I have configured an Azure Web Application Firewall in front of my App Service and it is successfully passing requests through. I have followed the instructions at the following Microsoft docs.
I have the following configuration:
Custom domain: test.[customdomain].com the DNS records points to the public IP configured against the WAF. The custom domain is also configured on the Web App.
The WAF has a backend pool which is configured to use "IP Address or FQDN" with the following record:
[customwebsite].azurewebsites.net
When I navigate to test.[customdomain].com I am successfully receiving the website, however it appears as though the WAF is rewriting the request when forwarding to the App Service.
As such, my App Service receives the request and it has the URL [customwebsite].azurewebsites.net, instead of test.[customdomain].com.
Is this intended? Reviewing the multi-tenant documentation it should not be rewriting the host by default?
The solution was to ensure you do not use the option -PickHostNameFromBackendAddress when specifying the New-AzureRmApplicationGatewayBackendHttpSettings. I should have noticed, but this setting tells the WAF to rewrite using the addresses specified in the BackendHttpSettings.
You also then need to reconfigure your probe to specify manual hostnames. e.g. do not specify -PickHostNameFromBackendHttpSettings when setting AzureRmApplicationGatewayProbeConfig.
For me what has worked is in the HTTP Settings to make sure -PickHostNameFromBackendAddress is NOT selected. Also the interface doesn't let you set the -HostName, so drop to PowerShell and set the -HostName and the probe like this:
# Load the gateway object, then the probe that the HTTP settings will reference
$GW = Get-AzureRmApplicationGateway -ResourceGroupName "MY-APP-WAF-RG" -Name "APP-WAF"
$PROBE = Get-AzureRmApplicationGatewayProbeConfig -ApplicationGateway $GW -Name "my-api-https-probe"
# Fix the Host header to the custom domain (no -PickHostNameFromBackendAddress)
Set-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $GW -Probe $PROBE -HostName "my-api.example.org" -CookieBasedAffinity "enabled" -AffinityCookieName "AGAffinity" -Protocol "HTTPS" -Port 443 -Name "my-api-https-settings"
# Commit the in-memory changes to Azure
Set-AzureRmApplicationGateway -ApplicationGateway $GW
Also on the probe I have the -PickHostNameFromBackendHttpSettings selected.
Using the above way I have two web apps with custom domain and SSL configured behind the WAF.
Terrible experience setting this up.
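Before changing anything it helps to see which HTTP settings and probes on a gateway are actually rewriting the Host header. The audit script below is an added example, not code from either answer above; it assumes the AzureRM module and uses placeholder resource-group and gateway names.

```powershell
# Added example: audit an Application Gateway for Host-header rewriting.
# Assumptions: AzureRM module is installed; names below are placeholders.
$rgName = "MY-APP-WAF-RG"   # placeholder resource group
$gwName = "APP-WAF"         # placeholder gateway name

$gw = Get-AzureRmApplicationGateway -ResourceGroupName $rgName -Name $gwName

# A setting with PickHostNameFromBackendAddress = $true forwards the backend
# FQDN (e.g. *.azurewebsites.net) as the Host header; a fixed HostName keeps
# the custom domain the client requested.
$gw.BackendHttpSettingsCollection |
    Select-Object Name, Protocol, Port, HostName, PickHostNameFromBackendAddress |
    Format-Table -AutoSize

# Probes: with PickHostNameFromBackendHttpSettings = $false and no Host, a
# multi-tenant App Service cannot match the request to a site and the probe
# fails, which surfaces to clients as 502 from the gateway.
$gw.Probes |
    Select-Object Name, Protocol, Path, Host, PickHostNameFromBackendHttpSettings |
    Format-Table -AutoSize

# Flag settings that rewrite the Host header without a fixed HostName.
$rewriting = $gw.BackendHttpSettingsCollection |
    Where-Object { $_.PickHostNameFromBackendAddress -eq $true -and -not $_.HostName }
if ($rewriting) {
    Write-Warning ("These HTTP settings forward the backend FQDN as Host: " +
        ($rewriting.Name -join ", "))
}
```

Run it before and after a change; the warning disappears once every setting that serves a custom-domain listener carries an explicit HostName instead of the pick-from-backend switch.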
I have DNS records for a web-app service, also hosted with Azure.
The site works if I do not prepend www to the URL and sends back the following page if I do prepend it:
Here is my A record (I saw something about creating this):
I have looked everywhere; I cannot find any good answers.
In other DNS management services I would just do this:
but I cannot do that here.
You should set a CNAME to your Azure websites URL:
New-AzDnsRecordSet -ZoneName contoso.com -ResourceGroupName "MyAzureResourceGroup" `
-Name "www" -RecordType "CNAME" -Ttl 600 `
-DnsRecords (New-AzDnsRecordConfig -cname "contoso.azurewebsites.net")
This looks like it is useful. It provides the full process:
https://learn.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
I have 2 web apps behind Application Gateway. I am trying to access by http://<aap_gateway_pub_ip>/web1 should go to http://webapp1.azurewebsites.net and http://<aap_gateway_pub_ip>/web2 should go to http://webapp2.azurewebsites.net. I have defined path based rule like:
$web1PathRule = New-AzureRmApplicationGatewayPathRuleConfig -Name web1pathrule -Paths "/web1" -BackendAddressPool $regbackendpool -BackendHttpSettings $poolSetting
$web2PathRule = New-AzureRmApplicationGatewayPathRuleConfig -Name web2pathrule -Paths "/web2" -BackendAddressPool $accbackendpool -BackendHttpSettings $poolSetting
$urlpathmap = New-AzureRmApplicationGatewayUrlPathMapConfig -Name urlpathmap -PathRules $web1PathRule, $web2PathRule -DefaultBackendAddressPool $defaultPool -DefaultBackendHttpSettings $poolSetting
$urlRoutingRule = New-AzureRmApplicationGatewayRequestRoutingRule -Name routingrule-001 -RuleType PathBasedRouting -HttpListener $defaultlistener -UrlPathMap $urlpathmap
The issue is that when I directly access http://<aap_gateway_pub_ip>, the request goes to the default pool, which is the web1 backend pool, and opens the web1 app. But when I access http://<aap_gateway_pub_ip>/web1, it returns a 404 error.
What additional configuration is required to make this work?
I also got stuck on this problem for a day, and trust me, Microsoft should think about adding clearer instructions.
The thing is, when you access the base address of the frontend IP like this: http://<aap_gateway_pub_ip>
It simply replaces the frontend IP with the backend-pool web app IP, so the request sent to the web app is something like http://webapp1.azurewebsites.net and it works.
The problem starts when you create a path-based rule and configure it like this: http://<aap_gateway_pub_ip>/web1 -> http://webapp1.azurewebsites.net
What the app gateway does is simply replace the frontend IP with the backend IP.
So the request sent to backend is
http://webapp1.azurewebsites.net/web1
and if your backend web app does not contain that page in the website then it will throw a 404 error.
So there are 2 solutions for that:
1> Edit the HTTP setting of the rule and add a '/' in the "override backend path"
2> The other approach is to actually drive the path-based rule in such a way that the final path (like web1 in your case) actually exists in the backend server or web app.
Please follow the additional backend HTTP settings and probe configuration for integration with Web Apps to work correctly. The documentation is here.
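The first solution (override backend path) can be done entirely in PowerShell, where the portal's "override backend path" field is the -Path parameter of the backend HTTP settings. The script below is an added example, not the answerer's code; it assumes the AzureRM module, an existing gateway with two backend pools and a listener, and uses placeholder names throughout.

```powershell
# Added example: path-based routing to two App Services with the backend path
# overridden to "/", so http://<gateway>/web1 reaches the App Service as "/".
# Assumptions: AzureRM module; gateway, pool and listener names are placeholders.
$gw = Get-AzureRmApplicationGateway -ResourceGroupName "MY-RG" -Name "MY-AGW"  # placeholders

# Probe: take the Host header from the HTTP settings so each App Service
# answers its own probe.
$gw = Add-AzureRmApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "webapp-probe" `
    -Protocol Http -Path "/" -Interval 30 -Timeout 30 -UnhealthyThreshold 3 `
    -PickHostNameFromBackendHttpSettings
$probe = Get-AzureRmApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "webapp-probe"

# HTTP settings: -Path "/" is the "override backend path" field from the portal;
# the Host header follows the pool's *.azurewebsites.net address.
$gw = Add-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $gw -Name "webapp-http" `
    -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30 `
    -Path "/" -PickHostNameFromBackendAddress -Probe $probe
$settings = Get-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $gw -Name "webapp-http"

# Existing pools and listener (placeholder names).
$pool1    = Get-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name "web1-pool"
$pool2    = Get-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name "web2-pool"
$listener = Get-AzureRmApplicationGatewayHttpListener -ApplicationGateway $gw -Name "default-listener"

# Match both the bare prefix and everything under it.
$rule1 = New-AzureRmApplicationGatewayPathRuleConfig -Name "web1" -Paths "/web1", "/web1/*" `
    -BackendAddressPool $pool1 -BackendHttpSettings $settings
$rule2 = New-AzureRmApplicationGatewayPathRuleConfig -Name "web2" -Paths "/web2", "/web2/*" `
    -BackendAddressPool $pool2 -BackendHttpSettings $settings

$gw = Add-AzureRmApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name "pathmap" `
    -PathRules $rule1, $rule2 -DefaultBackendAddressPool $pool1 -DefaultBackendHttpSettings $settings
$pathMap = Get-AzureRmApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name "pathmap"

$gw = Add-AzureRmApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "path-rule" `
    -RuleType PathBasedRouting -HttpListener $listener -UrlPathMap $pathMap

# Commit all of the above to Azure.
Set-AzureRmApplicationGateway -ApplicationGateway $gw
```

With the override in place a request for /web1/page is forwarded to the backend as /page, so the App Service no longer has to know the gateway-side prefix; if the app itself is deployed under a sub-path, drop the -Path override and use the second solution instead.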
I have set up a new Application Gateway following the MS document. I have configured the backend pool; it is connected to an App Service via FQDN. Somehow I receive a 502 immediately every time I browse to the Application Gateway. Browsing to the website directly works with no issues.
I have resolved this issue. Here is the solution.
If you have web apps in your backend pools you CAN'T set up the health probes via Azure portal.
You need to set them up via resource templates or PowerShell. The key is that you need to leave the host field empty and set the -PickHostNameFromBackendAddress property.
The two lines below did the magic to make the 502s go away:
# Create a probe with the PickHostNameFromBackendHttpSettings switch for web apps
$probeconfig = New-AzureRmApplicationGatewayProbeConfig -name webappprobe -Protocol Http -Path / -Interval 30 -Timeout 120 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings
# Define the backend http settings
$poolSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name appGatewayBackendHttpSettings -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 120 -PickHostNameFromBackendAddress -Probe $probeconfig
I have a VM running SQL Server. I have port 1433 open on the Windows firewall and an Endpoint on the corresponding cloud service forwarding port 57501 to 1433. I haven't specified any ACLs on that endpoint. I want the endpoint to only be accessible from a specific subnet in the VNet where the VM exists.
If I set that in the ACL, it doesn't work: the ACL only seems to care about the public IP of the client. Since the public IP may change, this isn't an option.
What's the recommended approach here? Note that I don't want to connect directly to the VM hostname because I want to use the CNAME that the cloud service sets up for me (the actual Windows computer name is a random long string).
NSGs apply rules on the incoming/outgoing traffic at a VM or cloud-service-role-instance level.
Note that NSGs default rules allow traffic within the virtual network, and outbound to Internet. All other traffic is denied by default. You need to explicitly specify rules to change this behavior or allow any other traffic in/out.
You can create an NSG rule like below to allow only traffic from a specific subnet within a VNet.
Get-AzureNetworkSecurityGroup -Name "NSG-FrontEnd" `
| Set-AzureNetworkSecurityRule -Name rdp-rule `
-Action Allow -Protocol TCP -Type Inbound -Priority 100 `
-SourceAddressPrefix 192.168.1.0/24 -SourcePortRange '*' `
-DestinationAddressPrefix '*' -DestinationPortRange '1433'
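Because the NSG's default rules already allow all traffic from inside the virtual network, an Allow rule for one subnet does not by itself keep the other subnets out; an explicit Deny for the rest of the VNet is needed at a priority that is still evaluated before the defaults. The script below is an added example, not the answerer's code; it assumes the classic (ASM) Azure PowerShell module and uses placeholder names and prefixes.

```powershell
# Added example: restrict TCP/1433 on the SQL VM's NSG to a single subnet.
# Assumptions: classic (ASM) Azure module; names and prefixes are placeholders.
$nsgName   = "NSG-SQL"          # placeholder NSG name
$allowFrom = "192.168.1.0/24"   # placeholder: the only subnet allowed to reach SQL

$nsg = Get-AzureNetworkSecurityGroup -Name $nsgName

# 1. Allow the approved subnet (lower number = evaluated first).
$nsg | Set-AzureNetworkSecurityRule -Name "allow-sql-from-app-subnet" `
    -Type Inbound -Priority 100 -Action Allow -Protocol TCP `
    -SourceAddressPrefix $allowFrom -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '1433'

# 2. Deny the rest of the VNet. VIRTUAL_NETWORK is the built-in tag; this rule
#    runs after the allow above but before the default allow-from-VNet rule.
$nsg | Set-AzureNetworkSecurityRule -Name "deny-sql-from-other-vnet" `
    -Type Inbound -Priority 110 -Action Deny -Protocol TCP `
    -SourceAddressPrefix 'VIRTUAL_NETWORK' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '1433'

# 3. Bind the NSG to the subnet that hosts the SQL VM (placeholder names).
Set-AzureNetworkSecurityGroupToSubnet -Name $nsgName -VirtualNetworkName "MyVNet" -SubnetName "SqlSubnet"

# 4. Verify the effective order: the two custom rules must sit above the
#    default rules (priority 65000 and higher).
Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed |
    Select-Object -ExpandProperty Rules |
    Sort-Object Priority |
    Format-Table Name, Type, Priority, Action, SourceAddressPrefix, DestinationPortRange -AutoSize
```

The rules apply to the VM's private address and port (1433), which is why they work regardless of the client's public IP; the cloud-service endpoint on 57501 is unaffected and can be left in place for the CNAME.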
I've got a load-balanced endpoint being served by 2 VMs, and I shut down one of them through the web interface; however, it seems that the shut-down endpoint is still being included in the load-balancer rotation. Is this the case, or am I missing a silly mistake on my part?
Are you talking about new "Windows Azure Virtual Machines" or "Web/Worker based VM"?
With Windows Azure Virtual Machines, you can create multiple separate Virtual Machines and use the PowerShell cmdlet "get-azurevm" with the parameter "-LBSetName" to set up probe-based load balancing under the same -LBSetName setting, as below:
get-azurevm -ServiceName "XXXX" -Name "XXX" | Set-AzureEndpoint -Name "HttpIn" -Protocol "tcp" -PublicPort 80 -LocalPort 80 -LBSetName "XXX" -ProbePort 80 -ProbeProtocol "http" -ProbePath "/" | Update-AzureVM
If you configured the Load Balancer and shut down the instance, the Load Balancer will still show all machines configured with the probe.