Azure Application Gateway with VMSS - azure

I have deployed a Virtual Machine scale set with an application gateway. The VMs in the VMSS have a SOAP API configured. Now, when I download the WSDL for my SOAP API by going through the application gateway's DNS name, the soap:address location tag in the WSDL gives the private IP of the VM as the URL, for example:
https://10.1.0.9:443/servicetag
while if I access the same API WSDL directly by using the DNS name of the VM, it gives the same URL in this form:
https://<VM DNS name>/servicetag
Please tell me what is causing this behaviour.

I resolved this issue after some research into my setup. So the problem was due to this flag
--host-name-from-backend-pool
which was set to true, due to which it was picking the hostname of my VM instead of my application gateway frontend IP. Setting
--host-name-from-backend-pool false
resolved it.

Related

Getting error while accessing Azure API developer portal while using Azure Application Gateway with Azure API Management service

We have the following setup in Azure, configured using this guide (https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/apis/protect-apis):
App Gateway with Public IP calling ===> Azure APIM Service configured in Internal mode (development tier)
Details:
1. Both App Gateway and APIM are in the same VNet but in separate subnets.
2. App Gateway has only a public IP, with Firewall disabled (for testing purposes).
3. APIM is configured in Internal mode.
4. Three listeners (one for the API, one for the developer portal and one for the API management endpoint) are configured in App Gateway using custom domains and SSL certificates.
5. There is a VM deployed and configured in the same VNet.
App Gateway domains are (Internet accessible):
dev.apiportal.xxxx.com ==> API Portal
dev.api.xxxx.com ==> API Gateway
dev.apimanagement.xxxx.com ==> API Management
APIM Service is using default domains (not accessible on the internet; APIM is configured in Internal mode):
dev-apim.developer.azure-api.net ==> API Portal
dev-apim.azure-api.net ==> API Gateway
dev-apim.management.azure-api.net ==> API Management
The probes defined on App GW for the endpoints mentioned above are healthy and in green status.
Problem Statement:
1. The API portal is accessible from the VM mentioned in #5 above using the default links. I am able to log in using a user added in the portal. The VM's hosts file has been modified with the IP address and default host name of the APIM service. The portal works fine when accessed from the VM.
2. When I try to access the portal from the internet using the custom domain (configured on the listeners mentioned in #4 above of App GW), the portal loads fine.
3. When I try to log in using the same user (mentioned in #1), it doesn't work and the error I get is "Please provide a valid email and password". This error appears almost 15-20 seconds after clicking the sign-in button.
4. When I tried to check the error in the browser developer tools, I found that even though the portal is accessed using the internet-facing URL, one request for the management API is pointed to the internal URL of API Management.
I wanted to understand if we need to have custom domains for the APIM service as well in order to get this setup working. Any pointer to fix this error?
• Thank you #Pankaj Kapare for your question and the subsequent resolution that you have provided in the comments section. I am posting the same comment of yours elaborately, and some additional probable resolution, as an answer.
Setting the APIM service's URLs with the custom domain that is mentioned in the application gateway, while the APIM service is still operational in internal mode, helped log in to the APIM developer portal successfully, i.e., setting the same custom domains that are defined in the application gateway on the APIM's endpoints.
• You can also resolve this DNS mapping issue by creating a CNAME record for the custom domain configured in the application gateway and pointing it as an alias to the default domain URL in the APIM service. Thus, by creating a CNAME DNS record for the default domain in the APIM service, you can redirect the requests for the application gateway's custom domain URL to the default domain URL in the APIM service.
But for this also, you would need to create a private DNS zone in Azure and create the above-mentioned record in it, which will restrict internet access to the APIM URLs and redirect the requests internally.

Azure App Gateway with Internal API Management 503 backend server error

I am following this doc series to set up an internal API Management instance integrated with App Gateway in Azure. I followed everything in detail:
Created a new resource group
Set up a VNet with 3 subnets
And set up a private DNS zone and linked the VNet
And then created self-signed certificates to be used with the DNS names created in the private DNS zone
Created an API Management instance and added custom domains
Created an App Gateway with a public IP, set up routing rules and backends, and set up health probes with path /status-0123456789abcdef for APIM
But now I am getting this backend health error as below:
Can someone tell me what I am doing wrong?
Are there any security groups to be configured? I am using internal mode for the APIM, and when I even try to test the default API (which is the echo test) it gives the below error:
Why is this not working? If you need any more information, let me know (I will update the question). Can someone please help me?
I had a similar situation which was driving me insane. I must have changed everything I possibly could. The answer was to create a custom health probe, and at the very bottom of the HTTP settings there was an option to use the custom probe.
Since the Gateway URL is not registered in public DNS, the test console available in the Azure portal will not work for a service deployed in Internal VNet mode. Instead, use the test console provided on the Developer portal.
You can find more details here.

Azure Application Gateway with ACI instance in the backendpool giving '502 Bad Gateway' error when invoked from postman

I created an application gateway in Azure. I have set an ACI instance as the backend target. The ACI is a Linux container instance. It contains my Web APIs. When I try to invoke the Web API from Postman using the public IP address of the application gateway, I get a '502 Bad Gateway' error. I could not find many resources online that used an ACI as the backend target in an Application Gateway.
I referred to this site - https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal - to configure the application gateway. There they have a VM as the backend target. Instead, I used the private IP address of my container instance as the backend target.
In the 'Backend Pool' of my application gateway, I selected 'IP address or FQDN' as the target type and provided the private IP address of my container instance.
Would appreciate any input/help on this.
Thanks.
Have you solved your problem?
Locally, does the Docker container work as expected (correct ports configured)?
HTTP traffic or HTTPS?
Is the IP address of the ACI the one you have in the backend pool?
Need more info to be able to help.

Azure App Service behind Azure Application Gateway

I'm trying to serve multiple Azure App Services behind an Application Gateway. These services should only be reachable through the application gateway endpoint. To achieve this, I've done the following:
Added a VNet
Added a subnet, and added all app services to it
Added an application gateway with appropriate rules for pointing to the app service
Added access restrictions to the app service to only allow the subnet of the application gateway, and the public IP of the application gateway
The health probe of the application gateway indicates the service is healthy (and thus reachable), but when I try to make a request to the service through the gateway using Postman, I get a 403 IP forbidden error. However, when I add my local IP as an allowed IP address to the app service, the request comes through just fine.
From what I've read online, adding the public IP of the gateway should be sufficient for allowing access through the gateway, but it seems that requests from my local machine are blocked. Am I getting something fundamentally wrong here?
Edit: I also tried assigning a front-end private IP address to the gateway and adding access for that in the app service, but that also did not work.
Edit 2: My configuration
Access restrictions for app service: [screenshot]
Backend pool: [screenshot]
HTTP settings: [screenshot]
Listener: [screenshot]
Rule: [screenshot]
From your description "Added a subnet, and added all app services to it", I assume that you mean integrating the apps with an Azure VNet or enabling the service endpoint for Microsoft.Web on the subnet. If so, you could remove them. Both are useless in this scenario.
To restrict access through the gateway, you only need to add the frontend IP address to the Azure App Service access restrictions. For more details, you could refer to this blog https://www.cloudmanav.com/azure/restricting-appservice-accessible-via-appgateway/#
If you have an NSG associated with the subnets, you could follow the prerequisites here
https://learn.microsoft.com/en-us/azure/application-gateway/configuration-overview#network-security-groups-on-the-application-gateway-subnet
Edit
You may have redirection configured on your app service, or have Azure Active Directory authentication, which causes the redirection. So when redirection happens, the client makes the request directly to the app service URL path contoso.azurewebsites.net/xxx instead of going through the application gateway URL path contoso.com/xxx.
To fix it, you could use a custom domain name to pass the same host name that the application gateway receives to the app service as well, instead of doing a host override. Get more details about this solution here.
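The VMSS/WSDL thread, the APIM developer-portal thread and the App Service redirect edit above all describe the same failure mode: the backend builds absolute URLs from the host name it received (VM private IP, APIM default domain, contoso.azurewebsites.net) instead of the public name the gateway serves, so clients are handed an address they cannot reach, and internal addressing is exposed to the internet. The Python check below is added here as an illustration; it is not code from any of the posts or from Azure's tooling. It scans a response body (a WSDL, a portal configuration, an HTML page) for absolute URLs whose host is a private IP address or matches a list of backend-only domains. The WSDL fragment, the portal configuration and the domain suffixes passed in (`.internal.cloudapp.net`, `.azure-api.net`, `.azurewebsites.net`) are constructed sample values, and the check goes slightly beyond the WSDL case by also catching default Azure host names like the ones in the APIM and App Service answers.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Absolute http(s) URLs embedded in a response body; the match stops at
# whitespace, quotes and XML/HTML delimiters. Constructed for this example.
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)

# Constructed WSDL fragment reproducing the symptom from the VMSS question:
# soap:address was generated from the backend VM's own address rather than
# from the host name clients use on the Application Gateway.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="ServiceTag">
    <port name="ServiceTagPort" binding="tns:ServiceTagBinding">
      <soap:address location="https://10.1.0.9:443/servicetag"/>
    </port>
  </service>
</definitions>
"""

# Constructed developer-portal configuration mirroring the APIM question:
# the gateway URL uses the custom domain, but the management API URL still
# points at the APIM default domain that only resolves inside the VNet.
SAMPLE_PORTAL_CONFIG = (
    '{"gatewayUrl": "https://dev.api.xxxx.com/", '
    '"managementApiUrl": "https://dev-apim.management.azure-api.net/"}'
)


def _is_private_ip(host):
    """True when host parses as an IP address in a private range."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def _is_backend_host(host, backend_hosts):
    """Match an exact host name, or a domain suffix given with a leading dot."""
    for pattern in backend_hosts:
        pattern = pattern.lower()
        if pattern.startswith('.'):
            if host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def find_backend_host_leaks(body, backend_hosts):
    """Return [(url, reason)] for absolute URLs in body that expose the backend.

    reason is 'private-ip' when the host is a private IP address and
    'backend-hostname' when it matches backend_hosts (exact names or
    '.suffix' patterns such as '.azure-api.net'). URLs pointing anywhere
    else, e.g. XML namespace URIs or the public custom domain, are ignored.
    """
    leaks = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip('.,;)')
        host = (urlsplit(url).hostname or '').lower()
        if _is_private_ip(host):
            leaks.append((url, 'private-ip'))
        elif _is_backend_host(host, backend_hosts):
            leaks.append((url, 'backend-hostname'))
    return leaks


if __name__ == '__main__':
    # Domains that should never appear in a response served via the gateway.
    internal = ['.internal.cloudapp.net', '.azure-api.net', '.azurewebsites.net']
    for name, body in (('WSDL', SAMPLE_WSDL), ('portal config', SAMPLE_PORTAL_CONFIG)):
        for url, reason in find_backend_host_leaks(body, internal):
            print(f'{name}: {url} ({reason})')
```

Run it against the body returned through the gateway's public name; an empty result means every absolute URL the backend emitted uses a host the client can actually reach. Anything reported with private-ip or backend-hostname is the condition the answers above fix by keeping the incoming host name (disabling the backend-pool host override, or setting the custom domain on the APIM endpoints) rather than something to patch in the response.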

URL rewrite configuration on Azure

I have a WAF, an Application Gateway and a VM in place in the Azure cloud. I have deployed an application on the VM, which is running on Tomcat on port 8280.
I have the domain name www.abc.com. In the DNS entry, www.abc.com points to my Azure App Gateway on port 80.
I am able to access my application using IP and port, for example:
http://X.X.X.X:8280/MyApps/page1 and http://X.X.X.X:8280/MyApps/page2.
I am trying to configure the App Gateway so that I can open the application using the domain name. My requirement is that when I hit www.abc.com, it should redirect to the URL www.abc.com/page1. I tried to set up the listener with basic type and also path-based, but no success. When I try to hit www.abc.com, it throws an error:
502 - Web server received an invalid response while acting as a gateway or proxy server.
The 502 error always shows that there is a firewall restriction from your application gateway instance to your backend VM. You can verify whether anything is blocking the traffic in the NSG associated with your application gateway subnet or VM subnet. Also, this might be caused by improperly configuring the custom health probe. You can also get more reasons from this doc.
Moreover, you can confirm you have set the URL-based path correctly. Pay attention to the path and port.