Azure Application Gateway, Azure App Service and Form Based Authentication - azure

I'm migrating a complete infrastructure over to Azure; it's been slow going as there's so much to learn and for every two steps forward, there seems to be one step back.
After what seems like an eternity, I think I've got it all sorted with one exception.
The architecture is as follows:
Azure Traffic Manager ==> 2 Azure Application Gateways (geo separated) ==> Azure App Service
A custom domain is used for the traffic manager and the gateways are listening for the same domain and, when the route matches, passing on the requests down to the app service.
The actual app itself is an ASP.NET MVC application that uses forms authentication, and this is where the challenge happens.
When navigating to the public address: client.domain.com and hitting the website, it determines that the user is not authenticated and sends the browser to the login page... so far so good but, rather than using client.domain.com/login it uses the web-server dns name, so client.azurewebsites.com/login
How do I go about changing the behaviour so that it uses the external DNS name rather than the website name?
I can't set up custom domains on the app service, as the only route into the site is via the gateway, which is also the firewall.
Is there some Web Config setting I can make? I'm looking at the outbound rewrite rules but these seem to only work on tags rather than 302 redirects.
Any thoughts would be most welcome.

You need to set up custom DNS names on your web app (you can use a TXT record to verify the DNS name, so I don't see a reason why you can add it to the web app), or you can alter the code.

In order to solve this problem, I had to make a code change to the web app itself. Not ideal but it worked.
What I had to do was to extend the code that redirects an unauthenticated request to the login page by sniffing for the X-Original-Host HTTP header that the App Gateway forwards on. This contains the public-facing DNS name. If the header is present and it is on a pre-approved white-list (so as to prevent any hijacking), then redirect the user to the login page for this domain, rather than the one the server is listening on directly (so use client.domain.com rather than client.azurewebsites.com).
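One way to implement that check in ASP.NET MVC, as an added example rather than the poster's own code: a hypothetical PublicHostAuthorizeAttribute that replaces [Authorize]. The AllowedHosts list, the https scheme and the X-Original-Host header name are assumptions taken from the description above; the fallback for an unknown host is the stock AuthorizeAttribute behaviour.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical drop-in for [Authorize]: when the request is unauthenticated, redirect
// to the login page on the public host that Application Gateway reports in
// X-Original-Host, but only if that host is on an explicit allow-list.
public sealed class PublicHostAuthorizeAttribute : AuthorizeAttribute
{
    // Constructed allow-list for this example; load it from configuration in a real app.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "client.domain.com" };

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Header values are client-controlled if the app is ever reachable without the
        // gateway in front, so normalise and validate before trusting the value.
        string host = NormalizeHost(request.Headers["X-Original-Host"]);

        if (host == null || !AllowedHosts.Contains(host))
        {
            // Missing or unknown host: keep the default relative redirect to
            // FormsAuthentication.LoginUrl on whatever name the server was hit with.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // RawUrl is path + query only, so the ReturnUrl can never leave this site.
        string loginUrl = string.Format("https://{0}{1}?ReturnUrl={2}",
            host, FormsAuthentication.LoginUrl, Uri.EscapeDataString(request.RawUrl));
        filterContext.Result = new RedirectResult(loginUrl);
    }

    // Returns a bare DNS host name, or null if the header is absent or not a plain host.
    internal static string NormalizeHost(string value)
    {
        if (string.IsNullOrWhiteSpace(value)) return null;
        string host = value.Trim();
        int colon = host.IndexOf(':');
        if (colon >= 0) host = host.Substring(0, colon);   // drop any :port suffix
        return Uri.CheckHostName(host) == UriHostNameType.Dns ? host : null;
    }
}
```

Apply the attribute in place of [Authorize] on the controllers or actions that require a signed-in user; requests that arrive through the gateway with an allow-listed host get an absolute redirect to that host, everything else behaves exactly as before.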

Related

Hosting a separate app service as a website directory

Is it possible to include a separate Azure App Service as part of another App Service?
For example, let's say that I have a website called www.mycompany.com hosted in its own Azure App Service. I have another Azure App Service that I want to make accessible by going to a specific URL in the first App Service.
So in other words when a request comes to www.mycompany.com/eu/ I want the content of this endpoint (/eu) to be served from the other app service. Would a load balancer work? The reason I want to do this is because the /eu endpoint has grown too big and I would like to separate that from the main site and host it on a separate app service. I hope my question is clear.
Thanks in advance.
For this purpose you could use Application Gateway.
In a certain sense it resembles a load balancer (it is a L7 LB indeed) as you indicated, but the product provides many additional features.
The following image, extracted from the product documentation, explains how it works:
Basically, as outlined in the aforementioned docs, when describing how an Application Gateway accepts a request (note they mention WAF in the explanation, an optional security threat prevention system):
Before a client sends a request to an application gateway, it resolves the domain name of the application gateway by using a Domain Name System (DNS) server. Azure controls the DNS entry because all application gateways are in the azure.com domain.
The Azure DNS returns the IP address to the client, which is the frontend IP address of the application gateway.
The application gateway accepts incoming traffic on one or more listeners. A listener is a logical entity that checks for connection requests. It's configured with a frontend IP address, protocol, and port number for connections from clients to the application gateway.
If a web application firewall (WAF) is in use, the application gateway checks the request headers and the body, if present, against WAF rules. This action determines if the request is a valid request or a security threat. If the request is valid, it's routed to the backend. If the request isn't valid and WAF is in Prevention mode, it's blocked as a security threat. If it's in Detection mode, the request is evaluated and logged, but still forwarded to the backend server.
The routing to one backend or another can be based on URL Paths:
You can find an example of this configuration in this related Microsoft article.
In your use case, you will need to define two backends, one for every App Service, and define routing rules as appropriate.
As indicated before, your DNS should point to the Application Gateway: it will handle the routing to one or other App Service based on the route, /eu/* or /*, provided by the client.
The order of the routes is important: once a rule is matched, it will be the one processed.
Application Gateway is a regional service: Azure Front Door leverages a similar functionality (and much more) globally.
Please consider reviewing the associated costs of these services.
I am answering my own question to hopefully help others in the same situation. This was simply done using a reverse proxy. This article explains everything you need to set it up - https://ruslany.net/2014/05/using-azure-web-site-as-a-reverse-proxy/

Configuring custom domains with Azure Front Door

We have an app that allows customers to use their own custom domain to access their accounts on our app.
Currently, we are using the Azure App Services Custom Domain option & when a user shares their custom domain with us, we manually add it to the Azure Custom Domains list pointing it to their unique account URL. i.e. projects.customerdomain.com (custom domain) to customer1.anywhereapp.io (their account in our product 'Anywhere').
This approach has been working well.
We are now exploring if we can use Azure Front Door to make our app more responsive worldwide & one of the problems we are stuck at is how do we configure the custom domains of our customers to their specific Anywhere accounts?
I've gone through the official Azure FD Custom Domain documentation & I understand it allows us to add the custom domain pointing to one backend, in our case each custom domain also needs to point to a specific subdomain URL. i.e. customer1.anywhereapp.io
How do we achieve this?
Any guidance in the right direction is really appreciated.
Thanks
ST
Azure Front Door can forward the request Host header to the backend. So you can configure the custom domain both on Front Door and the App Service using DNS verification.
To do this, follow these steps:
Go to your App Service
Go to Custom Domains
Copy the Custom Domain Verification ID
Add a new DNS TXT record with the copied value: TXT asuid.projects.customerdomain.com. <verification id>
Go to your Front Door profile
Setup the Custom Domain as per the instructions on MSDN
Configure the origin as follows:
Name: <any appropriate name>
Origin Type: App services
Host name: <yourappservice.azurewebsites.net>
Origin host header: <blank> <-- leaving this empty will forward the request host header to the backend
Certificate subject name validation: Enabled
Now when a request is made to Front Door this same request is passed onto your backend including the custom domain (projects.customerdomain.com).
From the perspective of your app service, there's then no difference whether you use Front Door or not.
We've been struggling with this same issue. While Jeremy's solution sounds perfect, we are struggling with figuring out how to make it work when we have multiple app services running an app on the same domain.
For example, we have an app running in 2 separate app services/app service plans. It is the same application code. Let's say the domain is my.website.com
AppServiceEast (say its Azure non-custom domain is appserviceeast.azurewebsites.net)
AppServiceWest (say its Azure non-custom domain is appservicewest.azurewebsites.net)
They both run the app.
We've setup the front door pools/rules/etc without problem. However, we are stuck with 1 of 2 problems:
If we keep the origin host headers in place, anytime someone goes to my.website.com, their browser shows them ending up at appserviceeast.azurewebsites.net or appservicewest.azurewebsites.net
If we take those out, it should just keep passing along my.website.com - but the problem with that is that I can only make ONE of those app services have its custom domain be my.website.com. If I try to make them both work on that domain, I get stuck at the point where I'm trying to create 2 TXT records with different values for the same domain.
It feels like this has to be a common thing to want to do - setup a web app in multiple regions on ONE domain, and have Front Door split traffic between them as we see fit. However, we run into roadblocks at every turn.

how to skip validation when adding custom domain in Azure app service

When adding a custom domain to Azure App Service, the system always tries to validate your custom domain, but this is very annoying in my case.
I have a CDN service on which I have put my www. subdomain, and now I am going to move my website to Azure App Service.
Actually, I have the website up and running already on App Service, and the only thing I need to do is point the origin server address to App Service in the CDN settings.
But I need to set up a custom domain on App Service for www., otherwise it won't load.
So the worst thing is, when I try to add the www record as a custom domain, it validates whether the record really points to App Service, which is definitely not possible, because if I really switch the domain to App Service:
first, I cannot guarantee all users will get the DNS change at the same time;
second, I would then need to switch www back to the CDN after the validation, and during this period my app would work without the CDN, which would also be a problem.
So is there any way to add a custom domain without validation?
This is really stupid, I have to say.
Maybe I am stupid.
Found the way in the official MS documents.
Here is the link:
https://learn.microsoft.com/en-us/azure/app-service-web/app-service-custom-domain-name-migrate
You can set up a TXT verification record to pass the verification.

Multiple domains on 1 cloud service

I have an app which is a website builder. Let's say the app is on an Azure web role and its domain is called www.myapp.com.
I want to offer a service where users can use their custom domain with my app. So user 1 has a domain called www.user1.com, user 2 has www.user2.com, etc. Whenever someone types www.user1.com, I want them to be able to come to my app, i.e. www.myapp.com, with the browser still showing www.user1.com. You can assume I have complete access to the DNS and nameservers of these custom domains. I just need to understand how to configure this in Azure.
Not really, as it was on SSL binding of multiple custom domains on a single cloud service. I was trying to figure out how to have one app on a cloud service where content changes according to the custom domain the end user used to navigate to the website. Turns out it's easy: all that is required is CNAME config and listening to the Host header on the server-side ASPX Page_Init.

How to convert multiple web sites hosted on IIS to Azure web sites

I currently have a VPS with another provider. On that VPS, I have IIS running with multiple app pools and web sites. I would like to get out of the "server management business", so it would seem that Azure Web Sites (Reserved) would be a great fit. I'm able to get the Azure Web Sites set up, including the custom domain piece. The problem that I can't seem to figure out is how to get the same URLs and behavior that I currently have on my VPS.
For example, I have URLs that look like this right now:
www.foo.com/bar
www.foo.com/baz
wildcard.foo.com/bla
I can't find a way to mimic that in Azure.
Things I've thought of/tried:
Go with one Azure Web Site and have separate virtual directories/app pools in Azure, but googling tells me that isn't supported.
Create 3 Azure Web Sites, one for each of the above. The problem there as I see it is I would need to change to use bar.foo.com, baz.foo.com, and bla.foo.com/wildcard (i.e. lose wildcard subdomain mapping and rework things to have a custom route at the end).
Maybe have one Azure Web Site with a rewrite URL? The problem I think I'd run into there is that it all runs in one app pool, so deploying one piece will affect all 3, and obviously a fault in one app would impact the other 2.
Has anyone else gone down this path and solved it? If the answer is spin up a virtual server, I'll probably just stay where I'm at.
Considering www.foo.com/bar, www.foo.com/baz and wildcard.foo.com/bla are 3 independent web applications that share a domain (foo.com):
Create a Windows Azure Website for each web application. You don't necessarily need to assign custom domain names to them.
Create another, separate website and assign to it the *.foo.com domain using an A record. Refer to Configuring a custom domain name for a Windows Azure web site for instructions. As documented, "With an A record, you map a domain (e.g., contoso.com or www.contoso.com) or a wildcard domain (e.g., *.contoso.com) to the single public IP address of a deployment within a Windows Azure web site. The main benefit of this approach over using CNAMEs is that you can map root domains (e.g., contoso.com) and wildcard domains (e.g., *.contoso.com), in addition to subdomains (e.g., www.contoso.com)."
In this "master" website, set up URL redirection (possibly with status code 307 Temporary Redirect) so that requests go to the appropriate applications.
Alternatively, to avoid the delay of the additional request caused by the redirection, set up the "master" website as a reverse proxy that transparently forwards the request to the "inner" web application and sends the response back to the user.
As yet another alternative, use a custom DNS service to do the routing at the DNS layer.
This way, each web application is independent and you solve the issue of routing requests to the appropriate application.