From the Azure API management pricing page I see that Virtual Networks aren't supported besides the Developer and Premium tiers.
Currently with my developer tier subscription when configuring the VN of an APIM I can choose between "off", "External" and "Internal". With the other tiers, can I still use an External VN or no VN at all?
When I try to connect a kubernetes cluster/VM to the APIM, I have to configure the APIM with an external VN. So if that's not possible with the other subscription tiers, is it still possible to connect to a kubernetes cluster?
VNET Support (and hence the options) are available only in the Developer and Premium Tiers.
You can still use APIM by routing requests from APIM to the AKS load balancer using a static IP and overriding the Host header as required. If possible, you could also use Azure Application Gateway as an ingress controller too.
When taking the load balancer approach, you could setup a Network Security Group to allow traffic only from APIM (and any other IPs/Services) to your AKS nodes.
When taking the Application Gateway approach, you could setup IP restrictions to APIM.
You should be able to setup a similar source IP rule on your own ingress controller too instead of an NSG rule I suppose.
Related
If I am setting up an Azure SQL Database in a vnet which Azure App Service and Azure Function will access. Is using both Subnet Delegation and Service Endpoints the right way to go? I didn't fully understand the documentation.
Regarding subnet delegation, I read this Microsoft article and this stackoverflow post, which stated:
When you delegate a subnet to an Azure service, you allow that service to establish some basic network configuration rules for that subnet, which help the Azure service operate their instances in a stable manner.
That sounds like a good thing but makes me wonder how it worked efficiently w/o subnet delegation.
As for Service Endpoints, I read this Microsoft article, which states:
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Does that mean I cannot reach the Azure SQL Database from my home machine w/a firewall rule?
They both sound like they have the same benefits and I'm struggling to understand the difference. I suppose the larger question is should I enable both for the simple architecture outlined above.
In the Microsoft service endpoints documentation they also mention:
Microsoft recommends use of Azure Private Link for secure and private access to services hosted on Azure platform. For more information, see Azure Private Link.
For some reason that seems like an Azure to on-premise thing.
• You cannot use a ‘Subnet Delegation’ along with a ‘Private endpoint’ since that subnet is delegated for the said service, in your case, the Azure SQL Database. Through a subnet delegation, you can define the NSG association for it, as well as associate multiple delegated subnets to a common NSG. You can also define the IP Address space for the delegated subnet, the route table association with it, the custom DNS entry configuration in Azure DNS as well as define the minimum number of IP Addresses available for that delegated subnet. Similarly, with regards to service endpoint, these stated functions are not available.
• In service endpoint, you do not have control over the routing mechanism as well as the IP address related allotment, reservation, or configuration. Also, managing DNS entries for the resources managed through them and controlling them through a firewall or NAT gateway isn’t required unlike a subnet delegation because all these things are managed by Microsoft Azure’s backbone network on your behalf.
Thus, both have their own features and specifications for enabling you to configure according to your own requirements.
Does that mean I cannot reach the Azure SQL Database from my home machine w/a firewall rule?
Yes, you will have to create a firewall rule to allow the access from on-premises system to Azure SQL Server/Database and configure the service endpoint accordingly to allow the VPN client IP Addresses for accessing the same over public internet.
Also, through Azure private link, you won’t be able to connect from on-premises to Azure as it uses a private IP address and a private DNS zone entry related to it to connect to Azure resources in the same virtual network.
To know more regarding the configuration of Azure service access from on-premises network, kindly refer to the below given link: -
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-service-access-from-on-premises
Also, refer to the below snapshots regarding the configuration and selection of service endpoint for a particular subnet: -
I have my APIs hosted on a azure windows virtual machine. I want that these APIs should be privately consumed by API management. If I make VM and APIM in same VNET and configure APIM as internal then my APIs exposed by APIM will not be accessed by public web app and If I make my APIM external then my developer portal will be publically accessible, which I dont want.
Is there any policy or outbound/inbound rule that can be configured so that APIs from VM, and APIM developer portal is not publically accessible?
From the document, if you select internal option in the virtual network of API Management services,
the API Management gateway and developer portal are accessible only
from within the virtual network via an internal load balancer. The
gateway can access resources within the virtual network.
In this case, you can deploy your APIM into a vNet following the common network configurations---dns and NSG rules. The API hosted VM should be able to resolve the develop portal with a private IP address.
I have a resource (specifically, a Kubernetes service deployed to my AKS cluster) to which I want to limit access. I've looked around through the MSDN documentation on What is Azure Virtual Network?, VPN Gateway design, and more, but I don't see a clear way that I can either:
Require AAD authentication before a specific IP/Port is accessed, or
Whitelist access coming from a specific IP/subnet (eg, specifying CIDR format www.xxx.yyy.zzz/nn that should get access).
There seem to be ways to restrict access that require I install some a RADIUS VPN client, but I don't want to require this. It seems like there are a ton of hoops to jump through -- is there a way I can block all incoming traffic to my AKS cluster except from specific AAD roles or from specific IP ranges?
It would be helpful to understand what you intend to use AKS for (web site, batch computing, etc.)
First you should fully explore the networking options offered by the service itself. Start with locking down to your personal IP address and the service will likely (based on Azure docs) append a deny-all to the end of your networking rules. To get the IP address it sees you from, try IP Chicken.
I offer two additional options: Application Gateway or API Management.
One way to lock this down, based on the information you shared, is Application Gateway.
Application Gateway (Product Page)
Ingress Controller for AKS
"Application Gateway Ingress Controller (AGIC) allows you to use Application Gateway as the ingress for an Azure Kubernetes Service (AKS) cluster." - from Azure Docs
API Management
You also have API Management paired with policies on that resource. It can restrict by AAD (check pricing tier for details) and IP address (on any pricing tier).
If the organic networking options of AKS don't cover your use case, I would choose API Management. Price and options are better for what it seems you are aiming for.
Originally I tried to restrict access from an app service to blob storage using IP addresses, however it turned out that you can only do this using a Virtual Network: Firewall access from Azure app service to blob storage
I want to be able to achieve this without setting up a point-to-site VPN. The steps I have taken to set up a virtual network in Azure are as follows:
Created Network security group "securitygroup-frontend", add custom
inbound rule called Web with Source: Service Tag, Source service tag:
Internet, Source port ranges: *, Destination : Any, Destination port
ranges: 80, 443, Protocol: Any, Action: Allow, Priority: 100
Created Virtual Network with address space 192.168.0.0/23 and subnet called frontend address range 192.168.0.0/26 with network security group: securitygroup-frontend and subnet delegation to Microsoft.Web/serverFarms and service endpoints Microsoft.Storage
Went to app service -> Networking -> Configure VNet integration ->
Add VNet preview and select the subnet you created
Went to Storage -> Firewalls and virtual Networking -> Configure VNet integration -> Select 'Selected networks' and add in the virtual network and subnet just created.
I have had to move Azure diagnostics and logs such as for key vault, service bus and sql azure to its own blob storage as these require blob storage outside of a virtual network and can't be made to work inside. The app service is in the Standard plan. The app service, blob storage and virtual network are all in the same region.
This question and answer does not provide any insights: https://social.msdn.microsoft.com/Forums/azure/en-US/9f4d8aeb-68a6-4ec1-9e11-bee2d1301792/allow-access-to-azure-storage-account-only-from-an-app-service?forum=windowsazurewebsitespreview
The above steps though block off access from the app service to blob storage and any assets within return an error: (403) Forbidden. If I remove the Virtual network from blob storage it works fine. What am I doing wrong?
Yes, you can do this using a VNet but you need to deploy the web app in a VNet with App Service Environments. You can not do this with VNet integration. Integrating Azure services to an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. However, web app service in a regular app service plan is multi-tenant. With ASE, you could deploy it into your VNet.
You could get more details and explanation from this similar thread. According to a comment from silent, you could also consider deploying your web app inside a container which could be deployed in a VNet with some restriction.
Update
Sometimes, the deployment order for networking is important. In your case, you enable service endpoint before VNet integration. I suggest removing NSG restriction in integrated app subnet VNet for a test. Then you could check the following steps.
Firstly, you could deploy new VNet integration with an unused subnet. After the VNet Integration is completed and the web app is restarted, you could enable service endpoint and subnet delegation for this subnet. In the end, you could add the subnet in the firewall of the storage account.
The new version is in Preview and not GA currently. It might be not all functions available. you could also check the following characteristics.
No gateway is required to use the new VNet Integration feature。
You can access resources across ExpressRoute connections without any additional configuration beyond integrating with the ExpressRoute connected VNet.
The app and the VNet must be in the same region.
The new feature requires an unused subnet in your Resource Manager VNet.
Your app must be in an Azure App Service deployment that is capable of scaling up to Premium v2.
Your App Service plan must be a Standard, Premium, or PremiumV2 plan Production workloads are not supported on the new feature while
it is in Preview
The new VNet Integration feature doesn't work for apps in an App Service Environment.
You cannot delete a VNet with an integrated app.
Route tables and global peering are not yet available with the new VNet Integration.
One address is used for each App Service plan instance. Since subnet size cannot be changed after assignment, use a subnet that can
more than cover your maximum scale size. A /27 with 32 addresses is
the recommended size as that would accommodate an App Service plan
that is scaled to 20 instances.
You can consume Service Endpoint secured resources using the new VNet Integration capability. To do so, enable service endpoints on the
subnet used for VNet Integration.
I'm struggling with how to use Azure API management together with App Service Environment v1 (aka ASEv1), i.e. how to set the things via Azure portal.
I have ASE with one app service (target is several of them) and I have APIM gateway pointing to the public host name of the service.
What I have to do to make the app services in ASE VNet to be accessible only through the APIM gateway, to keep the back-end services hidden?
I need to be able to manage APIM from Azure portal and to be able to access the services directly via FTPS for deployment, collecting logs, etc.
--
I've created a new subnet for the APIM and put it in the ASE VNet , where already ASE subnet was. Now I probably have to set some NSG rules but I'm not sure how and if it is all I'm supposed to do.
The second thing I'm not sure is how to change the APIM API settings. It now points to a public URL of the service - I do not know if it will be available after NSG changes.
There are a couple of options, depending on what you really want. If you're fine having your backend services visible by outside but not callable, you can employ any means of authentication between APIM and backend services:
Shared secret - header/query param
Client certificate authentication
IP filtering on the side of backend services
If you want to really hide backend services from outside, you'll have to put APIM and ASE into same VNET.
Following seems to work, although it may need some fine tuning.
In short, each layer put into separate external VNet with own Network Security Group (NSG), using caller's public IP address to manage access to VNet:
back-end service web app in ASEv1 VNet "vnet-ase", with associated NSG "nsg-ase"
APIM gateway put to a separate VNET "vnet-apim", with associated NSG "nsg-apim"
in nsg-ase allow access from public IP of APIM GW, to vnet-ase
nsg-apim will be used to manage connections to the APIM gateway