I am using Microsoft Azure. Specifcially I have API Management Set up as a public gateway. Internally we have a VNet (Its actualy hosting in Azure Environment Service, so its basicallyan isolated App Service inside). I want to connect to the App Service inside the VNet from my API Management service (i.e. route calls from Api Management to backend services in my App Services in the VNet).
I know i can use the network connection to connect as an external API Management to my VNet , but this requires the Premium service level of API Management which is super expensive. Is there a way to route traffic from API management standard Version (which does have a Static IP) through to a service inside a VNet/Subnet though some configuration (other than network connection from the API Management blade).
Thanks in advance.
If you want to use API Management in the VNET then you are limited to Premium or Developer. However, the App Service Environment can have an external interface and API Management can talk to that.
You would need to add some additional security to your external interface to ensure only API Management has access. This could just be an IP filter rule.
Related
I have been messing around with Azure trying to get a web app up and running. My plan was to create a WAF and site the web app behind that, each in a seperate subnet and then to use the service endpoint tech to point the web app to a database.
I have been stopped in my tracks almost straight away with the revelation that if i want to use a WAF in front of the web app i have to configure the networking in the web app but when i choose a vnet it says that no gateway is configured for the selected VNET.
My question being is do i have to use point to site VPN to get this setup working? i thought that it would work like
INTERNET ---> VNET ----> subnet ----> WAF -----> subnet -----> web app ----> service endpoint ------> DB
but that doesnt seem to be the case. I am not keen on the idea of having to install a client certificate on every machine in our network that might want to access this website (it is currently internal). I suppose i am looking for the best of both worlds. Accessible from the internet but having the added comfort of having something like a WAF sat in front of it to make up for any security inadequacies which might exist somewhere in said app.
Thanks
As far as I know, you could not deploy a web app in a VNet unless you are using the App Service Environment(Isolated). App VNet integration could not do it. It allows you to securely access resources in a VNet. For example, you have a database on an Azure VM in a private VNet. You could not access it from Azure web app to this database if this database is not available publicly, but you could reach it via app VNet integration.
VNet service endpoints is another different service. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. If you enable such service endpoint like Azure SQL database( which differs from the database on Azure VMs) in a VNet, this means only the resource in these authorized VNets could access your SQL database unless you add an exclusion like the public IP address in the firewall of the database.
In this case, you could put a Public facing Azure app gateway at the high level of the web app service, then add the Azure app gateway public IP in the IP restriction of the web app.This will restrict to access to web app via Azure web app gateway over the Internet. Also, you could control the network inbound and outbound in Azure app gateway subnet NSG. See Network security groups on the Application Gateway subnet if you want to add an NSG to the app gateway subnet level. I think these are enough if you just want to create a WAF and site the web app behind that.
Furthermore, if you want to let web app privately access the Azure SQL database. You could deploy a web app in an ASE, then enable the VNet service endpoint for Azure SQL database. App VNet integration does not need to use it with the service endpoint.
If you want to use Azure WAF with Azure App Service (multi-tenant) you can, you just need to ensure you are supplying the host header with your request.
If you want you Azure Web App on a VNet, you will need to run your Azure Web App on an App Service Environment (Isolated). This version of Azure Web App is more expensive but allows you to apply NSG's to the VNet to fully control access to your web app. Personally I think WAF w/ Azure App Service (multi-tenant) should meet your needs.
We have it all documented here:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview
https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal
How can I make the Azure Web App or web service to only through Application Gateway and disable direct access. So nobody will be able to access through the direct Fully Qualified Domain name such as mysite.azurewebsite.net?
Thanks for your help in advance.
You could set up Azure web app in the ILB Azure service environment. Azure ASE is a deployment of Azure App Service into a subnet in an Azure virtual network (VNet). This ILB ASE (Internal ASE) isn't exposed to the Internet. You can follow this blog to run an App Service behind a WAF-enabled Application Gateway.
This Web App isn't publicly accessible as it is sitting in a subnet
inside a Virtual Network and it isn't exposed to the internet. The
only way to access the site is through a Web Application Firewall
enabled Application Gateway.
Besides, If you just want to restrict public access to your Azure Web Apps with the IPSecurityRestrictions option, you can refer to this to get more references.
I have an on premise desktop application and I need it to hit Web APIs I have living in an App Service Web App (on an App Service Plan) in Azure.
My on premise resources are connected over a site to site VPN and I was wondering if there is a way I can call these Web API services(in an app service) directly over the VPN instead of going to the public endpoint.
The "normal" App Service Plan exists in a multi-tenant environment so this is not possible. You would need to use an ASE (App Service Environemnt) to use advanced networking features like VPN and NSG.
I have a .NET Web Api project with several REST endpoints that I only want accessed by resources from within an Azure virtual network I have created. Resources such as Azure Functions and Azure Web Roles will access these endpoints only. In other words, I do not want the endpoints publicly available.
So, I configured the Web Api application with my virtual network but apparently I also need to add the Web Api application to an Application Service Environment (which are quite costly from what I have read). To quote the Azure documentation:
VNET Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network.
Do I indeed need to use an Application Service Environment and just deal with the costs or is there another way I can achieve what I want?
I do not want the endpoints publicly available.
Until now, Azure web app only supports for using an internal load balancer with the app service environment feature. If you want to make your Web API can only be accessed internally. An app service environment is required.
If you don't want to move your Web API to app service environment and your Azure function and web role have fixed ip addresses, you could configure the IP whitelist using ipSecurity configuration in your web API. For more information of ipSecurity, link below is for your reference.
IP and Domain Restrictions for Windows Azure Web Sites
My company has several RESTful services that are behind a firewall. I would like to be able to access these services from the Azure cloud with a client app as if the service is located in Azure.
For example, if I have an on-premises url like:
https://onpremiseservice/Customers/1
I would like to be able to access it from Azure like
https://mycompany.azurewebsite.net/Customers/1.
Is this possible? Can I do some kind of URL forwarding?
Updated 26th September 2022
You have many options, here they are in order of ease of configuration vs performance (ExpressRoute being the hardest to configure but with the best performance).
Use Azure API Management it was designed for this use case.
Configure the on prem firewall so that your Azure web app outbound IP's can connect to the on prem API. Then create a Web API in the Azure web app that proxies calls using HttpClient to your on perm API.
Use a Hybrid Connection
Use Point-to-Site VPN
Use Site-to-Site VPN
Use ExpressRoute
More information on your options in depth
It is possible. Use Azure Service Bus Relays.