Azure ASE v2 - restrict network access for app services - azure

I have an ILB ASE v2 with WAF (public IP). The ASE has its subnet where all web apps reside. For obvious security reasons I think I need to lock down access from Internet and leave only HTTPS open. But when I do that I can't see app services info in the portal. So what should my NSG look like for this subnet?
Also, WAF has its own subnet. It doesn't have NSG assigned either. Should it have one?

When you add a NSG to the AppSercice subnet with Deny All internet traffic, it is blocking the portal to fetch information from App Device. Try adding a NSG rule with greater priority with source IP as Azure Cloud tag and allow it.
So you are blocking all Internet traffic and allowing Azure IPs for communication.
Let me know if it works.

Here's the resulting rules set for ASE subnet NSG:
you might want to add HTTP to it if you need it.

Related

Azure NetworkSecurityGroup rule for WebApp

I want to enable traffic from my webapp (that sits inside the VNET and has its private IP) to Application Gateway (that is deployed to the same VNET and has NSG attached to its subnet).
How can I do it?
If I add webapp outbound ip to NSG as allowed - traffic works fine, but I do not want to hardcode this ip.
If I add "Internet" service tag it works as well, but it is too broad for my taste.
I could not find any other relevant service tags for me (tried "AppServiceManager", "AppService" and "AppService.AustraliaEast").
Also checked this document (and had to update the filename to last Monday! :) ) but could not find the IP that worked for me (52.187.231.76).
Ideal solution would be to allow only VNET traffic, but this did not do the trick as well... All ServiceEndpoints are there.
Checked with Azure support. Unfortunately there is no service tags available to do this yet.
Workaround - to manually add security rules for each application that supposed to access Application Gateway to allow Outbound IPs.
To do so - go to azure portal, to the application that needs to be able to access App GW. Go to properties blade and copy Outbound IP addresses. Then go to NSG and create a new inbound security rule to allow access from all of those IPs (at least it can be 1 rule).
According to Azure support those IPs should not change unless you recreate the whole webapp and the app can only cycle through those IPs.

Azure Internal ASE with Firewall

I am running a Linux container as a web app in an internal ASE.
The ASE is deployed to a Vnet (secondary Vnet) which is peered to a another Vnet(Primary vnet) where an Azure firewall exists.
1.I have Enable service endpoints to SQL, Storage, and Event Hub on your ASE subnet.
2.From the Azure Firewall UI > Rules > Application rule collection, Set App Service Environment FQDN Tag and the Windows Update Tag.
3.From the Azure Firewall UI > Rules > Network rule collection, Set the ports to 123.Create another rule the same way to port 12000 to help triage any system issues.
4.Create a route table with the management addresses from App Service Environment management addresses with a next hop of Internet, set 0.0.0.0/0 directed to the network appliance ( Firewall internal IP address)
5.Create Application rules to allow HTTP/HTTPS traffic (Note: address is the IP of the ILB of the Internal ASE, since I cant find an IP for the web app itself)
I don't seem to be able to reach the web app. Any guidance will be appreciated. is the problem that I created an Internal ASE?
I am trying to isolate the ISE and control external access to it via a firewall.
MSDocs I referenced :https://learn.microsoft.com/en-us/azure/app-service/environment/firewall-integration
Yes, I think it's the problem with internal ASE. Also, the referring document is intended to lock down all egress from the ASE VNet. Inbound management traffic for an ASE can not be sent through a firewall device.
There are a number of inbound dependencies that an ASE has. The
inbound management traffic cannot be sent through a firewall device.
The source addresses for this traffic are known and are published in
the App Service Environment management addresses document. You can
create Network Security Group rules with that information to secure
inbound traffic.
In addition, since it's an internal ASE, it is deployed in your VNet with ILB. You can not directly access its backend web app over the Internet, you need at least a public-facing Ip address (external VIP )or other public-facing services(Public Azure application gateway) in front of it.
It will like this,

Denylist client IP in Azure Application Gateway

We are using Azure Application Gateway for our site, and we are getting few people scraping our site. We want to block their IP at gateway level, as we don't want to configure the same blocks in every web service.
We can not find the way of blocking IPs using only the gateway or its virtual network. Had anybody the same problem and can illuminate our path?
You could deploy Application Gateway in a virtual network. If so, you will have a dedicated subnet for this Application Gateway. This subnet can only contain Application Gateways. You could associate an NSG to this subnet. If so, you could restrict inbound and outbound traffic from this Application Gateway subnet via inbound or outbound security rules in NSG. In this case, you could add an inbound security rule to backlist your clients' IP.
Refer to DOC, Note:
Network Security Groups (NSGs) are supported on the application
gateway subnet with the following restrictions:
Exceptions must be put in for incoming traffic on ports 65503-65534
for the Application Gateway v1 SKU and ports 65200 - 65535 for the v2
SKU. This port-range is required for Azure infrastructure
communication. They are protected (locked down) by Azure certificates.
Without proper certificates, external entities, including the
customers of those gateways, will not be able to initiate any changes
on those endpoints.
Outbound internet connectivity can't be blocked.
Traffic from the AzureLoadBalancer tag must be allowed.
Hope this helps.

Azure NSG rules for traffic from an Azure Cloud Service

I have an Azure cloud service and a Azure Kubernetes Service(AKS). AKS is within a NSG. I would like to create rules in network security group(NSG) to restrict inbound traffic from only the specific cloud service.
Since cloud service IP could change, I would not be able to base the NSG rules on IP. Also, I do not see cloud service in the azure service tags list in NSG.
How do I achieve this NSG rules configuration ?
It seems that you want to restrict inbound traffic from only the specific cloud service to AKS. Conversely, you can add inbound rules to allow the traffic that you want to access to AKS, Then the traffic you have not added the allowing rule will be denied since there is a DenyAllInBound inbound rule in each NSG. The traffic filters according to the priority. (High priority is small value) in the inbound rule.
Update
If you only allow one specific cloud service in the inbound traffic, you just set the source to the specific IP address in the inbound rule of yours NSG. The assigned IP address for the cloud service doesn't change unless you stop and restart provision of the service. If you ensure to know the fixed IP address in your subscription even if you deprovision and reprovision, you can use a Reserved IP address for Cloud Services. Ref: Static IP for Cloud Service on Azure
Reserved IP addresses (Classic)

Azure Network Security Group inbound filter for Azure Search

In my Azure VNET I have an AppService that's using Azure Search. I'm trying to use NSG Inbound Rules to restrict access to the Azure Service using IPs. Unfortunately, in the NSG configuration blade, I can specify the destination only using the IP or VNET. How can I isolate the traffic to Azure Search?
Thanks
Azure NSG doesn't support specify Azure Search as the source/destination.
For now, Azure NSG only support IP Address and Service Tag as the source. And the Service Tag contains Intranet, a specfic Azure VNet, Azure Loadbalancer,Azure Traffic Manager , Storage and SQL.
For the destination, as you seen, it only support IP address and VNet. This is because Azure NSG can only be associated to VMs, NICs, VNets and subnets. These resources are all IaaS services.
However, Auzre Search is a PaaS service, it doesn't have VNet in portal which can be associated to NSG. So, it cannot used as the destination of NSG.
Hope this helps!
There are options now, 4 years later. See "Security Overview for Azure Cognitive Search".
https://learn.microsoft.com/en-us/azure/search/search-security-overview
It should be relatively safe (but not undetectable) on the *.windows.net space, there would be WAF mitigations. People use shared secrets for SSH after all. It is a matter of looking after those keys as well.
No cheap solution, but you are presumably paying by the hour for the search service in any case. Firewalls, private endpoints, key vaults, it all adds up.

Resources