No Response from Azure Web Application Firewal - azure

I have an App Service hosted in azure and I need to secure that using Azure's Web Application Firewall (WAF). I've created the WAF and also specified the app service's FQDN but when I hit that from the browser I get a timeout response after ~3mins.
I've validated that I can hit the AppService using the http://FQDN. The WAF's BackendHttpSetting is configured for HTTP port 80. The listener is also configured for http 80. Ive tried hitting the WAF endpoint using the IP as well as the {guid}.cloudapp.net
I'm out of ideas now.
Any pointer?
Thanks

Support for Azure Web Application requires additional configuration on backend setting and probe for correctly overriding Host headers from incoming requests. This is documented at link1 and link2 for a working example.

Related

I added FrontDoor to an app service, then deleted FD and now the app service no longer works

The DNS records for Front Door were deleted as well. We have an app gateway to the app service, which is under an app service env. I can see traffic on my app gateway:
But none on the app service:
The error I get when I try to access the web app is generic:
:( Application Error If you are the application administrator, you can
access the
The health probe on the app gateway was changed to 200-600 to show this error, because it was just a generic 502 at first. I'm not really sure where to even begin troubleshooting this. Any ideas on where I can start checking things?
Did you changed the CNAME dns entry to point to your app service instead of the frontdoor address?
I suspect that you have completely removed the CNAME entry instead of changing it to point to your my-app.azurewebsites.net address.
Also check if you have correctly configured the binding to your custom domain for the app service
Did you originally use the DNS record pointing to the AFD endpoint to point to the App Gateway? If so did you point it back to the App Gateway?
What's the backend settings for the App Gateway look like? Are you overriding the hostname, choosing it from the backend pool name, or not overriding (forwarding hostname from client)?
Also, on the App Service, when you implemented AFD in front did you setup access restrictions under the networking blade? Usually when placing AFD in front of App Service there is a rule to only allow the AFD service tag to reach the App Service so it can't be bypassed.
Lastly, check the environment variables for what port your app service is listening on. From searching that error message I see a lot of mentions about it being NodeJS and there being a mismatch in port configuration. Ensure the app service is listening on the same port as is configured on the App Gateway's backend settings as well as the probe.

Azure web app access restrictions to application gateway

I am using a V1 WAF application gateway (dynamic IP) in front of a web app.
When i configure the web app access restrictions to Allow the application gateway i received a when i tryu to access the web app url (expected behavior). However, i also received a 403 when accessing throught the app gateway url (not expected !). i have try a rule to allow the app gateway ip and also a rule allowing the app gateway vnet (service endpoint) with both same result. Any idea why its not working ? Thx!
I suggest you to know about this topic. you are probably getting a VPC error.
https://azure.microsoft.com/en-us/services/virtual-network/#overview

How does an azure app service access a no azure web server

I have an Azure app service and in some cases I need to send a web request to a non-azure webserver. What do I need to do to make it possible.
Currently the web request fails with no clear error message.
In response to a HttpClient Put request I get a System.Net.WebException exception which says there were errors.
THe same request works from a desktop application.
If your webserver is reachable from the internet you should be able to access it through your App Service. Try to log a ping to your webserver and google (8.8.8.8).
If your App Service is in a VNET you should enable some outbound rules to your webservers IP adress.
The server I am connecting to is an other Azure service. After some more investigating, It appears that I can connect to it if I do not use SSL (i.e. http://) but the connection is immediately closed when using SSL (https://). I assume that the problem must be related to the use of SSL.

Azure Application Gateway with App Service Web App

I have created an application gateway with WAF (default detection mode) in an Azure Resource Group (no ASE) with an App Service Web App backendPool member/target MS link (followed instructions to the letter both via the Azure Portal and via PowerShell).
Im not using any custom domains, just the basic config with my backendPool member being an Azure Web App ie mywebapp.azurewebsites.net (Web App is a basic ASP.NET test site which runs fine on its .azurewebsites.net address).
MS application gateway documentation states they now support App Services as backendPool targets (FQDN/which I use).
My basic httpSettings, basic listener and rule are all setup correctly as far as Im aware (HTTP port 80.
So in essence my app gateway should listen on port 80 of the public IP attached to it and forward any incoming requests to the backendPool member (Web App).
But when I try to access the gateways public IP (or DNS address) I keep getting an 'Azure 404 Web Site not found.' page/error.
Strangely if I stop the Web App from the Azure portal I get a 502/bad gateway error until I restart the Web App where the 404 page returns.
I dont know if Im missing anything here? Does anyone have any suggestions at all? I cannot seem to get this working.
You probably are missing a couple of configuration elements. Backend http settings should require 'PickHostNameFromBackendAddress' flag. You should also use a custom probe which has 'PickHostNameFromBackendHttpSettings' flag set. The end to end PowerShell documentation is at link which details your scenario.

Azure load balancing configuration with App Services

What am I trying to do
I have to azure apps deployed as App services. To make rest post easy let's call them "blog" and "landing_page". Both of them are hosted, so they URL are blog.azurewebsites.net and landing_page.azurewebsites.net.
I want to configure "something" in Azure with following rules:
if user access http://mydomain/ - content of landing_page.azurewebsites.net
if user access http://mydomain/blog - content of blog.azurewebsites.net
What I tried
After reading documentation, I have to reject Traffic Manager because it works on DNS level. From the other two I decided to use Application Gateway, because it should work on eny Endpoint (Any Azure internal IP address, public internet IP address, Azure VM, or Azure Cloud Service).
I configured my Application Gateway setting backend to: landing_page.azurewebsites.net. But in "Backend health" the app status is unhealthy. I tried also:
blog.azurewebsites.net - unhealthy
www.wp.pl (polish news portal) - is working
gazeta.pl (polish news portal) - is working
stapp.space (my blog) - this is same as piotrstapp.azurewebsites.net and status is unhealthy
Question :)
What did I wrong? Maybe should I use something else on Azure? Or am I missing something?
Make sure that custom probes is turned on and configured in the HTTP settings of the WAF for your site. If you don't the Application Gateway will try to go to the IP of the App Service Environment without passing a Host header, which won't work and will throw the probe into an unhealthy state resulting in a "502 Gateway Proxy" error.
There is a great article here
You may want to check out Azure's application gateway path-based rules function:
Create a path-based rule for an application gateway by using the Azure portal

Resources