Denylist client IP in Azure Application Gateway - azure

We are using Azure Application Gateway for our site, and we are getting a few people scraping our site. We want to block their IPs at the gateway level, as we don't want to configure the same blocks in every web service.
We cannot find a way of blocking IPs using only the gateway or its virtual network. Has anybody had the same problem and can illuminate our path?

You could deploy the Application Gateway in a virtual network. If so, you will have a dedicated subnet for this Application Gateway; this subnet can only contain Application Gateways. You could associate an NSG with this subnet. If so, you could restrict inbound and outbound traffic for this Application Gateway subnet via inbound or outbound security rules in the NSG. In this case, you could add an inbound security rule to denylist your clients' IPs.
Refer to the doc, Note:
Network Security Groups (NSGs) are supported on the application gateway subnet with the following restrictions:
• Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU and ports 65200-65535 for the v2 SKU. This port range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.
• Outbound internet connectivity can't be blocked.
• Traffic from the AzureLoadBalancer tag must be allowed.
Hope this helps.


Is there a VPN solution in Azure that can assign a static public IP to the clients connected for me to achieve full tunnelling? may be in P2S VPN?
P2S VPN does not have full tunneling. Is there any other alternative solution?
• No, you can’t assign a static public IP address to the clients for a VPN solution in Azure as the client address pool that needs to be defined while deploying a VPN gateway in Azure is a subnet of the IP address spaces that the virtual network is created out of.
But you can configure forced tunnelling in your Azure virtual network on your VPN gateway subnets as illustrated below. In the image below, forced tunnelling is shown for a Site-to-Site VPN scenario, but it can also be implemented for Point-to-Site VPN scenarios in the same way. The Frontend subnet is not force tunneled. The workloads in the Frontend subnet can continue to accept and respond to customer requests from the Internet directly. The Mid-tier and Backend subnets are force tunneled. Any outbound connections from these two subnets to the Internet will be forced or redirected back to an on-premises site via one of the Site-to-Site (S2S) VPN tunnels as shown below.
This allows you to restrict and inspect Internet access from your virtual machines or cloud services in Azure, while continuing to enable the multi-tier service architecture you require. If there are no Internet-facing workloads in your virtual networks, you can also apply forced tunneling to the entire virtual network.
• Also, please note that you can configure the above for your P2S clients by securing the Internet traffic via Firewall Manager and advertising the 0.0.0.0/0 route to your VPN clients. This makes your clients send all Internet-bound traffic to Azure for inspection. Then, the firewall SNATs the packet to the PIP of Azure Firewall for egress to the Internet. For this purpose, set up the Azure Firewall Policy to allow P2S traffic to the Internet. To advertise all traffic (0.0.0.0/0) to your VPN clients, you need to break it into two smaller subnets, 0.0.0.0/1 and 128.0.0.0/1, as mentioned in the documentation below:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling
Also, you can add the code below to your ‘azurevpnconfig.xml’ file, which can be downloaded directly from the templates section, if the above-mentioned subnets cannot be added in ‘Default Routes’ on the portal.
<clientconfig>
  <includeroutes>
    <route>
      <destination>0.0.0.0</destination><mask>1</mask>
    </route>
    <route>
      <destination>128.0.0.0</destination><mask>1</mask>
    </route>
  </includeroutes>
</clientconfig>

Azure Internal ASE with Firewall

I am running a Linux container as a web app in an internal ASE.
The ASE is deployed to a VNet (secondary VNet) which is peered to another VNet (primary VNet) where an Azure Firewall exists.
1. I have enabled service endpoints to SQL, Storage, and Event Hub on the ASE subnet.
2. From the Azure Firewall UI > Rules > Application rule collection, set the App Service Environment FQDN tag and the Windows Update tag.
3. From the Azure Firewall UI > Rules > Network rule collection, set the port to 123. Created another rule the same way for port 12000 to help triage any system issues.
4. Created a route table with the management addresses from the App Service Environment management addresses document with a next hop of Internet, and set 0.0.0.0/0 directed to the network appliance (firewall internal IP address).
5. Created application rules to allow HTTP/HTTPS traffic (Note: the address is the IP of the ILB of the internal ASE, since I can't find an IP for the web app itself).
I don't seem to be able to reach the web app. Any guidance will be appreciated. Is the problem that I created an internal ASE?
I am trying to isolate the ASE and control external access to it via a firewall.
MS Docs I referenced: https://learn.microsoft.com/en-us/azure/app-service/environment/firewall-integration
Yes, I think it's a problem with the internal ASE. Also, the referenced document is intended to lock down all egress from the ASE VNet. Inbound management traffic for an ASE cannot be sent through a firewall device.
There are a number of inbound dependencies that an ASE has. The inbound management traffic cannot be sent through a firewall device. The source addresses for this traffic are known and are published in the App Service Environment management addresses document. You can create Network Security Group rules with that information to secure inbound traffic.
In addition, since it's an internal ASE, it is deployed in your VNet with an ILB. You cannot directly access its backend web app over the Internet; you need at least a public-facing IP address (external VIP) or another public-facing service (a public Azure Application Gateway) in front of it.
It will look like this:

Azure App Gateway V2 cannot be configured with NSG

I have provisioned an App Gateway with the WAF V2 SKU. Then I configured the backend pool to point to a WebApp and added IP restrictions to allow only traffic from the WAF IP. Then I attempted to add an NSG to the provisioned subnet to further restrict traffic to the frontend IP address. I am getting an error (see below). Per the Application Gateway FAQ this should be possible, but I am having trouble. Here are the details of the deployment error:
Network security group /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/networkSecurityGroups/BannerCIDRNsg blocks incoming internet traffic on ports 65200 - 65535 to subnet /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/virtualNetworks/dbt-sc-platform-rg/subnets/default, associated with Application Gateway /subscriptions/49c19f96-135d-4599-ae34-fd9087ce2bf8/resourceGroups/dbt-sc-platform-rg/providers/Microsoft.Network/applicationGateways/dbt-sc-appgw. This is not permitted for Application Gateways that have V2 Sku.
The error message says that you need to allow incoming internet traffic on ports 65200-65535 to subnet 'default' in your network security group 'BannerCIDRNsg'.
Per the Application Gateway FAQ, you can whitelist Application Gateway access to a few source IPs.
This scenario can be done using NSGs on the Application Gateway subnet. The following restrictions should be put on the subnet in the listed order of priority:
1. Allow incoming traffic from the source IP/IP range.
2. Exceptions must be put in for incoming traffic on ports 65503-65534 for the Application Gateway V1 SKU and ports 65200-65535 for the V2 SKU. This port range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.
3. Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the NSG.
4. Block all other incoming traffic with a Deny all rule.
5. Allow outbound traffic to the internet for all destinations.
I want to add to Nancy's answer that actually, as per the documentation, there is no need to allow traffic on Any protocol. Allowing TCP traffic is enough.
There is also no need to allow traffic from Any source; it is sufficient to allow traffic from the GatewayManager service tag.
You must allow incoming Internet traffic on TCP ports 65503-65534 for the Application Gateway v1 SKU, and TCP ports 65200-65535 for the v2 SKU, with the destination subnet as Any and source as the GatewayManager service tag. This port range is required for Azure infrastructure communication.
So, I created the security rule as follows:
It should also be noted that:
These ports are protected (locked down) by Azure certificates. External entities, including the customers of those gateways, can't communicate on these endpoints.
I was getting the error message "Subnet associated to gateway with v2 sku" when trying to associate a subnet containing a Gateway V2 WAF with an existing NSG.
Strangely, though, it was no problem navigating to the VNET -> Subnet, clicking the given subnet, and then associating the NSG with that subnet.
To associate an NSG with the subnet containing an application gateway, allow traffic from
source: 'GatewayManager', source port: Any, to destination: 'GatewayManager' service tag, destination port: 65503-65534.
Traffic from the AzureLoadBalancer tag with the destination subnet as Any must be allowed.
Note: just be cautious that you don't add a deny rule before these inbound rules, so give them a low priority number to avoid accidental misconfiguration.
Also, outbound Internet connectivity can't be blocked.
Reference: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#network-security-groups
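The NSG rule ordering described in the first answer (denylisting client IPs on the gateway subnet) and in the answers to this question (GatewayManager and AzureLoadBalancer allows placed before any deny) can be checked before deployment. The following is an added example, not code from any of the posts above; it builds the rule set as plain dictionaries in the ARM securityRules field shape and then replays the NSG's first-match evaluation against the SKU's infrastructure port range, reproducing the "blocks incoming internet traffic on ports 65200 - 65535" condition from the error message. Rule names, priorities, and the sample CIDRs are constructed for the example.

```python
# Inbound ports Azure infrastructure needs on the gateway subnet, per SKU (from the answers above).
INFRA_PORTS = {"v1": (65503, 65534), "v2": (65200, 65535)}
# Azure's built-in inbound default rules, evaluated after every custom rule.
DEFAULT_INBOUND = [
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def rule(name, priority, access, src, ports, protocol="Tcp"):
    """One inbound NSG rule, in the field shape ARM/Bicep securityRules use."""
    return {"name": name, "priority": priority, "access": access, "direction": "Inbound",
            "protocol": protocol, "sourceAddressPrefix": src, "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": ports}

def appgw_inbound_rules(sku, allowed_clients=("Internet",), denied_clients=()):
    """Infrastructure allows first, then the client denylist, then client allows (HTTPS only);
    anything else falls through to Azure's DenyAllInBound."""
    lo, hi = INFRA_PORTS[sku]
    rules = [rule("AllowGatewayManager", 100, "Allow", "GatewayManager", f"{lo}-{hi}"),
             rule("AllowAzureLoadBalancer", 110, "Allow", "AzureLoadBalancer", "*", "*")]
    # Denies get lower priority numbers than the client allows, so they are evaluated first.
    for i, cidr in enumerate(denied_clients):
        rules.append(rule(f"DenyClient{i}", 200 + i, "Deny", cidr, "*", "*"))
    for i, src in enumerate(allowed_clients):
        rules.append(rule(f"AllowClient{i}", 300 + i, "Allow", src, "443"))
    return rules

def _ports(spec):
    """Expand '*', '443' or '65200-65535' into a range of port numbers."""
    if spec == "*":
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def blocked_infra_ports(rules, sku, tag="GatewayManager"):
    """Ports in the SKU's required range that this NSG denies to GatewayManager (empty = deployable)."""
    lo, hi = INFRA_PORTS[sku]
    ordered = sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"])
    blocked = []
    for port in range(lo, hi + 1):
        for r in ordered:  # first matching rule wins, as in a real NSG
            src_ok = r["sourceAddressPrefix"] in ("*", "Internet", tag)  # a client CIDR never matches
            if src_ok and r["protocol"] in ("*", "Tcp") and port in _ports(r["destinationPortRange"]):
                if r["access"] == "Deny":
                    blocked.append(port)
                break
    return blocked
```

An NSG that only allows a client CIDR, like the one in the error message, reports the whole 65200-65535 range as blocked because the traffic falls through to DenyAllInBound; a deny rule placed at a lower priority number than the GatewayManager allow fails the same way.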

Azure network security group and Application Gateway

I have the following Azure setup:
An Application Gateway load balancer with its own VNet.
Two VMs in the Application Gateway backend pool, which have their own VNet and a network security group applied to the VMs.
Main problem:
How can I instruct the network security group to allow HTTP/HTTPS traffic only from the Application Gateway?
What I've tried:
a) Added an inbound rule in the network security group with the source tag AzureLoadBalancer. It is not working; the probes are telling me that the VMs are in an unhealthy state.
b) I've peered the two VNets and added an inbound rule having the source tag VirtualNetwork. Same as above, the probes are telling me that the VMs are in an unhealthy state.
c) I've added an inbound rule in the NSG to allow traffic only from the public IP of the Application Gateway. This is working fine; the probes see the VMs in a healthy state.
The only problem is that the public IP address of the Application Gateway is dynamic and it cannot be made static.
So when the IP changes, my rule will not work.
I am curious to find out how to make this setup work.
All the examples I saw on the Azure documentation site are with one single VNet with multiple subnets.
If there is an NSG on Application Gateway subnet, port ranges 65503-65534 should be opened on the Application Gateway subnet for Inbound traffic. These ports are required for the backend health API to work.
I've copied the above sentence verbatim from this document: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics
... as I ran into the same issue. After adding the above to my NSG, my health-check probes worked.
The only problem is that the public IP address of the application gateway is dynamic and it cannot be made static.
You are right; for now, we can't set the application gateway public IP to static.
And we can't add NSG inbound rules with the application gateway FQDN.
As a workaround, we can use internal IPs as backend pool members and connect them with VNet peering or a VPN gateway.

Why does Azure Application Gateway require an empty subnet

When I try to execute New-AzureRmApplicationGatewayIPConfiguration to create an application gateway, I get an exception:
Subnet xxx cannot be used for application gateway yyy since subnet is not empty.
I encountered this error when I tried to add the application gateway to the same subnet as the backend servers.
Why is this not an option? Does each gateway require a separate subnet? What is the recommended configuration?
Related questions:
The documentation says backend servers can be added when they belong to the virtual network subnet. How can a back-end server belong to the virtual network subnet of the application gateway if the application gateway must be in a separate subnet?
How can the application gateway be configured without requiring a public IP address on the backend servers?
The application gateway must be in a subnet by itself, as explained in the documentation, hence the reason it is not an option. Create a smaller address space for your application gateway subnet (CIDR 'x.x.x.x/29') so you're not wasting IP addresses unnecessarily.
It's a good practice to strive for a multi-tier network topology using subnets. This enables you to define routes and network security groups (i.e., allow port 80 ingress, deny port 80 egress, deny RDP, etc.) to control traffic flow for the resources in the subnet. The routing and security group requirements for a gateway are generally going to be different from the routing and security group requirements of other resources in the virtual network.
I had the same issue: my virtual network was 10.0.0.0/24, which was not allowing me to create a separate subnet. I solved the issue by adding another address space to the Azure virtual network, e.g. 10.10.0.0/24, then created a new subnet so that the application gateway was happy to work with the backend servers.
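The two answers above come down to finding a free block for a dedicated gateway subnet (a /29 as the first answer suggests) and, when the existing address space is already consumed, adding another one. The following is an added example, not code from either answer, that does that planning with the standard library: it searches the VNet's address spaces for the first /29 that overlaps no existing subnet, and reports the usable host count after Azure's five reserved addresses per subnet. The address spaces and subnets passed in are constructed sample input.

```python
import ipaddress

# Azure reserves 5 addresses in every subnet (the first four and the last), so a /29 leaves 3 usable.
AZURE_RESERVED_PER_SUBNET = 5

def usable_hosts(prefix_len):
    """Addresses left for resources in an Azure subnet of the given prefix length."""
    return max(2 ** (32 - prefix_len) - AZURE_RESERVED_PER_SUBNET, 0)

def free_subnet(address_spaces, used_subnets, prefix_len=29):
    """First /prefix_len block inside the VNet's address spaces that overlaps no existing subnet, else None."""
    used = [ipaddress.ip_network(s) for s in used_subnets]
    for space in map(ipaddress.ip_network, address_spaces):
        if space.prefixlen > prefix_len:
            continue  # the whole space is smaller than the block we need
        for candidate in space.subnets(new_prefix=prefix_len):
            if not any(candidate.overlaps(u) for u in used):
                return str(candidate)
    return None  # no room: add another address space to the VNet, as the last answer did

if __name__ == "__main__":
    # Constructed example: a /24 VNet whose only subnet already takes the whole range,
    # then the same VNet after a second address space has been added.
    print(free_subnet(["10.0.0.0/24"], ["10.0.0.0/24"]))
    print(free_subnet(["10.0.0.0/24", "10.10.0.0/24"], ["10.0.0.0/24"]))
    print(usable_hosts(29), "usable addresses in a /29")
```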
