Access Azure App Service RESTful endpoints from On Premise resources using VPN - azure

I have an on-premises desktop application and I need it to hit Web APIs I have living in an App Service Web App (on an App Service Plan) in Azure.
My on-premises resources are connected over a site-to-site VPN and I was wondering if there is a way I can call these Web API services (in an App Service) directly over the VPN instead of going to the public endpoint.

The "normal" App Service Plan exists in a multi-tenant environment so this is not possible. You would need to use an ASE (App Service Environment) to use advanced networking features like VPN and NSG.
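The answer above reflects the platform at the time it was written. App Service has since gained private endpoints, so a multi-tenant web app can be given a private address inside a VNet and reached from on-premises over the existing site-to-site VPN without an ASE. What follows is an added example using the Azure CLI; it is not from the question or the answer. The resource group, VNet, subnet and app names are assumptions, the VNet is assumed to already be connected to the on-premises network by the site-to-site gateway, and the `publicNetworkAccess` property is used as I understand it; check every flag against `az ... --help` before running against a real subscription.

```shell
#!/bin/sh
# Added example: expose an existing multi-tenant App Service on a private VNet
# address with a private endpoint, so an on-premises client on the S2S VPN can
# call it without touching the public front end. All names are assumptions.
set -e

RG="${RG:-rg-hybrid}"
APP="${APP:-contoso-api}"            # assumed app: contoso-api.azurewebsites.net
VNET="${VNET:-vnet-hub}"             # assumed: already connected to on-prem by S2S VPN
PE_SUBNET="${PE_SUBNET:-snet-privatelink}"
ZONE="privatelink.azurewebsites.net" # zone name App Service uses for private link

# DRY_RUN=1 prints the commands instead of executing them.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_private_endpoint() {
  app_id="$(run az webapp show -g "$RG" -n "$APP" --query id -o tsv)"
  run az network private-endpoint create -g "$RG" -n "pe-$APP" \
      --vnet-name "$VNET" --subnet "$PE_SUBNET" \
      --private-connection-resource-id "$app_id" --group-id sites \
      --connection-name "pe-$APP-conn"
  # Private DNS: contoso-api.azurewebsites.net must resolve to the endpoint's
  # private IP from inside the VNet. On-premises resolvers need a conditional
  # forwarder for this zone pointing at a DNS server inside the VNet.
  run az network private-dns zone create -g "$RG" -n "$ZONE"
  run az network private-dns link vnet create -g "$RG" -z "$ZONE" -n "link-$VNET" \
      --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create -g "$RG" \
      --endpoint-name "pe-$APP" -n default \
      --private-dns-zone "$ZONE" --zone-name "$ZONE"
}

close_public_access() {
  # The private endpoint adds a private path; it does not remove the public one.
  # Turn public network access off so only VNet/VPN clients can reach the app.
  run az webapp update -g "$RG" -n "$APP" --set publicNetworkAccess=Disabled
}

# Verification from an on-premises host: the app hostname must resolve to an
# RFC 1918 address (the private endpoint), not to the public App Service front end.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

check_resolution() {
  addr="$(getent hosts "$APP.azurewebsites.net" | awk '{print $1; exit}')"
  if is_rfc1918 "$addr"; then
    echo "ok: $APP.azurewebsites.net -> $addr (private endpoint)"
  else
    echo "FAIL: resolves to '$addr'; fix the conditional forwarder for $ZONE" >&2
    return 1
  fi
}

if [ "$#" -gt 0 ]; then "$@"; fi   # e.g. ./pe.sh create_private_endpoint
```

Run `create_private_endpoint`, then `close_public_access`, then `check_resolution` from a machine on the on-premises side of the tunnel. If the check reports a public address, the on-premises DNS is still answering from the public zone and the client will go out over the Internet even though the tunnel is up.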

Do i need point to site vpn with azure waf and web app

I have been messing around with Azure trying to get a web app up and running. My plan was to create a WAF and sit the web app behind that, each in a separate subnet, and then to use the service endpoint tech to point the web app to a database.
I have been stopped in my tracks almost straight away with the revelation that if I want to use a WAF in front of the web app I have to configure the networking in the web app, but when I choose a VNet it says that no gateway is configured for the selected VNet.
My question is: do I have to use point-to-site VPN to get this setup working? I thought that it would work like
INTERNET ---> VNET ----> subnet ----> WAF -----> subnet -----> web app ----> service endpoint ------> DB
but that doesn't seem to be the case. I am not keen on the idea of having to install a client certificate on every machine in our network that might want to access this website (it is currently internal). I suppose I am looking for the best of both worlds: accessible from the internet but having the added comfort of something like a WAF sat in front of it to make up for any security inadequacies which might exist somewhere in said app.
Thanks
As far as I know, you could not deploy a web app in a VNet unless you are using the App Service Environment (Isolated). App VNet integration could not do it. It allows you to securely access resources in a VNet. For example, you have a database on an Azure VM in a private VNet. You could not access this database from an Azure web app if the database is not available publicly, but you could reach it via app VNet integration.
VNet service endpoints are a different service. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. If you enable such a service endpoint for, say, Azure SQL Database (which differs from a database on Azure VMs) in a VNet, this means only the resources in these authorized VNets could access your SQL database unless you add an exclusion like a public IP address in the firewall of the database.
In this case, you could put a public-facing Azure Application Gateway in front of the web app, then add the Application Gateway public IP in the IP restriction of the web app. This will restrict access to the web app to via the Application Gateway over the Internet. Also, you could control the network inbound and outbound in the Application Gateway subnet NSG. See Network security groups on the Application Gateway subnet if you want to add an NSG at the app gateway subnet level. I think these are enough if you just want to create a WAF and sit the web app behind that.
Furthermore, if you want to let the web app privately access the Azure SQL database, you could deploy the web app in an ASE, then enable the VNet service endpoint for Azure SQL Database. App VNet integration does not need to be used together with the service endpoint.
If you want to use Azure WAF with Azure App Service (multi-tenant) you can, you just need to ensure you are supplying the host header with your request.
If you want your Azure Web App on a VNet, you will need to run your Azure Web App on an App Service Environment (Isolated). This version of Azure Web App is more expensive but allows you to apply NSGs to the VNet to fully control access to your web app. Personally I think WAF with Azure App Service (multi-tenant) should meet your needs.
We have it all documented here:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview
https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal
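The two answers above agree on the design (WAF-enabled Application Gateway in front of a multi-tenant web app) and the second one names the detail that trips people up: the Host header. The multi-tenant App Service front end routes purely on Host, so the gateway has to send the app's own `*.azurewebsites.net` name rather than the gateway's address, and the health probe has to do the same or the backend shows as unhealthy. The script below is an added example (not from either answer, and not Microsoft's own sample) of that configuration with the Azure CLI. Resource names, region and address ranges are assumptions; the `--priority` and `--waf-policy` parameters are the ones current CLI versions expect for a v2 SKU, so confirm them with `az network application-gateway create --help` first.

```shell
#!/bin/sh
# Added example: a WAF_v2 Application Gateway in front of a multi-tenant web app,
# with the Host header override that the shared App Service front end needs.
# All resource names, the region and address ranges are assumptions.
set -e

RG="${RG:-rg-webapp-waf}"
LOC="${LOC:-westeurope}"
APP="${APP:-contoso-api}"               # assumed app: contoso-api.azurewebsites.net
VNET="${VNET:-vnet-edge}"
AGW_SUBNET="${AGW_SUBNET:-snet-agw}"    # the gateway needs a dedicated subnet
AGW="${AGW:-agw-waf}"
PIP="${PIP:-pip-agw-waf}"
WAF_POLICY="${WAF_POLICY:-wafpol-contoso}"

# DRY_RUN=1 prints the commands instead of executing them.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The backend pool member is the app's FQDN; that same name must be sent as Host.
backend_fqdn() { printf '%s.azurewebsites.net' "$1"; }

create_gateway() {
  run az network vnet create -g "$RG" -l "$LOC" -n "$VNET" \
      --address-prefix 10.50.0.0/16 \
      --subnet-name "$AGW_SUBNET" --subnet-prefix 10.50.1.0/24
  run az network public-ip create -g "$RG" -l "$LOC" -n "$PIP" \
      --sku Standard --allocation-method Static
  # WAF policy in Prevention mode: Detection mode only logs and blocks nothing.
  run az network application-gateway waf-policy create -g "$RG" -l "$LOC" -n "$WAF_POLICY"
  run az network application-gateway waf-policy policy-setting update -g "$RG" \
      --policy-name "$WAF_POLICY" --state Enabled --mode Prevention
  run az network application-gateway create -g "$RG" -l "$LOC" -n "$AGW" \
      --sku WAF_v2 --capacity 2 --priority 100 \
      --vnet-name "$VNET" --subnet "$AGW_SUBNET" --public-ip-address "$PIP" \
      --waf-policy "$WAF_POLICY" \
      --servers "$(backend_fqdn "$APP")" \
      --http-settings-protocol Https --http-settings-port 443
}

configure_host_header() {
  # Without the override the gateway forwards Host: <gateway address>, which the
  # shared front end cannot map to a site, so the app answers 404. The probe
  # takes its host name from the HTTP settings so it is checked the same way.
  run az network application-gateway probe create -g "$RG" --gateway-name "$AGW" \
      -n probe-app --protocol Https --path / \
      --host-name-from-http-settings true --interval 30 --timeout 30 --threshold 3
  run az network application-gateway http-settings update -g "$RG" --gateway-name "$AGW" \
      -n appGatewayBackendHttpSettings --protocol Https --port 443 \
      --host-name-from-backend-pool true --probe probe-app
}

gateway_ip() {
  # The source address the web app sees; it is what goes into the app's IP restrictions.
  run az network public-ip show -g "$RG" -n "$PIP" --query ipAddress -o tsv
}

if [ "$#" -gt 0 ]; then "$@"; fi   # e.g. ./agw.sh create_gateway && ./agw.sh configure_host_header
```

Two caveats that the portal walkthrough also mentions: the listener created here is plain HTTP on port 80 (the CLI default), so add a certificate and an HTTPS listener before exposing it; and because the app now sees its own `azurewebsites.net` hostname, any absolute redirects or cookie domains it emits carry that name, which is why the usual advice is to bind the same custom domain on both the gateway listener and the app.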

Azure Web App only through Application Gateway and disable direct access

How can I make the Azure Web App or web service reachable only through Application Gateway and disable direct access, so nobody will be able to access it through the direct fully qualified domain name such as mysite.azurewebsites.net?
Thanks for your help in advance.
You could set up the Azure web app in an ILB App Service Environment. An Azure ASE is a deployment of Azure App Service into a subnet in an Azure virtual network (VNet). This ILB ASE (internal ASE) isn't exposed to the Internet. You can follow this blog to run an App Service behind a WAF-enabled Application Gateway.
This Web App isn't publicly accessible as it is sitting in a subnet inside a Virtual Network and it isn't exposed to the internet. The only way to access the site is through a Web Application Firewall enabled Application Gateway.
Besides, if you just want to restrict public access to your Azure Web App with the IPSecurityRestrictions option, you can refer to this to get more references.

Azure API Management To VNet

I am using Microsoft Azure. Specifically I have API Management set up as a public gateway. Internally we have a VNet (it's actually hosting an App Service Environment, so it's basically an isolated App Service inside). I want to connect to the App Service inside the VNet from my API Management service (i.e. route calls from API Management to backend services in my App Services in the VNet).
I know I can use the network connection to connect as an external API Management to my VNet, but this requires the Premium service level of API Management which is super expensive. Is there a way to route traffic from API Management Standard version (which does have a static IP) through to a service inside a VNet/subnet through some configuration (other than network connection from the API Management blade)?
Thanks in advance.
If you want to use API Management in the VNet then you are limited to Premium or Developer. However, the App Service Environment can have an external interface and API Management can talk to that.
You would need to add some additional security to your external interface to ensure only API Management has access. This could just be an IP filter rule.
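Three answers on this page end at the same step: allow the one upstream address (the Application Gateway public IP in the WAF answer, the IPSecurityRestrictions option in the Application Gateway-only answer, the API Management static IP in the answer just above) and let the platform refuse everyone else. The script below is an added example of that step with the Azure CLI; it is not from any of the answers. The resource group and app name are assumptions, and the source addresses are whatever your gateway or API Management instance actually uses. It also covers the detail the answers leave out: the SCM (Kudu) site has its own rule list, so a rule on the main site alone still leaves the deployment endpoint open.

```shell
#!/bin/sh
# Added example: App Service access restrictions that admit only named source
# addresses (Application Gateway public IP, API Management static IP, ...).
# Resource group and app name are assumptions; pass real source addresses.
set -e

RG="${RG:-rg-webapp-waf}"
APP="${APP:-contoso-api}"

# DRY_RUN=1 prints the commands instead of executing them.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Normalise "a.b.c.d" or "a.b.c.d/n" to CIDR and reject anything that is not an
# IPv4 prefix, so a typo cannot silently turn into a rule admitting the wrong range.
to_cidr() {
  ip="${1%%/*}"; prefix="${1#*/}"
  if [ "$prefix" = "$1" ]; then prefix=32; fi
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  n=0; rest="$ip."
  while [ -n "$rest" ]; do
    octet="${rest%%.*}"; rest="${rest#*.}"
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ] || return 1
  printf '%s/%s' "$ip" "$prefix"
}

# allow_sources <app> <ip-or-cidr>...
# One Allow rule per source on the app and on its SCM (Kudu) site. Once a
# single Allow rule exists, App Service applies an implicit "Deny all" after
# it, so <app>.azurewebsites.net stops answering anyone else. The SCM site
# keeps a separate rule list and stays open unless it is restricted too.
allow_sources() {
  app="$1"; shift
  prio=100
  for src in "$@"; do
    cidr="$(to_cidr "$src")" || { echo "invalid source: $src" >&2; return 1; }
    name="allow-$(printf '%s' "$cidr" | sed 's#[./]#-#g')"
    run az webapp config access-restriction add -g "$RG" -n "$app" \
        --rule-name "$name" --action Allow --ip-address "$cidr" --priority "$prio"
    run az webapp config access-restriction add -g "$RG" -n "$app" \
        --rule-name "$name" --action Allow --ip-address "$cidr" --priority "$prio" \
        --scm-site true
    prio=$((prio + 10))
  done
}

show_rules() {
  run az webapp config access-restriction show -g "$RG" -n "${1:-$APP}"
}

if [ "$#" -gt 0 ]; then "$@"; fi   # e.g. ./restrict.sh allow_sources contoso-api 203.0.113.10
```

After applying, `curl -sI https://contoso-api.azurewebsites.net/` from anywhere other than the allowed sources should return 403, and the same request through the gateway or API Management should succeed. The restriction is by source address only, so if the gateway is also reachable by other tenants (a shared API Management instance, for example) the app still needs its own authentication.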

microsoft azure hosted database and firewalls

I am doing mobile development in Xcode and using a hosted database from Microsoft Azure.
I noticed there are firewall settings on Microsoft Azure in order to add clients.
How will this work when the mobile app is deployed? Should all ports be opened on the database? Or do I need to use Web Services?
How will this work when the mobile app is deployed? Should all ports be opened on the database? Or do I need to use Web Services?
You should definitely NOT open all ports and direct connectivity to the database from mobile apps is strongly discouraged.
Recommended way would be to use some kind of service layer sitting between your mobile app and the database. All the requests from the app should go to this service layer which will perform database operations. This service layer could be deployed as Azure Mobile App Service, Azure API App Service or a Web API hosted in Azure Web Apps Service.
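The answer above puts a service layer between the phones and the database; the follow-on question is then what the database firewall should contain. The script below is an added example (not from the answer) for Azure SQL Database with the Azure CLI: the firewall admits only the addresses the Web API can send from, and nothing for the mobile clients, because they never talk to the database directly. Resource group, web app and SQL server names are assumptions. Two things worth knowing about the Azure SQL firewall: it is address-based rather than port-based (the service listens on 1433, with 11000-11999 used by the redirect connection policy), and the special range 0.0.0.0 to 0.0.0.0 is the "Allow Azure services" rule, which admits resources from every Azure tenant, not just yours.

```shell
#!/bin/sh
# Added example: lock the Azure SQL server firewall to the service layer in
# front of it instead of opening it to the mobile clients. Resource group,
# web app and SQL server names are assumptions.
set -e

RG="${RG:-rg-mobile-backend}"
APP="${APP:-contoso-mobile-api}"   # the Web API the phones talk to
SQLSRV="${SQLSRV:-sql-contoso}"    # logical server: sql-contoso.database.windows.net

# DRY_RUN=1 prints the commands instead of executing them.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# firewall_rules_for <server> <comma-separated-ips>
# One single-address rule per outbound IP of the Web API. Never add
# 0.0.0.0-255.255.255.255 (everyone), and avoid 0.0.0.0-0.0.0.0, the
# "Allow Azure services" rule that admits every Azure tenant.
firewall_rules_for() {
  server="$1"
  printf '%s\n' "$2" | tr ',' '\n' | grep -v '^$' | while read -r ip; do
    run az sql server firewall-rule create -g "$RG" -s "$server" \
        -n "appsvc-$(printf '%s' "$ip" | sed 's/\./-/g')" \
        --start-ip-address "$ip" --end-ip-address "$ip"
  done
}

lock_down_by_ip() {
  # possibleOutboundIpAddresses lists every address the plan can use as it
  # scales or changes tier; outboundIpAddresses is only the current subset.
  ips="$(run az webapp show -g "$RG" -n "$APP" --query possibleOutboundIpAddresses -o tsv)"
  firewall_rules_for "$SQLSRV" "$ips"
}

# lock_down_by_subnet <vnet> <subnet>
# Preferred when the Web API has VNet integration: a service endpoint rule
# matches the integration subnet, so it does not drift when outbound IPs change.
lock_down_by_subnet() {
  run az network vnet subnet update -g "$RG" --vnet-name "$1" -n "$2" \
      --service-endpoints Microsoft.Sql
  run az sql server vnet-rule create -g "$RG" -s "$SQLSRV" -n "appsvc-$2" \
      --vnet-name "$1" --subnet "$2"
}

if [ "$#" -gt 0 ]; then "$@"; fi   # e.g. ./sqlfw.sh lock_down_by_ip
```

The database credentials then live only in the Web API's configuration (or, better, the Web API uses a managed identity), and the phones authenticate to the Web API rather than to SQL. Anything shipped inside a mobile binary, connection strings included, should be treated as public.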

Hosting a web application in Azure that consumes on premise web services and ActiveMQ

I'm looking at ways to host our web site in Azure. The web application consumes on-premises web services and sends/receives messages from ActiveMQ hosted on-premises. Is this possible? Any pointers will be helpful.
Short Answer: Yes, it's possible. Mixing Azure and On-Prem resources is what's called the Hybrid Cloud.
Long Answer:
You can use Azure App Service Environment to set up a Virtual Network with an Azure Web App that will allow for a VPN connection to be set up between your on-premises network and the Azure VNet. If VPN setup isn't an option for you, then you could use the Azure Service Bus Relay service to connect an on-premises WCF Web Service to the Azure Web App. Additionally, a BizTalk Hybrid Connection could be used to tunnel through the firewall between your on-premises resources and the Azure Web App. Hybrid Cloud is fully supported in Microsoft Azure and there are a few options to choose from depending on which fits your needs / scenario best.
You can create a VPN on Azure, add the web site to it and then create a point-to-site VPN connection to add the VM that has the on-premises web service to it.
Another solution: if your web service is developed in WCF, you can use Service Bus Relay with your web service; this will make it accessible from your Azure web site.
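The first answer above lists the VPN route as one option. The script below is an added example of that route with the Azure CLI, not code from either answer: a site-to-site VPN gateway in the VNet, a local network gateway describing the on-premises side, and regional VNet integration so the web app's outbound calls to the on-premises web services and ActiveMQ go through the tunnel. Regional VNet integration on a multi-tenant plan postdates the answers and removes the need for an ASE for this outbound direction. Every name, address range and the Key Vault secret holding the pre-shared key are assumptions; the `--vnet-route-all-enabled` setting is named as I know it from the CLI.

```shell
#!/bin/sh
# Added example: site-to-site VPN from an Azure VNet to the on-premises network,
# plus regional VNet integration so the web app's outbound calls (web services,
# ActiveMQ) are routed through that tunnel. Every name, address range and the
# Key Vault secret holding the pre-shared key are assumptions.
set -e

RG="${RG:-rg-hybrid}"
LOC="${LOC:-westeurope}"
APP="${APP:-contoso-web}"
VNET="${VNET:-vnet-hybrid}"; VNET_PREFIX="${VNET_PREFIX:-10.60.0.0/16}"
APP_SUBNET="${APP_SUBNET:-snet-appsvc}"
GW="${GW:-vgw-hybrid}"; GW_PIP="${GW_PIP:-pip-vgw-hybrid}"
LGW="${LGW:-lgw-onprem}"; CONN="${CONN:-conn-onprem}"
ONPREM_PUBLIC_IP="${ONPREM_PUBLIC_IP:-203.0.113.10}"   # the on-prem VPN device
ONPREM_PREFIX="${ONPREM_PREFIX:-10.10.0.0/16}"         # where the web services and ActiveMQ live
KV="${KV:-kv-contoso}"; PSK_SECRET="${PSK_SECRET:-vpn-psk-onprem}"

# DRY_RUN=1 prints the commands instead of executing them.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The tunnel cannot route between overlapping address spaces, so check before
# waiting 30-45 minutes for a gateway deployment that can never work.
ip_to_int() {
  old="$IFS"; IFS=.; set -- $1; IFS="$old"
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}
prefixes_overlap() {
  n1="$(ip_to_int "${1%/*}")"; l1="${1#*/}"
  n2="$(ip_to_int "${2%/*}")"; l2="${2#*/}"
  if [ "$l1" -lt "$l2" ]; then l="$l1"; else l="$l2"; fi   # shorter prefix wins
  mask=$(( (0xFFFFFFFF << (32 - l)) & 0xFFFFFFFF ))
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

create_vpn() {
  if prefixes_overlap "$VNET_PREFIX" "$ONPREM_PREFIX"; then
    echo "address spaces overlap ($VNET_PREFIX vs $ONPREM_PREFIX); pick another VNet range" >&2
    return 1
  fi
  run az network vnet create -g "$RG" -l "$LOC" -n "$VNET" --address-prefix "$VNET_PREFIX"
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
      --address-prefixes 10.60.255.0/27
  # Subnet delegated to App Service for regional VNet integration.
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$APP_SUBNET" \
      --address-prefixes 10.60.1.0/24 --delegations Microsoft.Web/serverFarms
  run az network public-ip create -g "$RG" -l "$LOC" -n "$GW_PIP" --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$RG" -l "$LOC" -n "$GW" --public-ip-address "$GW_PIP" \
      --vnet "$VNET" --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait
  run az network local-gateway create -g "$RG" -l "$LOC" -n "$LGW" \
      --gateway-ip-address "$ONPREM_PUBLIC_IP" --local-address-prefixes "$ONPREM_PREFIX"
}

connect_onprem() {
  # The PSK is read from Key Vault at run time and never written into the script.
  # Mint it once with: az keyvault secret set --vault-name "$KV" -n "$PSK_SECRET" --value "$(openssl rand -base64 32)"
  psk="$(run az keyvault secret show --vault-name "$KV" -n "$PSK_SECRET" --query value -o tsv)"
  run az network vpn-connection create -g "$RG" -l "$LOC" -n "$CONN" \
      --vnet-gateway1 "$GW" --local-gateway2 "$LGW" --shared-key "$psk"
}

integrate_app() {
  run az webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$APP_SUBNET"
  # Without Route All only RFC 1918 destinations are sent into the VNet; with it
  # every outbound packet takes the VNet route, so on-prem prefixes always use the tunnel.
  run az webapp config set -g "$RG" -n "$APP" --vnet-route-all-enabled true
}

if [ "$#" -gt 0 ]; then "$@"; fi   # e.g. ./hybrid.sh create_vpn; ./hybrid.sh connect_onprem; ./hybrid.sh integrate_app
```

The on-premises VPN device needs the matching configuration (the Azure gateway's public IP as peer, the VNet prefix as the remote network, the same PSK), and the on-premises firewall should allow the ActiveMQ and web service ports only from the App Service integration subnet, not from the whole VNet. Inbound calls from on-premises to the app are a separate problem that this outbound integration does not solve.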