How to allow users over VPN to access Azure Web App - azure-web-app-service

We have an Azure Web App and Azure VPN, we've locked down the web app so it's accessible internally only by granting/restricting access via IP addresses (via Access Restrictions page). However users over our VPN are not able to access the web app - when they connect over VPN, the user's external IP address is not from our internal network. We do not want to whitelist everyone's IP address.
If we had the internal IP address of the web app, we have a few options we could try, but we assume this is not available to us.
How would we allow access to a web app for users over a VPN?
Is this something API Management would solve?

If you don't want to whitelist everyone's IP address. You could involve front-ending the Web App with an Azure Application Gateway and restricting access to the Web App such that only connections from the Gateway are allowed.
Azure Application Gateway is a web traffic load balancer. It has a public or a private frontend or both backends, it must deploy in a dedicated subnet. The subnet also supports to restrict the network inbound and outbound traffic with NSG. In this case, you can deploy a private app GW, then the users over VPN will send the HTTP/HTTPS requests to the APP GW frontend, the APP GW receives the requests via Listener and routes the traffic to the appropriate backends based on the routing rules. An application gateway can communicate with to on-premises servers when they're connected by Azure ExpressRoute or VPN tunnels if traffic is allowed. See supported backend pools and how an application gateway works.
You could get more references from the third way in this blog.

Related

App Service VNET integration for outbound traffic: can it reach Internet endpoints?

I deploy my web application to an App Service instance on Premium tier. My web application makes outbound requests to external resources on the Internet.
In order to secure the connection with one of these external resources so I can reach it with a private IP address, my plan is to create a Site-to-Site VPN from Azure to Oracle Cloud Infrastructure (where the external resource resides). Then, I plan to use the VNET Integration for outbound traffic and connect my App Service to my VPN.
My question is - will the web application still be able to reach the other external resources on the Internet with their public IPs? I believe the answer is related to routing tables but I can't wrap my mind around it.
Just because you integrate a Regional VNet (I'm assuming) doesn't mean the app service won't be able to make outbound connections. Pretty much like
When you integrate your app service with your VNet that has the site-to-site VPN, traffic from your app service will traverse the Azure network rather than going out to internet, assuming your app service is using an RFC1918 address for your infrastructure. If you want to secure the traffic even further, then your app service would need to be hosted inside an App Service Environment

Azure App Service - VNet Integration vs Private Endpoint vs Hybrid Connection

I have a .NET Web API running in Azure App Service. It needs to connect to the RabbitMQ service running on my On-Prem server. How should I establish that connection between Azure App Service and RabbitMQ service port?
Do I need to whitelist the outbound IP addresses of Azure App Service in my firewall for this change?
The outbound IP address of Azure app service might change, see when it will change.
So you could have two options:
Hybrid connection.
It makes outbound calls to Azure over port 443. Hybrid Connections provides access from your app to a TCP endpoint and does not enable a new way to access your app. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination.
VNet integration and VPN gateway. With these methods, you can access the RabbitMQ service in a private network with a point to site or site to site VPN connection. VNet Integration is used only to make outbound calls from your app into your VNet. It doesn't grant inbound private access to your app from the VNet. In this case, If you want to use Private Endpoints for Azure Web App, then you need to either integrate with Azure DNS Private Zones or manage the private endpoint in the DNS server used by your app.

how to add forward proxy to azure app service

I have azure app service which runs .net core web api. This api access several external API s to get data and those external services has to whitelist the outbound ip addresses of my app service.
Azure app service has several outbound ip addresses and it can be change when upgrade/downgrade app service or when make internal changes like changing app service plan or resource group.
Is there any solution in azure to setup this app service behind a forward proxy ?, so i can share the IP of the forward proxy to external parties.
I think the best way would be to add all App services under a virtual network and create a Virtual Network Gateway to all outbound connections.
This would potentially need below azure services to be created:
- Virtual network
- Subnet
- Virtual Network gateway
- Routing tables (to route traffic via Gateway)
A better way would be sharing a domain name rather than IP address. Here's how to configure it directly in the Azure Portal:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
You can also add an API Management in front of your web app and use it as API gateway and also apply policies on it.
https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain

How to set up azure application gateway to allow intranet access only and block the internet traffic?

I have a setup like this
There is a website hosted in a VM in IIS.
There is an Azure Application gateway in-front which redirects the traffic to the website hosted in VM.
There are the NSGs, VNet and subnets for the Application gateway.
The requirement is to restrict the access to the site from internet while allowing intranet access only?
Which version of Application gateway you are using, if V1, attach the application gateway to private VNET-->Subnet and only attach private ip to gateway. If it is V2 just remove the public IP listener.
Application gateway is a reverse proxy. If you add VM's private IP as backend pool of your Application gateway, then application gateway will use its instance IP to forward the http request to your VM.
So you can add a NSG to your VM's subnet to only allow Application gateway subnet IP range and deny internet traffic on port 80,443.
It is applicable for both V1 and V2 SKU.

Access Azure website by IP cause 404 error

I have an azure website that I can access by
myname.azurewebsites.net
In Azure dashboard, the IP is 104.214.237.135
When I try to access my website by IP I have a 404 error
I don't understand. My plan App Service is S1
Regards
Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service environment (not in the Isolated tier) share network infrastructure with other apps. As a result, the inbound and outbound IP addresses of an app can be different, and can even change in certain situations.
App Service Environments use dedicated network infrastructures, so apps running in an App Service environment get static, dedicated IP addresses both for inbound and outbound connections.
Azure AppService IP addresses are shared between tenants and not guaranteed to be static. Your app is bound to the hostname, not the IP address. Unless you are using App Service Environment, you cannot use a static / dedicated IP address with Azure AppServices. You can add additional custom hostnames to your app.

Resources