Azure documentdb firewall blocked access from web job - azure

I'm trying to enable the Azure DocumentDB firewall by enabling "Enable IP Access Control".
I managed to allow connections from my App Service. However, the WebJobs that reside on the App Service do not have access to the Azure DocumentDB.
Is there a way to allow WebJob access to the DocumentDB?
Thanks

Is there a way to allow web job access to the DocumentDB?
In short, no.
If we want to enable the firewall blocked access policy, we need to add the allowed list of IP addresses or IP address ranges. We can get more info from the document. But the Azure Web App IP is not static.
all of access to your Azure Cosmos DB database account from machines outside the configured allowed list of IP address ranges are blocked
I managed to allow connections from my App Service
If that means that you have turned "Allow access to Azure Portal" on.
If that is the case, it doesn't mean that we can access DocumentDB from other Azure services; it means that we can perform operations on the collections or documents within the account from the Azure portal.
Without portal access enabled, you will not be able to perform any operations on collections or documents within this account from the portal
In summary, if we want to allow WebJob access to the DocumentDB then we need to turn Enable IP Access Control off. Or we could use an Azure cloud service or virtual machine instead of the WebJob.
Edit:
According to your comment, if we want to use the same IP as the Web App, we could use the outbound IPs. We can get them from the Azure resources site (https://resources.azure.com/), then add the outboundIpAddresses to the DocumentDB allowed IP list. Then the WebJob could access the DocumentDB.
Note: The outboundIpAddresses are not static IPs; they may change when we restart the Web App or change the Web App service plan.
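As an added example (not part of the answer above, and not anything the Azure project ships), here is a POSIX shell script that does what the edit describes in a repeatable way: it reads the App Service's outboundIpAddresses and possibleOutboundIpAddresses, reports which of them the Cosmos DB account's IP filter does not yet contain, and only then updates the filter. Because the outbound IPs are not static, the drift check is the part worth running on a schedule. RG, APP and COSMOS are placeholder names you set for your own environment; the az commands used (az webapp show, az cosmosdb show, az cosmosdb update --ip-range-filter) are real CLI commands, and nothing talks to Azure unless RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example: reconcile an App Service's outbound IPs with a Cosmos DB IP filter.
# RG, APP and COSMOS are placeholder names for your environment (assumption).

# Turn a comma-separated IP list into one entry per line: trimmed, deduplicated, sorted.
normalize_ips() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# Merge outboundIpAddresses and possibleOutboundIpAddresses (they overlap) into one list.
# Allowing the "possible" set too means a restart or plan change does not silently break access.
merged_outbound_ips() {
  normalize_ips "$1,$2"
}

# Drift check: print every IP in the app's list that the configured filter does not contain.
filter_drift() {
  app_ips=$(normalize_ips "$1")
  configured=$(normalize_ips "$2")
  printf '%s\n' "$app_ips" | while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    printf '%s\n' "$configured" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
  done
}

# Comma-separated form expected by `az cosmosdb update --ip-range-filter`.
to_filter_arg() {
  normalize_ips "$1" | tr '\n' ',' | sed 's/,$//'
}

# Live reconciliation: needs an authenticated az CLI. Existing filter entries are kept,
# so nothing that was allowed before (for example the portal) is dropped by this script.
reconcile_cosmos_filter() {
  rg=$1; app=$2; cosmos=$3
  current=$(az webapp show -g "$rg" -n "$app" --query outboundIpAddresses -o tsv)
  possible=$(az webapp show -g "$rg" -n "$app" --query possibleOutboundIpAddresses -o tsv)
  configured=$(az cosmosdb show -g "$rg" -n "$cosmos" \
    --query "ipRules[].ipAddressOrRange" -o tsv | tr '\n' ',')
  wanted=$(merged_outbound_ips "$current" "$possible")
  drift=$(filter_drift "$wanted" "$configured")
  if [ -z "$drift" ]; then
    echo "Cosmos DB IP filter already covers every outbound IP of $app."
    return 0
  fi
  echo "Outbound IPs of $app missing from the Cosmos DB filter:"
  printf '%s\n' "$drift"
  az cosmosdb update -g "$rg" -n "$cosmos" \
    --ip-range-filter "$(to_filter_arg "$wanted,$configured")"
}

# Only talk to Azure when explicitly asked; the functions above are pure and testable offline.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  reconcile_cosmos_filter "${RG:?set RG}" "${APP:?set APP}" "${COSMOS:?set COSMOS}"
fi
```

Run it as `RUN_LIVE=1 RG=... APP=... COSMOS=... sh reconcile.sh` after `az login`. Stale entries (addresses the app no longer uses) are deliberately not removed here; review those by hand, since the script cannot tell an old outbound IP from an address you added for another reason.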

Related

Is my web app & table storage sufficiently secured from public facing internet?

Intro:
I have an asp.net core app service hosted in Azure.
This app service has an API controller that reads/writes to an Azure Table Storage.
The code for this uses the Azure.Data.Tables library with an Access Key that I set up from the Azure portal (for the table storage).
Now, under the storage account / Networking blade, I have selected the "Enabled from All Networks".
Question:
Does this mean this storage account is open to the entire internet? I am confused whether this is secured because my code is accessing it via the Access Key (which I mentioned above).
Thank you.
Regarding the settings above, Enabled from all networks means the storage account endpoints (i.e. blob, table, queue, etc.) will accept traffic from the internet, but you still need the access key to view any data.
Enabled from selected virtual networks and IP addresses means that traffic will only be allowed from resources on the same VNet or specific IP addresses that you've configured, e.g. your local device's public IP provided by your ISP. This is a more secure method because you are essentially whitelisting what can connect.
Disabled means nothing outside of Azure can access the storage account and you will connect via Private Endpoint.
If your access key is inside your code, then this isn't the most secure method. You would want to have your connection with the access key in either Application Settings, so it can be retrieved as an environment variable, or in Azure Key Vault. Using Key Vault allows you to dictate what service or user can retrieve that value.
I would suggest assigning the system-assigned managed identity to the App Service. Then use the resource instance rules in the storage networking settings to configure the firewall: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-azure-resource-instances
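As an added example of the suggestion above (my own script, not code from either answer or from Microsoft), this POSIX shell script turns on the system-assigned managed identity for the App Service, grants it a table-only data-plane role scoped to the one storage account, adds a resource instance rule for that App Service, and only then sets the account's default action to Deny. SUB, RG, APP, STORAGE and TENANT are placeholder values for your environment; the az commands (az webapp identity assign, az role assignment create, az storage account network-rule add --resource-id --tenant-id, az storage account update --default-action) are real, and with DRY_RUN=1 the script prints the commands instead of running them so the change set can be reviewed first.

```shell
#!/bin/sh
# Added example: move an App Service from an access key to a managed identity and
# fence the storage account to that one app with a resource instance rule.
# SUB, RG, APP, STORAGE and TENANT are placeholder values for your environment (assumption).

# Run a command, or with DRY_RUN=1 print it so the change set can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ARM resource IDs used both for the RBAC scope and for the resource instance rule.
webapp_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s\n' "$1" "$2" "$3"
}
storage_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' "$1" "$2" "$3"
}

# Given the identity's principal ID, grant least-privilege data access and close the
# firewall to everything except this specific App Service instance.
grant_and_fence() {
  sub=$1; rg=$2; app=$3; storage=$4; tenant=$5; principal=$6
  storage_id=$(storage_resource_id "$sub" "$rg" "$storage")
  app_id=$(webapp_resource_id "$sub" "$rg" "$app")

  # Data-plane role for tables only, scoped to this one account (no Owner/Contributor).
  run az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Table Data Contributor" --scope "$storage_id"

  # Add the exception first, then flip the default to Deny, so there is no window in
  # which the app is cut off. The rule is tied to the app's identity, not to its
  # outbound IPs, so it survives restarts and plan changes.
  run az storage account network-rule add -g "$rg" --account-name "$storage" \
    --resource-id "$app_id" --tenant-id "$tenant"
  run az storage account update -g "$rg" -n "$storage" --default-action Deny
}

# Live run: create the identity (its principalId is the assignee), then grant and fence.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  principal=$(az webapp identity assign -g "${RG:?set RG}" -n "${APP:?set APP}" \
    --query principalId -o tsv)
  grant_and_fence "${SUB:?set SUB}" "$RG" "$APP" "${STORAGE:?set STORAGE}" \
    "${TENANT:?set TENANT}" "$principal"
fi
```

On the application side, Azure.Data.Tables' TableServiceClient can be constructed from the account URI plus a TokenCredential (for example DefaultAzureCredential) instead of a connection string, so after this change the access key no longer has to exist in code, app settings or Key Vault at all.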

Azure Functions storage account network security

I am currently working with a client that requires all Azure resources to be locked down as much as possible, and I am having problems with the Storage Account that is utilised by our Azure Functions.
With the Firewalls and Virtual Networks blade in the portal set to "All Networks" I am able to deploy to the Function App and it runs without issue.
However, once I enable the access restriction by checking "Selected Networks", no matter what virtual network subnets or IP addresses I enter, I cannot get the communication to work.
I have entered the Outbound IP Addresses of our Consumption-based Function App and also checked that the additional IP addresses from PowerShell have all been added to the whitelist. I have also added all the CIDR IP ranges of the local Azure datacenter, but again it does not work.
The problem we have is that once the access restrictions have been put into place we are unable to deploy to the Function App and the app no longer runs. Is this scenario supported, and what is the mechanism for tying down access to the Storage Account so that only the Function App can utilise it?
As far as I know, you have two options to restrict access to your storage account from your function app or web app.
Whitelist the outboundIpAddresses and possibleOutboundIpAddresses of the function app in the firewall of the storage account. However, it does not work if the Azure function app and Azure storage are located in the same region; refer to Sam's answer.
when you hit the storage account from your function, because they are in the same region as each other, all the traffic goes over the internal Azure network on internal IP's, not the public IPs listed in the web app, and so is not allowed over the firewall.
If your resources were in different regions, you could use the network section of the function app to allow the function app to access resources in a VNet, then enable the service endpoint for Microsoft.Storage in this app integration subnet. But you need the Azure Functions Premium plan; refer to this tutorial: integrate Functions with an Azure virtual network.
Sometimes, the deployment order for networking is important. In this case, you will deploy the following:
Firstly, you could deploy a new VNet integration with an unused subnet. After the VNet Integration is completed and the function app is restarted, you could enable the service endpoint for this subnet. In the end, you could add the subnet to the firewall of the storage account.
Note that the new version is in Preview currently. You could also check these characteristics and get more references from this thread.

Is it necessary to add Azure IP datacenter IP's to app service whitelist?

I have to restrict public access to my Azure app service, hence I have implemented an IP whitelist in web.config. Is it required to whitelist the Azure datacenter IP ranges?
My app service uses Azure SQL, redis and search service.
The short answer to your question is no, you will not need to add Azure data center IP addresses for using Azure services. The only case where you need to add IP addresses to the allow list is when a service/application tries to access your web application, and not the other way round.
Given your objective to restrict public access, you should definitely consider using the IP restrictions feature from the Azure Portal. Microsoft has improved this feature and it's better than having just the web.config <ipSecurity> configuration:
With Azure App Service IP restrictions, traffic will be blocked even before it reaches your IIS.
You can still continue to use your web.config configuration as it is.
Configuration effort is pretty minimal as it's all available through portal
Read more about it here
Azure App Service Static IP Restrictions
For a time, the IP Restrictions capability in the portal was a layer on top of the ipSecurity capability in IIS. The current IP Restrictions capability is different. You can still configure ipSecurity within your application web.config but the front-end based IP Restrictions rules will be applied before any traffic reaches IIS.
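As an added example of the front-end IP restrictions the answer recommends (my own script, not code from the answer or from Microsoft), this POSIX shell script builds the inbound allow-list for an App Service with az webapp config access-restriction, one Allow rule per range with ascending priority, and then applies the same rules to the SCM (Kudu) site so the deployment endpoint is not left open. RG and APP are placeholder names and the CIDRs used in the test are constructed sample values. As the answer says, outbound calls from the app to Azure SQL, Redis or Search need no entry here; these rules only govern who may reach the app. With DRY_RUN=1 the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example: inbound allow-list for an App Service via front-end IP restrictions
# (applied before traffic reaches IIS) rather than web.config <ipSecurity>.
# RG and APP are placeholder names; the ranges you pass in are your own (assumption).

# Run a command, or with DRY_RUN=1 print it so the change set can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept "203.0.113.7" or "203.0.113.0/24"; a bare address becomes a /32 so it matches one host.
to_cidr() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Add one Allow rule per range with ascending priority. Once any Allow rule exists the
# service applies an implicit deny-all to everything else, so no explicit Deny rule is needed.
restrict_inbound() {
  rg=$1; app=$2; shift 2
  prio=100
  for range in "$@"; do
    cidr=$(to_cidr "$range")
    run az webapp config access-restriction add -g "$rg" -n "$app" \
      --rule-name "allow-$prio" --action Allow --ip-address "$cidr" --priority "$prio"
    prio=$((prio + 10))
  done
  # Mirror the rules onto the SCM/Kudu site so deployment and console access are fenced too.
  run az webapp config access-restriction set -g "$rg" -n "$app" \
    --use-same-restrictions-for-scm-site true
}

# Live run: ALLOW is a space-separated list of addresses or CIDRs, left unquoted on purpose.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  # Outbound calls to Azure SQL, Redis or Search need no rule here; these only govern inbound.
  restrict_inbound "${RG:?set RG}" "${APP:?set APP}" ${ALLOW:?set ALLOW}
fi
```

Keep the existing web.config ipSecurity section if you like; as the quoted text notes, the front-end rules are evaluated first, so the two layers do not conflict.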

Azure Storage firewall open to Azure App Service

I have an Azure Storage account and need to enable the storage firewall.
I have added the outbound IP addresses of my App Service, but the firewall still prevents access. (I know that these addresses can change, but they change predictably, so I can live with that.)
Is there a solution to grant an App Service access to the Storage account other than disabling the firewall (and other than using an ASE, which isn't an option)?
So it turns out that in a new Azure Storage account with a new App Service, setting the storage firewall to the outbound IPs of the App Service does work as expected. Unless the client browser is actually doing the download, adding the client's IP is not required.
Edit
This only works reliably when the storage account is in a different data centre to the App Service. When they are both in the same data centre, an internal outbound address (e.g. 10.x.x.x) is presented from the App Service to the Storage account. Internal addresses cannot be added to the Storage firewall.
If you access your web app service from on-premises networks, you need to grant access from your on-premises networks to your storage account with the public Internet-facing IP address used by your network. You can get more details from Grant access from an internet IP range.
If you have VNet Integration with your apps, you should first enable service endpoints for storage in the VNet. You can refer to Grant access from a virtual network.
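The two threads above (the Azure Functions storage question and this one) describe the same pair of facts: IP-based storage firewall rules only work when the app and the storage account are in different regions, and the subnet-based alternative must be deployed in a particular order. As an added example (my own script, not code from any of the answers or from Microsoft), this POSIX shell script first compares the two resources' locations to decide which approach can work, then carries out the subnet route in the order the Functions answer gives: VNet integration, restart, enable the Microsoft.Storage service endpoint on the subnet, and only then add the subnet rule and set the default action to Deny. RG, APP, VNET, SUBNET and STORAGE are placeholder names; the az commands (az webapp vnet-integration add, az webapp restart, az network vnet subnet update --service-endpoints, az storage account network-rule add --vnet-name --subnet) are real, and DRY_RUN=1 prints them instead of running them. For a Function App the same steps use az functionapp in place of az webapp, and, as the Functions answer notes, VNet integration needs a Premium plan.

```shell
#!/bin/sh
# Added example: fence a storage account to an App Service by subnet rather than by IP,
# in the order the answers describe. RG, APP, VNET, SUBNET and STORAGE are placeholders
# (assumption).

# Run a command, or with DRY_RUN=1 print it so the change set can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Azure reports locations inconsistently ("West Europe" for a web app, "westeurope" for a
# storage account); normalise before comparing so the same-region check is reliable.
norm_location() {
  printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]'
}
same_region() {
  [ "$(norm_location "$1")" = "$(norm_location "$2")" ]
}

# In-region traffic arrives from internal addresses the storage firewall cannot be told
# about, so there only a subnet rule works; across regions the outbound-IP rules can work too.
fencing_strategy() {
  if same_region "$1" "$2"; then echo subnet; else echo ip-or-subnet; fi
}

# Ordering matters: integrate, restart, enable the endpoint, then add the rule.
vnet_fence_storage() {
  rg=$1; app=$2; vnet=$3; subnet=$4; storage=$5
  # 1. Regional VNet integration on a subnet dedicated to the app.
  run az webapp vnet-integration add -g "$rg" -n "$app" --vnet "$vnet" --subnet "$subnet"
  # 2. Restart so outbound traffic really leaves through the integrated subnet.
  run az webapp restart -g "$rg" -n "$app"
  # 3. Only now enable the Microsoft.Storage service endpoint on that subnet.
  run az network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" \
    --service-endpoints Microsoft.Storage
  # 4. Allow the subnet first, then switch the account's default action to Deny.
  run az storage account network-rule add -g "$rg" --account-name "$storage" \
    --vnet-name "$vnet" --subnet "$subnet"
  run az storage account update -g "$rg" -n "$storage" --default-action Deny
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  app_loc=$(az webapp show -g "${RG:?set RG}" -n "${APP:?set APP}" --query location -o tsv)
  st_loc=$(az storage account show -g "$RG" -n "${STORAGE:?set STORAGE}" --query location -o tsv)
  echo "Fencing strategy for $APP -> $STORAGE: $(fencing_strategy "$app_loc" "$st_loc")"
  vnet_fence_storage "$RG" "$APP" "${VNET:?set VNET}" "${SUBNET:?set SUBNET}" "$STORAGE"
fi
```

If the account being fenced is the one the Function App itself runs from (its AzureWebJobsStorage account), expect deployment to stop working as well once the default action is Deny, exactly as the Functions question reports; the subnet rule has to be in place before the default is flipped.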

Access Azure Storage from Azure VM without outbound internet

I have a VNet with a DMZ and multiple internal subnets configured. There is a security requirement to block all outbound internet connections for the internal subnets.
Now, this VM needs to access Azure Blob storage which is hosted in the same region.
I am wondering how to access Azure Blob storage without an outbound internet connection.
Pondering on questions like
1) Can I attach an Azure Storage account to my Azure VNet?
2) Is there an existing solution where I access the internet via a JUMP-BOX network configuration, where my VM internet traffic goes via the jump box?
3) Can this be achieved via Network ACLs, or is there some better solution?
Now, this question is a mix of networking and Azure services; not sure of the right forum for this, Server Fault or Stack Overflow?
Azure Storage uses a public endpoint, as it's a multi-tenant service. You cannot add your Azure storage account to your VNet, since this is not an endpoint you control.
You'll need to access storage directly, via its <storagename>.blob.core.windows.net endpoint. How you ultimately accomplish that is up to you.
