Azure Application gateway with web apps - azure

I have set up an Azure Application Gateway in front of an Azure Web Application. I have added an IP restriction on the web app allowing access only from the Application Gateway's public IP address. This works fine, but when I enter the public IP address in the browser it redirects to the web app's URL. How can I stop the Application Gateway redirecting to the web app URL and have it return the response against the public IP?

I have deployed an MVC web application behind Application Gateway with the following settings, and when I type the IP address of the application gateway, it shows the web application on the application gateway IP.
A custom probe was automatically added when I saved the page after selecting the "HTTPS" and "Use for App Service" options.
Backend pool where the web app was selected.
If you still see any issues, I will post steps to configure everything tomorrow.

It turns out that you first need to configure the custom domain to the webapp and once the propagation happens the CNAME record of the custom domain should be changed to map the FQDN of the Application gateway.

Related

Access azure webapp with the CNAME which is behind an Azure Application gateway

I have an azure web app and its corresponding application gateway.
I have created a CNAME and pointed it to the DNS name of the app gateway.
Now when I access the site using the CNAME, it reaches the app gateway and redirects me to the web app (actual web app URL ...azurewebsites.net).
Is it possible to reach the web app using the CNAME, i.e. the address bar should keep displaying the same CNAME when reaching the web app (it should not redirect to the web app)?
Thanks.
You could configure the custom domain like sub.example.com to the web app first, then you could add such custom domain in the hostnames of Azure web app service. Once the DNS propagation happens, the CNAME record of the custom domain in the DNS zone should be changed to map the FQDN of the Application gateway like xxx.cloudapp.net.
I tested this using a web app service without HTTPS redirection. HTTPS Only is off. Azure Application Gateway is also working for HTTP. If you want to use HTTPS for the web app, you need an SSL cert for the custom domain.
Tutorial: Map an existing custom DNS name to Azure App Service
Update
In this case, you properly set HTTPS only is on in the custom domains of Azure web app service. For me, I could still set "Pick up hostname from the backend pool" under the HTTP setting even I do not add the hostnames as my previous reply. The redirection actually is related to the "HTTPS only" under Custom Domain in Azure web app.
I got this issue fixed:
The redirection that was occurring was due to a setting "Pick up hostname from the backend pool" under HTTP setting of application gateway. Removing that setting, using the CNAME we were able to reach the web app but we were getting an error "Too_Many_redirects" and this was resolved once the "HTTPS only" is set to off on the web app under Custom Domain as this redirection was configured at the gateway level.

How do you add a web app to the backend pool of Azure Application Gateway?

I have created a Webapp and have added an IP restriction so that it can only be accessed via the Azure Application Gateway Public IP.
In the Application Gateway, I navigated to the BackEnd Pools, clicked to ADD backend pool and copied the web app URL e.g. https://mywebapp.azurewebsites.net, it complained it only wanted FQDN so I removed the https:// and entered in mywebapp.azurewebsites.net
I then navigated to my Application Gateway and copied the public IP address of the gateway and entered it in my browser to test the app but it won't see the web app, I get the error "This site can’t be reached."
Have I missed a step, is the FQDN incorrect? Do I need to use a custom Domain?
One of the things I would look for is whether a listener and a rule have been created. This is required to enable the application gateway to route traffic appropriately to the backend pool.
More info here -
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-powershell
I tried adding an existing App Service web app to the backend pool like you mentioned and realized that it was not adding the listener/rule for it. When I used the PowerShell script mentioned in the link above, which creates a listener and a rule, I was able to successfully hit the backend pool website when I browsed using the Application Gateway public IP/DNS.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway-arm

Web app not validating custom domain name

Steps I followed:
Created a web app (registration-ceus.azurewebsites.net)
Created a traffic manager profile, added the web app as an endpoint (registrationtmp.trafficmanager.net). Traffic manager opens the web app.
The issue I face is while adding a custom domain. I own a domain (e.g. myworkdomain.net).
I am trying to add a subdomain to the traffic manager profile (testregistration.myworkdomain.net).
testregistration.myworkdomain.net CNAME registrationtmp.trafficmanager.net
Added CNAME for my web app:
awverify.testregistration.myworkdomain.net CNAME awverify.testregistration.registration-ceus.azurewebsites.net
When trying to add the custom domain awverify.testregistration.myworkdomain.net to my web app, the web app does not validate the domain name. It always gives the option to Add Hostname.
When I try to access testregistration.myworkdomain.net, I get a 404 error.
The app service is in Standard tier. What step am I missing or doing wrong?

Azure Application Gateway with App Service Web App

I have created an application gateway with WAF (default detection mode) in an Azure Resource Group (no ASE) with an App Service Web App backendPool member/target MS link (followed instructions to the letter both via the Azure Portal and via PowerShell).
I'm not using any custom domains, just the basic config with my backendPool member being an Azure Web App, i.e. mywebapp.azurewebsites.net (the Web App is a basic ASP.NET test site which runs fine on its .azurewebsites.net address).
MS application gateway documentation states they now support App Services as backendPool targets (FQDN, which I use).
My basic httpSettings, basic listener and rule are all set up correctly as far as I'm aware (HTTP port 80).
So in essence my app gateway should listen on port 80 of the public IP attached to it and forward any incoming requests to the backendPool member (Web App).
But when I try to access the gateway's public IP (or DNS address) I keep getting an 'Azure 404 Web Site not found.' page/error.
Strangely, if I stop the Web App from the Azure portal I get a 502/bad gateway error until I restart the Web App, at which point the 404 page returns.
I don't know if I'm missing anything here. Does anyone have any suggestions at all? I cannot seem to get this working.
You probably are missing a couple of configuration elements. Backend http settings should require 'PickHostNameFromBackendAddress' flag. You should also use a custom probe which has 'PickHostNameFromBackendHttpSettings' flag set. The end to end PowerShell documentation is at link which details your scenario.
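The two flags named in the answer above, applied to an existing gateway with Az PowerShell cmdlets. This is an added example, not part of the original answer or of Microsoft's script; the resource group, gateway, probe and HTTP-setting names are placeholder assumptions.

```powershell
# Placeholder names (assumptions, not values from the thread).
$rg      = 'my-resource-group'
$gwName  = 'my-app-gateway'
$setting = 'appGatewayBackendHttpSettings'   # existing backend HTTP setting
$probeName = 'webappprobe'

$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gwName

# Treat 200-399 as healthy so an app that redirects "/" is not marked down.
$match = New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode '200-399'

# Custom probe: take the Host header from the backend HTTP setting rather
# than probing the backend address with no usable Host header.
$gw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw `
        -Name $probeName -Protocol Http -Path '/' `
        -Interval 30 -Timeout 120 -UnhealthyThreshold 3 `
        -PickHostNameFromBackendHttpSettings -Match $match
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name $probeName

# Backend HTTP setting: send the pool member's FQDN
# (e.g. mywebapp.azurewebsites.net) as the Host header and attach the probe.
$gw = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw `
        -Name $setting -Port 80 -Protocol Http `
        -CookieBasedAffinity Disabled -RequestTimeout 120 `
        -PickHostNameFromBackendAddress -Probe $probe

# Push the changed configuration to Azure.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Check that the pool member now reports Healthy instead of failing the probe.
$health = Get-AzApplicationGatewayBackendHealth -ResourceGroupName $rg -Name $gwName
$health.BackendAddressPools.BackendHttpSettingsCollection.Servers |
    Select-Object Address, Health
```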

Azure load balancing configuration with App Services

What am I trying to do
I have two Azure apps deployed as App Services. To make the rest of the post easy, let's call them "blog" and "landing_page". Both of them are hosted, so their URLs are blog.azurewebsites.net and landing_page.azurewebsites.net.
I want to configure "something" in Azure with following rules:
if user access http://mydomain/ - content of landing_page.azurewebsites.net
if user access http://mydomain/blog - content of blog.azurewebsites.net
What I tried
After reading the documentation, I had to reject Traffic Manager because it works on the DNS level. From the other two I decided to use Application Gateway, because it should work on any endpoint (any Azure internal IP address, public internet IP address, Azure VM, or Azure Cloud Service).
I configured my Application Gateway setting backend to: landing_page.azurewebsites.net. But in "Backend health" the app status is unhealthy. I tried also:
blog.azurewebsites.net - unhealthy
www.wp.pl (polish news portal) - is working
gazeta.pl (polish news portal) - is working
stapp.space (my blog) - this is same as piotrstapp.azurewebsites.net and status is unhealthy
Question :)
What did I do wrong? Maybe I should use something else on Azure? Or am I missing something?
Make sure that custom probes are turned on and configured in the HTTP settings of the WAF for your site. If you don't, the Application Gateway will try to go to the IP of the App Service Environment without passing a Host header, which won't work and will throw the probe into an unhealthy state, resulting in a "502 Gateway Proxy" error.
There is a great article here
You may want to check out Azure's application gateway path-based rules function:
Create a path-based rule for an application gateway by using the Azure portal
