Azure Storage Account firewall AnonymousIpAuthorizationError - azure

I've enabled the Storage Account firewall (preview) feature and I have an Azure Web App that can upload and download files from the Storage Account.
Now the Web App reports it cannot access the Storage Account.
When I enabled diagnostics logging, it displays:
1.0;2017-12-15T07:17:02.1274894Z;GetBlobProperties;AnonymousIpAuthorizationError;403;0;0;anonymous;;mystorageaccount;blob;"https://mystorageaccount.blob.core.windows.net:443/container/file5p.pdf";"/";45752938-001e-0099-7f74-754fae000000;0;10.86.184.194:50506;2014-02-14;119;0;75;0;0;;;;;;;;
Other records (not traffic from the Web App) do have IP addresses displayed instead of AnonymousIpAuthorizationError.
Now I cannot enable the firewall since the Web App has an anonymous IP address.
Are there any options to enable the firewall and only enable traffic from the Web App?

You could attach the web app to a virtual network and allow that VNet's subnet IP range. https://blogs.technet.microsoft.com/canitpro/2015/04/06/step-by-step-connect-an-azure-web-app-to-an-existing-virtual-network/
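The diagnostics record in the question is a Storage Analytics v1.0 log line. As an added example (not code from the question or the answer), the script below parses such records, keeps the 403 IpAuthorizationError/AnonymousIpAuthorizationError denials, and flags whether the address the storage service saw is an internal RFC 1918 address, which cannot be admitted by an IP rule and therefore needs a VNet/subnet rule instead. The field names and the second, public-address log line are constructed for the example.

```python
import csv
import io
import ipaddress
from typing import Dict, List

# Leading field names of a Storage Analytics v1.0 record (semicolon separated,
# URL and object key double-quoted); later fields are ignored here.
FIELDS = ["version", "start_time", "operation", "status", "http_status",
          "e2e_latency_ms", "server_latency_ms", "auth_type", "requester_account",
          "owner_account", "service", "url", "object_key", "request_id",
          "operation_count", "requester_ip"]

# Constructed sample: line 1 is the record quoted in the question; line 2 is a
# made-up authenticated request from a public address denied by the same rules.
SAMPLE_LOG = (
    '1.0;2017-12-15T07:17:02.1274894Z;GetBlobProperties;AnonymousIpAuthorizationError;403;0;0;anonymous;;mystorageaccount;blob;"https://mystorageaccount.blob.core.windows.net:443/container/file5p.pdf";"/";45752938-001e-0099-7f74-754fae000000;0;10.86.184.194:50506;2014-02-14;119;0;75;0;0;;;;;;;;\n'
    '1.0;2017-12-15T07:18:10.0000000Z;GetBlob;IpAuthorizationError;403;0;0;authenticated;mystorageaccount;mystorageaccount;blob;"https://mystorageaccount.blob.core.windows.net:443/container/report.pdf";"/container/report.pdf";00000000-0000-0000-0000-000000000000;0;51.140.0.5:44123;2017-07-29;300;0;80;0;0;;;;;;;;\n'
)


def parse_storage_log(text: str) -> List[Dict[str, str]]:
    """Parse v1.0 records into dicts keyed by FIELDS (other versions skipped)."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    return [dict(zip(FIELDS, row)) for row in reader if row and row[0] == "1.0"]


def caller_address(record: Dict[str, str]) -> str:
    """Strip the port from requester_ip ('host:port'; IPv6 hosts are bracketed)."""
    return record["requester_ip"].rsplit(":", 1)[0].strip("[]")


def triage_firewall_denials(text: str) -> List[Dict[str, object]]:
    """One summary per 403 *IpAuthorizationError record.

    private=True means storage saw an internal address (as happens when app and
    account sit in the same region), so only a VNet/subnet rule can admit it.
    """
    out = []
    for rec in parse_storage_log(text):
        if rec["http_status"] != "403" or not rec["status"].endswith("IpAuthorizationError"):
            continue
        ip = ipaddress.ip_address(caller_address(rec))
        out.append({"time": rec["start_time"], "operation": rec["operation"],
                    "status": rec["status"], "auth": rec["auth_type"],
                    "ip": str(ip), "private": ip.is_private})
    return out


if __name__ == "__main__":
    for row in triage_firewall_denials(SAMPLE_LOG):
        print(row)
```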

Related

Azure VM hosted APIs should be accessible to azure APIM only

I have my APIs hosted on an Azure Windows virtual machine. I want these APIs to be privately consumed by API Management. If I put the VM and APIM in the same VNet and configure APIM as internal, then my APIs exposed by APIM will not be accessible to the public web app, and if I make my APIM external, then my developer portal will be publicly accessible, which I don't want.
Is there any policy or outbound/inbound rule that can be configured so that the APIs on the VM and the APIM developer portal are not publicly accessible?
From the document, if you select the internal option in the virtual network settings of API Management services,
the API Management gateway and developer portal are accessible only
from within the virtual network via an internal load balancer. The
gateway can access resources within the virtual network.
In this case, you can deploy your APIM into a VNet following the common network configurations (DNS and NSG rules). The VM hosting the APIs should be able to resolve the developer portal to a private IP address.

IP filtering for static web hosted endpoint through Azure blob storage

I want to host a website with only html,css,js files in the Azure cloud.
Seems like Azure Blob Static Website is a great option to host it for free if you have an Azure subscription.
Reference: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website
My question here is:
Is there any way to restrict the public IP addresses which can access the endpoint of the Azure Blob hosted Website?
Many of the Azure services provide this feature of IP filtering, but I did not find any way to do it for the above scenario.
Please guide me.
In the storage account, go to Settings → Firewalls and Virtual Networks
Check the radio Selected Networks and then configure the Firewall to allow selected IP address ranges.

Azure WebJob vNet integration

I can't get vNet integration between an Azure App Service / WebJob and its connected Storage Account to work correctly. I have added both the App Service and the storage account to the same vNet and enabled service endpoint binding for Microsoft.Storage. From what I can see in the docs, this is what is needed to get the communication to work between the services. Unfortunately, I get this error in the WebJob log when I try to run it:
"Unhandled Exception: Microsoft.WindowsAzure.Storage.StorageException:
The remote server returned an error: (403) Forbidden. --->
System.Net.WebException: The remote server returned an error: (403)
Forbidden."
If I disable the firewall on the storage account everything works just fine.
All the services are placed in the same resource group and region (West Europe).
I have tried both the "normal" (with gateway) and the new (Preview) vNet integration version on the App Service and both are failing the same way.
I am not using ASE (App Service Environment).
I have also added the following exceptions on the storage firewall:
Storage firewall exceptions
First, when you allow the set of trusted Microsoft services to bypass the network rules, these services will then use strong authentication to access the storage account.
In this case, you may think the Microsoft.Networking service will be allowed by the firewall rule. But basically, VNet Integration does not mean the App Service is inside a VNet. VNet Integration gives your web app access to resources in your virtual network but doesn't grant private access to your web app from the virtual network. We usually use it to securely access resources in a VNet.
If you want to put your App Service in a VNet, you need to deploy it in App Service Environment, then it's already in a VNet.
Alternatively, you could whitelist the outbound web app service IP address in the firewall rule of the storage account.
Hope this helps, feel free to let me know if you have any concerns.
I've struggled myself on this topic.
First off, if you're restricting access to storage using the firewall you need to add your VNET to the storage firewall. Use your delegate subnet when adding your VNET.
When you add the private link between your storage and your VNET, Azure creates a private DNS zone but your app doesn't automatically use it, even when integrated to the VNET.
You can find more here https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
But specifically this passage applies:
After your app integrates with your VNet, it uses the same DNS server that your VNet is configured with. By default, your app won't work with Azure DNS private zones. To work with Azure DNS private zones, you need to add the following app settings:
WEBSITE_DNS_SERVER with value 168.63.129.16
WEBSITE_VNET_ROUTE_ALL with value 1
These settings send all of your outbound calls from your app into your VNet and enable your app to access an Azure DNS private zone. With these settings, your app can use Azure DNS by querying the DNS private zone at the worker level.
You can test the DNS resolution your app is using by opening the debug console and using the NameResolver command:
NameResolver mystorageaccount.blob.core.windows.net or
NameResolver mystorageaccount.queue.core.windows.net
should return your private address. If not, you have a DNS issue.

Access Azure website by IP cause 404 error

I have an Azure website that I can access at
myname.azurewebsites.net
In the Azure dashboard, the IP is 104.214.237.135
When I try to access my website by IP, I get a 404 error.
I don't understand. My App Service plan is S1.
Regards
Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service environment (not in the Isolated tier) share network infrastructure with other apps. As a result, the inbound and outbound IP addresses of an app can be different, and can even change in certain situations.
App Service Environments use dedicated network infrastructures, so apps running in an App Service environment get static, dedicated IP addresses both for inbound and outbound connections.
Azure AppService IP addresses are shared between tenants and not guaranteed to be static. Your app is bound to the hostname, not the IP address. Unless you are using App Service Environment, you cannot use a static / dedicated IP address with Azure AppServices. You can add additional custom hostnames to your app.

Azure Storage firewall open to Azure App Service

I have an Azure Storage account and need to enable the storage firewall.
I have added the outbound IP addresses of my App Service, but the firewall still prevents access. (I know that these addresses can change, but they change predictably, so I can live with that.)
Is there a solution to grant an App Service access to the Storage account other than disabling the firewall (and other than using an ASE, which isn't an option)?
So it turns out that in a new Azure Storage account with a new App Service, setting the storage firewall to the outbound IPs of the App Service does work as expected. Unless the client browser is actually doing the download, adding the client's IP is not required.
Edit
This only works reliably when the storage account is in a different data centre to the App Service. When they are both in the same data centre, an internal outbound address (e.g. 10.x.x.x) is presented from the App Service to the Storage account. Internal addresses cannot be added to the Storage firewall.
If you access your web app service from on-premises networks, you need to grant access from your on-premises networks to your storage account using the public Internet-facing IP address used by your network. You can get more details from Grant access from an internet IP range.
If you have VNet Integration with your apps, you should first enable service endpoints for storage in the VNet. You can refer to Grant access from a virtual network.