I am trying to setup IP restrictions in Azure for both an App Service and a Web App. From the documentation here https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions I got the impression that setting the IP restriction on an App Service level should be sufficient and cover all possible Web Apps that the App Service might contain.
However, I find myself having to setup IP restrictions on both levels e.g. App Service and Web App.
Does anyone know if it's possible to setup IP restrictions on an App Service level and have it "apply" for all Web Apps?
Related
I have been messing around with Azure trying to get a web app up and running. My plan was to create a WAF and site the web app behind that, each in a seperate subnet and then to use the service endpoint tech to point the web app to a database.
I have been stopped in my tracks almost straight away with the revelation that if i want to use a WAF in front of the web app i have to configure the networking in the web app but when i choose a vnet it says that no gateway is configured for the selected VNET.
My question being is do i have to use point to site VPN to get this setup working? i thought that it would work like
INTERNET ---> VNET ----> subnet ----> WAF -----> subnet -----> web app ----> service endpoint ------> DB
but that doesnt seem to be the case. I am not keen on the idea of having to install a client certificate on every machine in our network that might want to access this website (it is currently internal). I suppose i am looking for the best of both worlds. Accessible from the internet but having the added comfort of having something like a WAF sat in front of it to make up for any security inadequacies which might exist somewhere in said app.
Thanks
As far as I know, you could not deploy a web app in a VNet unless you are using the App Service Environment(Isolated). App VNet integration could not do it. It allows you to securely access resources in a VNet. For example, you have a database on an Azure VM in a private VNet. You could not access it from Azure web app to this database if this database is not available publicly, but you could reach it via app VNet integration.
VNet service endpoints is another different service. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. If you enable such service endpoint like Azure SQL database( which differs from the database on Azure VMs) in a VNet, this means only the resource in these authorized VNets could access your SQL database unless you add an exclusion like the public IP address in the firewall of the database.
In this case, you could put a Public facing Azure app gateway at the high level of the web app service, then add the Azure app gateway public IP in the IP restriction of the web app.This will restrict to access to web app via Azure web app gateway over the Internet. Also, you could control the network inbound and outbound in Azure app gateway subnet NSG. See Network security groups on the Application Gateway subnet if you want to add an NSG to the app gateway subnet level. I think these are enough if you just want to create a WAF and site the web app behind that.
Furthermore, if you want to let web app privately access the Azure SQL database. You could deploy a web app in an ASE, then enable the VNet service endpoint for Azure SQL database. App VNet integration does not need to use it with the service endpoint.
If you want to use Azure WAF with Azure App Service (multi-tenant) you can, you just need to ensure you are supplying the host header with your request.
If you want you Azure Web App on a VNet, you will need to run your Azure Web App on an App Service Environment (Isolated). This version of Azure Web App is more expensive but allows you to apply NSG's to the VNet to fully control access to your web app. Personally I think WAF w/ Azure App Service (multi-tenant) should meet your needs.
We have it all documented here:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview
https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal
I have an environment setup with multiple azure web apps across multiple Azure service plans.
I'm now retrospectively trying to add an azure WAF between the wider internet and the websites.
I have created a WAF, but am now struggling to understand whether it is currently possible to continue to use the *.azurewebsites.net app addresses and route traffic through the WAF?
Is it possible to use the built in *.azurewebsites.net app service addresses as the external entry point to the Azure WAF?
I think I understand your question, what you need to do is route the traffic to the application gateway add azure web app as the backend to the application gateway.
https://learn.microsoft.com/en-us/azure/application-gateway/create-web-app
you cannot azure *.azurewebsites.net as an endpoint for application gateway
In a typical 3-Tier web app, you run web servers in public subnet, while app tier lives in private subnet. Is it possible to run similar architecture with Azure Web apps and Api apps?
I guess you can run Asp.NET Core Web App in Azure Web App and Deploy AspNet Core Web Api to Azure Api App, then make Api end point private so only Web app can talk to it? I see options like Google, Facebook et. as auth providers. Is that what you have to do to make API private?
D.
If you want that level of isolation, one (although expensive) option is an App Service Environment (ASE). Link to docs: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro
App Service Environments are ideal for application workloads requiring:
Very high scale
Isolation and secure network access
The public environment where you deploy by default is public. Your endpoints will be accessible to anyone anywhere, and it is up to your app to do the filtering. This can be done, e.g. through static IP address security settings in Web.config. The problem with that is that even then you can't know for sure what IP address your front-end will use for communication. There are multiple possible addresses it may use for outbound traffic, and those are subject to possible change.
You can see an example of IP restrictions here: restricting IP security
Of course you should also have authentication set up on your API. Documentation links:
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://learn.microsoft.com/en-us/azure/app-service-api/app-service-api-authentication
In line with what #juunas said above and a slight variant is to introduce Azure API Management Gateway in between Azure web app and Azure Api app. In standard tier API Gateway the IP address is fixed and doesn't change and you can use the API Gateway address in Azure API App web.config to whitelist.
I have a .NET Web Api project with several REST endpoints that I only want accessed by resources from within an Azure virtual network I have created. Resources such as Azure Functions and Azure Web Roles will access these endpoints only. In other words, I do not want the endpoints publicly available.
So, I configured the Web Api application with my virtual network but apparently I also need to add the Web Api application to an Application Service Environment (which are quite costly from what I have read). To quote the Azure documentation:
VNET Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network.
Do I indeed need to use an Application Service Environment and just deal with the costs or is there another way I can achieve what I want?
I do not want the endpoints publicly available.
Until now, Azure web app only supports for using an internal load balancer with the app service environment feature. If you want to make your Web API can only be accessed internally. An app service environment is required.
If you don't want to move your Web API to app service environment and your Azure function and web role have fixed ip addresses, you could configure the IP whitelist using ipSecurity configuration in your web API. For more information of ipSecurity, link below is for your reference.
IP and Domain Restrictions for Windows Azure Web Sites
Recently, I deployed a web application using Azure App Service. It's in the free tier service plan. I would like to access the logs of this web application and the IP address of the users who accessed my web application. How to find this information?
You'll need to enable Application Insights and use Web server telemetry
https://learn.microsoft.com/en-us/azure/application-insights/app-insights-data-retention-privacy
https://learn.microsoft.com/en-us/azure/application-insights/app-insights-asp-net