App Service IP Restriction for Application Gateway with WAF
I want to set up Application Gateway WAF in front of multi-tenant (non-ASE) App Service Web Apps.
I know this is possible now, according to the official document.
For security, inbound traffic to the Web Apps should be restricted to only allow requests coming from the application gateway's Public IP. But I couldn't find a way to do it.
Idea 1. Using VNet integration:
It's not possible to use "App Service VNet Integration" because it's not possible to specify the App Gateway's VNet.
Moreover, in my understanding, VNet integration can't restrict inbound traffic.
Idea 2. Using IP Restriction config of App Service:
The Application Gateway's Public IP Address can only be configured as a dynamic one; a static IP address can't be chosen.
So I think it's not possible to specify the Application Gateway's Public IP Address in the IP Restriction config of App Service, because the configured IP is static but the actual IP can change.
Any good idea?
The Application Gateway IP address can change if the gateway is stopped and started by the customer.
So if you have not stopped and started the application gateway, the IP address will not change.
I have a setup like this
There is a website hosted in a VM in IIS.
There is an Azure Application Gateway in front which redirects the traffic to the website hosted in the VM.
There are the NSGs, VNet and subnets for the Application gateway.
The requirement is to restrict access to the site from the internet while allowing intranet access only?
Which version of Application Gateway are you using? If V1, attach the application gateway to a private VNet subnet and only attach a private IP to the gateway. If it is V2, just remove the public IP listener.
Application Gateway is a reverse proxy. If you add the VM's private IP to the backend pool of your Application Gateway, then the application gateway will use its instance IP to forward the HTTP request to your VM.
So you can add an NSG to your VM's subnet to only allow the Application Gateway subnet IP range and deny internet traffic on ports 80 and 443.
It is applicable for both V1 and V2 SKU.
I'm trying to deploy my application on Azure. Currently, I have an application gateway deployed in one subnet s1, and in the backend pool I have Linux VMs. As per the requirement, I cannot use any public IP, so I'm using only a private IP on the Application Gateway. Since we need the internet connection at the time of deploying the application, I tried attaching an NSG to the Application Gateway's subnet with inbound "Internet" allowed. When I attached the NSG to the application gateway subnet, the backend health showed as unhealthy with this error:
"Cannot connect to server. Check whether any NSG/UDR/Firewall is blocking access to server. Check if application is running on correct port."
I tried to add the rules specified in MSFT's document https://learn.microsoft.com/en-us/azure/application-gateway/configuration-overview#allow-application-gateway-access-to-a-few-source-ips but it's not helpful. So my questions are:
Is there anything more I need to add to the NSG on the application gateway's subnet?
Is it a good strategy to allow internet access using the inbound rule on NSG? (Inbound rule -> service tag -> Internet). Is there any other way I can have internet access just at the time of deployment? PS: I'm not allowed to use public IP at all.
Many thanks!
You can deploy Application Gateway with Public IP and Private IP. All you need to do is to create the listener with the private Frontend IP and leave the Public IP as such.
Since Public IP is not attached with any of the listener, no one will be able to access your site from Internet via Public IP of your Application Gateway.
When AppGW needs to initiate outbound to Internet, it uses that Public IP.
Note: You cannot have only Private IP as Frontend in V2 deployment and you can deploy Application Gateway with only Private Frontend IP in V1 SKU.
My health probe fails with a 403 as soon as I apply whitelisting to the App Service configured in the backend pool (I whitelist the IP that's assigned to the application gateway; the IP is standard tier and static).
Has anyone else seen this issue before? I was under the impression that I could whitelist the public IP assigned to the application gateway on the App Service so access is only possible from the Application Gateway endpoint.
The health probe is successful when I remove the whitelisting. So I'm sure it has something to do with that.
According to the document, if the backend pool:
- Is a public endpoint, the application gateway uses its frontend public IP to reach the server. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.
- Contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses.
- Contains an external endpoint or an externally resolvable FQDN, the application gateway routes the request to the backend server by using its frontend public IP address. The DNS resolution is based on a private DNS zone or custom DNS server, if configured, or it uses the default Azure-provided DNS. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.
Thus, you may use an internally resolvable FQDN or a private IP address of the backend app service in the backend pool.
In this case, you could switch to the default Azure App Service hostname like webappname.azurewebsites.net, or whitelist the internal app gateway subnet (where the application gateway instance private IP addresses live) in the access restrictions of the app service.
We have an Azure Web App and Azure VPN, we've locked down the web app so it's accessible internally only by granting/restricting access via IP addresses (via Access Restrictions page). However users over our VPN are not able to access the web app - when they connect over VPN, the user's external IP address is not from our internal network. We do not want to whitelist everyone's IP address.
If we had the internal IP address of the web app, we have a few options we could try, but we assume this is not available to us.
How would we allow access to a web app for users over a VPN?
Is this something API Management would solve?
If you don't want to whitelist everyone's IP address, you could front-end the Web App with an Azure Application Gateway and restrict access to the Web App such that only connections from the Gateway are allowed.
Azure Application Gateway is a web traffic load balancer. It can have a public frontend, a private frontend, or both, and it must be deployed in a dedicated subnet. The subnet also supports restricting inbound and outbound network traffic with an NSG. In this case, you can deploy a private App GW; the users over VPN will then send their HTTP/HTTPS requests to the App GW frontend, the App GW receives the requests via a Listener and routes the traffic to the appropriate backends based on the routing rules. An application gateway can communicate with on-premises servers when they're connected by Azure ExpressRoute or VPN tunnels, if traffic is allowed. See supported backend pools and how an application gateway works.
You could get more references from the third way in this blog.
I am trying to configure Azure Application Gateway WAF with a backend pool set to a VM in a different Azure tenant using its public IP address on port 443. All the SSL certificates are configured properly. However, I keep getting the following error while browsing the site via the WAF.
502 - Web server received an invalid response while acting as a gateway or proxy server.
I have confirmed that the NSG on the mentioned back-end VM is allowing all traffic on port 443. What could be going wrong here?
Generally, you can check the status of Backend health in the monitoring section of the Application Gateway and compare the details against these possible reasons on your side.
NSG, UDR or Custom DNS is blocking access to backend pool members.
Back-end VMs or instances of virtual machine scale set are not responding to the default health probe.
Invalid or improper configuration of custom health probes.
Azure Application Gateway's back-end pool is not configured or empty.
None of the VMs or instances in virtual machine scale set are healthy.
Request time-out or connectivity issues with user requests.
For each reason, you can get a solution from that link. I think you could make sure you can directly access the backend with public IP from one tenant to another tenant. Then if you have an NSG in the app gateway subnet, you must include exceptions for incoming traffic on ports 65503-65534 for the Application Gateway v1 SKU, and ports 65200-65535 for the v2 SKU. You could get more details here. You could also whitelist the app gateway public IP address in the NSG of backend VM.
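An added example, not code from any of the posts above, that models the two NSG rule sets discussed on this page: the backend subnet NSG that admits only the Application Gateway subnet on ports 80 and 443, and the Application Gateway subnet NSG that must leave the GatewayManager health/management ports open (65503-65534 for v1, 65200-65535 for v2), including the common mistake of placing a Deny-Internet rule ahead of that exception. All address ranges, including the prefix standing in for the GatewayManager service tag, are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; replace with your own VNet layout.
VNET = ipaddress.ip_network("10.0.0.0/16")
APPGW_SUBNET = ipaddress.ip_network("10.0.1.0/24")
# Placeholder prefix standing in for the GatewayManager service tag (Azure-owned, outside the VNet).
GATEWAY_MANAGER = ipaddress.ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Rule:
    priority: int     # lower number is evaluated first, as in an NSG
    action: str       # "Allow" or "Deny"
    source: str       # CIDR or a service tag: "Internet", "GatewayManager", "VirtualNetwork", "*"
    port_lo: int      # inclusive destination port range
    port_hi: int


def _source_matches(source: str, ip: ipaddress.IPv4Address) -> bool:
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return ip in VNET
    if source == "Internet":            # everything that is not inside the VNet
        return ip not in VNET
    if source == "GatewayManager":
        return ip in GATEWAY_MANAGER
    return ip in ipaddress.ip_network(source)


# Default inbound rules every NSG carries: allow VNet traffic (65000), deny everything else (65500).
DEFAULT_RULES = [Rule(65000, "Allow", "VirtualNetwork", 0, 65535), Rule(65500, "Deny", "*", 0, 65535)]


def evaluate(rules, src: str, port: int) -> str:
    """First matching rule in priority order decides, like NSG inbound evaluation."""
    ip = ipaddress.ip_address(src)
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if _source_matches(r.source, ip) and r.port_lo <= port <= r.port_hi:
            return r.action
    return "Deny"


def backend_subnet_rules():
    """Backend (VM) subnet NSG: only the AppGW subnet may reach 80/443; everyone else, Internet or VNet, is denied."""
    rules = []
    for port in (80, 443):
        rules += [Rule(100 + port, "Allow", str(APPGW_SUBNET), port, port),
                  Rule(1000 + port, "Deny", "*", port, port)]
    return rules


def appgw_subnet_rules(sku: str, deny_first: bool = False):
    """AppGW subnet NSG: the management port range depends on the SKU; deny_first reproduces the misordering bug."""
    lo, hi = (65503, 65534) if sku == "v1" else (65200, 65535)
    allow = Rule(300 if deny_first else 100, "Allow", "GatewayManager", lo, hi)
    deny_internet = Rule(200, "Deny", "Internet", 0, 65535)   # GatewayManager is also "Internet" from the NSG's view
    return [allow, deny_internet]
```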