a Sql Server instance installed on a Windows server hosted on a Azure VM (not an Azure SQL database).
To fix this, I:
determined the application's IP address using the Url property (xxx.azurewebsites.net) of the app's blade
added an inbound rule to the network security group's blade that allows all ports from this IP address
added an entry to the VM's Windows firewall to allow ports from this IP address
Unfortunately, this did not solve the problem. What am I missing?
Incidentally, what's the recommended way to set the ASPNETCORE_ENVIRONMENT to development when publishing to Azure (to enable more-detailed error messages)?
I am assuming that your web application is deployed to an Azure Web App. You may not have the correct outbound IP address for your VM hosting. Note that a Web App's inbound IP address may be different from the Web App's outbound address. To find the outbound addresses for your Web App, do the following:
Go to your Web App's management blade.
Choose the Properties menu item (under Settings). On this screen, there's a list of possible outbound IP addresses. Try whitelisting them all in your VM's firewall.
I've got a app plan (BASIC SMALL) with a private (hopefully) ip adress that can be found under Settings > Custom Domains.
When I try to access the content of the app using just the ip, it doesn't work. The site says "Error 404 - Web app not found." The hostname works just fine. When I ping the hostname it gives me the same ip adress. What do I have to do in order to be able to access it just using the ip?
That's not how Web Apps work, since you don't get a unique IP address assigned. You'll need to access it via yourname.azurewebsites.net or yourcustomdomainname.com - and then your requests are routed appropriately based on the name you provide.
If you absolutely needed a dedicated IP address, you'd need to deploy to a virtual machine.
When you host your web site on Azure web app it is bound to a virtual IP address that is shared with other web sites in the same app service plan. If you want to get a dedicated IP with your web site, please try to use Azure virtual machine with reserved IP. You could also choose App Service Environment
If you buy your custom domain, you can freely set DNS A records for that IP (it remains static). It sets binding of your domain to your web app. You can't access it directly by IP. Because on a given IP address and standard HTTP port 80, only one web can be running.
Imagine your web app could be open by entering that IP. You would "block" port 80 for zillions of other stuff running there.
If you check Properties blade there you will see a number of outbound IP addresses. If you consume some requests from web app / job / ... and have IP restriction set on the other side - you need to allow all these IPs.
As David suggested. If you really need a static IP - you need to run VM and set IP address as static or set VNet for web app.
I have configured my Azure Web Apps and App Hosting Plan to connect via Point-to-Site gateway with my Virtual Network in Azure. I followed this article here:
https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/
I have a VM that is hosting DNS and my Virtual Network is configured to use this.
I want to be able to reference services running in my Virtual Network from my Web Apps via domain name and not by direct IP address.
It works fine if I connect using the VM's internal IP address eg 192.168.1.4. But, when I add a DNS A record pointing my-service.my-vnet.local to 192.168.1.4, my web app can't resolve the domain.
I attempted to check the DNS settings of the web app and it appears my internal DNS server is not one of the hosts configured. Here's the code I ran in my web app:
from nic in NetworkInterface.GetAllNetworkInterfaces()
let props = nic.GetIPProperties()
select String.Join("; ", props.DnsAddresses.Select(x => x.ToString()))
Is this possible to do? If so, can anyone suggest what I need to do?
From everything we have tried and talking with Azure folks at Ignite, Web Apps (point-to-site) were not designed to be joined to a domain. That said, we are successfully using web apps to access on-premise web services using a binding with a fully qualified domain name (FQDN) and securing that traffic be certificate.
Due to the way web apps connected to a VNET works, you will not be seeing the DNS servers when you list all interfaces. If in command line you run the command:
SET WEBSITE_
You should see an environment variable that holds your configured DNS servers. If not, you should go to your web app in the Azure Portal, to the Vnet section, and hit the "Sync Data" button.