Enabling Azure PaSs web app to communicate with Back office - azure

We are migrating our website on Azure platform in PaSS model. our website needs to communicate to our back office system using web services.
Currently the Back Office system is in a providers data center. and we have a firewall which enables web service communication for specific IP's
Now website going to be hosted on Azure with PaSS model, can some one please advice which IP address we need to add in whitelist of our Back office firewall.
Please note we want to set up our web app to be out-scaled to multiple instances.
will each instance will be able to communicate with out Back office ?
Regards
Umesh Deshmukh

can some one please advice which IP address we need to add in
whitelist of our Back office firewall. Please note we want to set up
our web app to be out-scaled to multiple instances. will each instance
will be able to communicate with out Back office ?
For a long-term, Hybrid Connection is much better. If you still want to know whitelist the outbound IP of web app service, you could find these possible outbound IP addresses in additional outbound IP addresses setting of the web app properties. You can't know beforehand which IP address a given app instance will use to make the outbound connection, so your back-end service must open its firewall to all the outbound IP addresses of your app. You could get more details about Inbound and outbound IP addresses in Azure App Service.

You could use Azure Service Bus Relay to connect your web app to your on-premises database that's behind the firewall. Azure service bus relay uses internet port 80 so there should be no firewall issues. Hope it helps.

Within an App Service is a feature called a Hybrid Connection, which can be found under the Networking section of the App Service you want to connect to your back office.
You will create a new Hybrid Connection via the Portal.
Complete the form with the information that pertains to the back office system you want to connect to. You should always use a Fully Qualified Domain Name for all your back office systems. If you are connecting to multiple back office systems, you will need one Hybrid Connection for each one.
A Hybrid Connection relies on a Service Bus Relay to communicate with your on-premises resources.
You will install the Hybrid Connection Manager in your on-premises systems and connect it to the Service Bus Relay you created in the portal.
Once the Hybrid Connection you create in the Portal has been connected to a Hybrid Connection Manager (called a Listener), the connection will show as Connected in the Portal.
Once connected, an application running in an App Service will be able to communicate with your on-premises resources as if they were sitting right next to each other. There is going to be some inherent latency involved with using a Hybrid Connection and this should be planned for. The latency we have seen using Hybrid Connections have been minimal and are usually barely noticeable. I have even heard that people are streaming media from on-premises systems using Hybrid Connections.
More information about Hybrid Connections can be found here.

Related

Azure: Only allow access to Web App from On-premises using VPN

I have a scenario regarding web apps on Azure that I can't wrap my head around.
I have a Web App (not ASE) that is connected to a VNET/Subnet and I have setup access restrictions on the Web App so that only traffic from that specific VNET/Subnet is allowed. This works as expected and a 403 is thrown when trying to access the web app from the internet.
My problem is that the Web App is no longer accessible from the on-premises setup anymore either, and I am unsure how to facilitate that. I don't like to use IP whitelisting to enable access, but I don't know the alternatives.
Anybody with experience on how to access a restricted Web App from an on-premises system? All the examples I could find are about accessing on-premise data from a VNET, not the other way around.
Illustration of setup:
On-premises server --> VPN Gateway in Azure --> VNET --> Web App in VNET -x-> Internet
Private Endpoints are your friends :)
I see you wanna set a S2S connection using vpn to allow access to your on-premises networks(subnets)
You should create a local network gateway representing your on-promises and also you should verify your firewall devices is supported by azure to make sure that the configuration works. Supported Vpn Devices by Azure

Remove public web access to Azure Web App

I have an existing on-premises web app that I'd like to migrate to Azure, just a basic migration to start with.
The current app is made up of two websites, a publicly facing front end web site and a private SOAP API site that is accessibly only via a VPN connection.
I can happily place the front end in a standard web app, but can't see a cheap way of hosting the SOAP API. I have used Azure Service Environments in the past, but this approach is expensive and a bit much for the early stages of this migration.
Ideally I would just host the SOAP API in an Azure Web Site and put a Gateway infront of it to manage VPN access. But I'm struggling to see if that is supported.
Is there anything else I can do here?
On the App Service hosting the API, have you looked into using the "Networking" blade to configure an IP restriction? This way you could limit access from only the IP address of your front-end.
Additional considerations:
There is no guarantee on a static IP for your front-end so you may need to consider range(s) based on what's in the DC you're app is hosted in (the IP doesn't change often but understand it's allocated from a pool that MS maintains). For this solution, you'd also need to include the IP of any client needing access for development/debug since it wouldn't use a VPN
You could also use a VNet to isolate services on the network and have more control over the configuration. Unfortunately you'd also need to deploy the app into an ASE which will add further costs. As a bonus, this would allow you to use a VPN as explained here: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
Good luck!
For example, you can create a P2S VPN from the web to Vnet, create another S2S or P2S VPN from on-premise to Vnet. And there can be an NSG associated to the Vnet, so you can manage the VPN access. I think the document Integrate your app with an Azure Virtual Network
could give you an idea. Unfortunately, you'd also need to deploy a VPN.

Connecting to an Hybrid connection served by the Hybrid connection manager

I've made a couple of tests and, as far as I've understood, Azure Relay requires the listener to explicitly connect to the bus. In our scenario, we would like to use it from a VM in Azure (or a different system on Internet) to connect to an existing On-Premise resource that cannot be modified to support Hybrid connections. I've tested also the Hybrid Connection manager and I wasn't able to find any documentation on how to create a client that connects to a Hybrid connection that routes the traffic to the target system by using the Hybrid Connection manager. It works from an Azure Web app, but they are not a viable solution in our scenario.
Is it possible to use the Hybrid connection manager from outside an azure web app?
I've digged two days more to find an answer and from this article, it seems it's not possible:
https://learn.microsoft.com/en-us/azure/biztalk-services/integration-hybrid-connection-overview
Hybrid Connections provide an easy and convenient way to connect the
Web Apps feature in Azure App Service (formerly Websites) and the
Mobile Apps feature in Azure App Service (formerly Mobile Services) to
on-premises resources behind your firewall.
And it sounds correct since they requires some adjustments at network level that are made under the hood by Azure: the mobile app makes a specific dns query and the azure internal dns returns a 'ghosted' ip that offers an entrance to the hybrid connection tunnel at the requested port. The hybrid connection then 'forwards' the tcp stream to the on-premise hybrid connection manager that proxy the request toward the real ip of the service. In this way, hybrid connections does not breaks any SSL connections since the target dns host is the same of the final SSL endpoint.
However, digging a bit more, i've found two examples that offer a pre-elaborate that it's helpful in my scenario:
Hybrid Connections Reverse Proxy
https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/hcreverseproxy
Port Bridge
https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/portbridge

Azure VPN Configuration - Connect to existing VPN

I'm trying to connect my Azure Web App to an Existing VPN.
To connect to this VPN I must give to the admin some configurations, but I'm not sure of HOW can I provide them from Windows Azure.
As far as I have understand is all about creating the Virtual Network and the "connect it".
Like:
Create Virtual Network
Create Public Gateway
Create Local Gateway
Connect something somehow
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
In my specific case, for the configuration, are required a lot of parameter that I don't know how / where to find:
VPN Endpoint IP
IKE (Encryption type, Authentication Method, Diffie-Hellman Group, Sec Lifetime, Preshared secret)
IPSEC (Perfect Forward Secrecy)
Network profile
In the docs there is a link to Check Point NGX and Microtik so I check out this tutorial:
https://blogs.technet.microsoft.com/netgeeks/2017/07/11/creating-a-site-to-site-vpn-ipsec-ikev2-with-azure-and-mikrotik-routeros/
But how can I get this parameter to perform the connection? Do I need to install extra software on my WebApp? How can I include my web app in the VPN?
And, is there any simplify way for Web App that does not include creating the whole infrastructure?
Thanks in advance
As EvilSnobu said, you can use Hybrid connections to connect your Azure APP service and your on-premises.
Hybrid Connections can be used to access application resources in other networks.
My understanding is that you have Azure Web App and you need to
connect to an on-premises network via VPN?
You are right, the Hybrid connection feature requires a relay agent in the network that hosts your Hybrid Connection endpoint.
You should download and install Hybrid connection manager (HCM) on your local machine and use it to connect to that app service.

Web Apps behind Azure Application Gateway - what is the IP of outgoing requests

I have multiple web apps on Azure that I want to put behind an Application Gateway in order to use a single domain name with path routing.
However, my web apps needs to connect to a db outside of Azure. So I wonder what will the IP of the requests from these web apps to the db would be? I hope it will be the gateway public IP so I only have to authorize one IP at my db provider but I don't find any docs to confirm it (or not).
So I wonder what will the IP of the requests from these web apps to
the db would be?
If you want your web apps to connect a database outside Azure, you may need App service Environment. Because the Web Apps need VNet to connect other resources. Also, due to the date base is outside Azure , you need to create VPN gateway to connect it. This connection is between the Web App and the database, not Application Gateway and Database.
So, the IP of requests from those Web Apps is not the IP of Application Gateway, It depends on the VNet in App Service Environment.
This picture explains how this environment works:
I hope it will be the gateway public IP so I only have to authorize
one IP at my db provider but I don't find any docs to confirm it (or
not).
Also, if you still want to use one IP to connect other resources, you can also add Internal Loadbalancer to achieve that.
You can see more details about Integrating your ILB ASE with an Application Gateway to help your deploy resources.
Please let me know if this answer helps.
I would suggest using the Azure Web App's Hybrid connection. This provides a TCP tunnel in a secured fashion between your azure web app and your SQL db. There is a service bus in between and you have to install the relay agent in your network that does the outgoing communication to this service bus.
Hybrid connection diagram
Details are at:
https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
The app gateway's public IP address can't be leveraged nor is it necessary to manage connections between Azure Web Apps and databases outside of Azure. The web apps have their own IP addresses.
On another note, my blog post may be useful to understand how the architecture and configuration between app gateway and azure web app.

Resources