I deployed a Asp.Net Core 2 application to Azure, using Visual Studio Community's Publish feature. The non-database-dependent parts of the application function, but the database-specific code returns an error.
The application's database is a Sql Server instance installed on a Windows server hosted on a Azure VM (not an Azure SQL database).
To fix this, I:
determined the application's IP address using the Url property (xxx.azurewebsites.net) of the app's blade
added an inbound rule to the network security group's blade that allows all ports from this IP address
added an entry to the VM's Windows firewall to allow ports from this IP address
Unfortunately, this did not solve the problem. What am I missing?
Incidentally, what's the recommended way to set the ASPNETCORE_ENVIRONMENT to development when publishing to Azure (to enable more-detailed error messages)?
I am assuming that your web application is deployed to an Azure Web App. You may not have the correct outbound IP address for your VM hosting. Note that a Web App's inbound IP address may be different from the Web App's outbound address. To find the outbound addresses for your Web App, do the following:
Go to your Web App's management blade.
Choose the Properties menu item (under Settings). On this screen, there's a list of possible outbound IP addresses. Try whitelisting them all in your VM's firewall.
Related
vnet is connected to my Web App through which I can communicate with other services and applications. When I specify the internal IP of another application to my application, everything works fine. But now the task has come from the management to remake it to use the internal DNS server and internal DNS names. In Azure vnet, in the DNS servers settings, I specified the IP of my DNS servers. I added 168.63.129.16 - now work. If you connect Windows VM to the network everything works fine. Perhaps something needs to be added to the Dockerfile or Linux Container Web App settings so that integration with vnet and DNS works.
If your web application is integrated with the virtual network, your application would be able to communicate with the applications in the virtual network
After integrating your web application with the virtual network, you need to perform sync network action
Go to Azure portal --> Go to your App Service plan where the web app is hosted --> Under Networking, select Virtual Network Integration --> select Sync Network
Once the sync action is complete, you would be able to communicate with your internal application using the DNS name from your web application
Reference: Name resolution for resources in Azure virtual networks | Microsoft Docs
I have to restrict public access to my Azure app service, Hence I have implemented IP whitelist in web config. Is it required to whitelist the Azure datacenter IP ranges?
My app service uses Azure SQL, redis and search service.
Short answer to your question is no, you will not need to add Azure data center IP addresses for using Azure services. Only case where you need to add IP addresses to the allow list is when a service/application tries to access your web application and not the other way round.
Given your objective to restrict public access, you should definitely consider using the IP restrictions feature from Azure Portal. Microsoft has improved this feature and it's better than having just the web.config <ipsecurity> configuration,
With Azure App Service IP restrictions, traffic will blocked even
before it reaches your IIS.
You can still continue to use your web.config configuration as it is.
Configuration effort is pretty minimal as it's all available through portal
Read more about it here
Azure App Service Static IP Restrictions
For a time, the IP Restrictions capability in the portal was a layer
on top of the ipSecurity capability in IIS. The current IP
Restrictions capability is different. You can still configure
ipSecurity within your application web.config but the front-end based
IP Restrictions rules will be applied before any traffic reaches IIS.
I have a deployed web app in azure but I want to allow only specific ip address ( or mac address if possible) to access the sites on the web app I deployed on azure. I've been searching for internet for step by step instructions but I really cannot find one. I saw several codes to paste to web.config but I do not know how to do it nor find that file.
What I understand is that I need to setup a network security group found under the settings on my web app but I cannot find it there. I can only see networking. Can someone please provide step by step instructions. TIA
According to your description, we should create an app service Environment(virtual network), in this way, we can add NSG to the virtual network, then we can set inbound rules for this virtual network, in this way, we can control inbound traffic to web app.
We can follow this official article to create app service environment and add NSG to web app.
I've been running the free trial and am trying to point of my name cheap domain to the vm web site I have created.
I covered the server Ip.
Here are my namecheap settings for the domain.
The covered Ip is the same as above..
Here are my IIS settings
Change the Hostname to my actual domain.
I've also disabled Windows firewall and added port 80 and 443 in the security app hooked to the Azure VM. I can't seem to connect to the website at all. Am I missing something? I've been troubleshooting for hours and cant find anything except basic tutorials and how to do it on the Classic Azure portal.
thank you.
If you are using V1 (old portal/classic) Azure VM resources, then you need to open up the endpoint on the cloud services. All VMs exist as part of a Cloud Service.
From the new portal,
Select the VM (Classic)
Settings
Endpoints
Add the required port (make sure public port is the one you want to use, say 80, and the internal port is the one IIS is listening for)
If you are using V2 resources, you need to add a public IP to your VM before it can be reached from the outside world.
From the new portal
Click on the VM
Open settings
Select Network Interfaces
Select IP Address
Enable public IP (and add a PIP)
Keep in mind that in Azure, all IPs are dynamic. You will want to configure DNS settings against the DNS names provided, and not the IP address (as this will change if you power off the machine). For V1, use the cloud service name. For V2, you are given the option when creating the PIP to have azure assign a DNS name.
For testing, try to telnet on port 80 to the correct DNS name.
I have configured my Azure Web Apps and App Hosting Plan to connect via Point-to-Site gateway with my Virtual Network in Azure. I followed this article here:
https://azure.microsoft.com/en-us/documentation/articles/web-sites-integrate-with-vnet/
I have a VM that is hosting DNS and my Virtual Network is configured to use this.
I want to be able to reference services running in my Virtual Network from my Web Apps via domain name and not by direct IP address.
It works fine if I connect using the VM's internal IP address eg 192.168.1.4. But, when I add a DNS A record pointing my-service.my-vnet.local to 192.168.1.4, my web app can't resolve the domain.
I attempted to check the DNS settings of the web app and it appears my internal DNS server is not one of the hosts configured. Here's the code I ran in my web app:
from nic in NetworkInterface.GetAllNetworkInterfaces()
let props = nic.GetIPProperties()
select String.Join("; ", props.DnsAddresses.Select(x => x.ToString()))
Is this possible to do? If so, can anyone suggest what I need to do?
From everything we have tried and talking with Azure folks at Ignite, Web Apps (point-to-site) were not designed to be joined to a domain. That said, we are successfully using web apps to access on-premise web services using a binding with a fully qualified domain name (FQDN) and securing that traffic be certificate.
Due to the way web apps connected to a VNET works, you will not be seeing the DNS servers when you list all interfaces. If in command line you run the command:
SET WEBSITE_
You should see an environment variable that holds your configured DNS servers. If not, you should go to your web app in the Azure Portal, to the Vnet section, and hit the "Sync Data" button.