Trying to secure an API apps endpoint without Azure Active Directory. I have seen examples of NSG for securing SQL Server endpoints.
But with PaaS services (web apps / api apps/ logic apps) since they dont have VNETS I am bit confused as to how NSG will restrict traffic.
On Api app blade I see a "Networking" option and clicking that takes me into setting up VNET integration. When I click VNet setup starts gateway setup and configuration.
Has anyone done something similar where they secure backend api services using NSG and not API Gateway or AAD authentication.
Thanks !!
If you integrate the app service with a vnet, you can use NSGs to restrict the traffic, but only for the traffic connecting via the private network. vnet integration works with a vpn connection, hence the required deployment of a gateway on the vnet.
In this setup, the api app will still be accessible on the internet and that traffic will not be affected by the NSG, since it does not touch the vnet.
If you want to secure incoming traffic based on network origin you could implement that in application, but I would recommend against relying solely on that for security.
Related
I deploy my web application to an App Service instance on Premium tier. My web application makes outbound requests to external resources on the Internet.
In order to secure the connection with one of these external resources so I can reach it with a private IP address, my plan is to create a Site-to-Site VPN from Azure to Oracle Cloud Infrastructure (where the external resource resides). Then, I plan to use the VNET Integration for outbound traffic and connect my App Service to my VPN.
My question is - will the web application still be able to reach the other external resources on the Internet with their public IPs? I believe the answer is related to routing tables but I can't wrap my mind around it.
Just because you integrate a Regional VNet (I'm assuming) doesn't mean the app service won't be able to make outbound connections. Pretty much like
When you integrate your app service with your VNet that has the site-to-site VPN, traffic from your app service will traverse the Azure network rather than going out to internet, assuming your app service is using an RFC1918 address for your infrastructure. If you want to secure the traffic even further, then your app service would need to be hosted inside an App Service Environment
I have 2 app service plans in the same Azure region running 1 app each - web frontend on one, API on the other.
I want to use access restrictions on the API to only allow access from the front end app.
I set access restriction rules using all the outgoing IP addresses associated with the frontend app (I note that these are exactly the same as the outgoing IP addresses on the API app as well) however when the frontend app tries to contact the API I get an error:
403 forbidden 'The web app you have attempted to reach has blocked your access.'
The 2 apps can communicate as normal when the access restrictions are removed.
I turned on diagnostic settings and ran a query on IP blocking by the app.
Turns out that the FE app is using an IPv6 address instead of the v4 addresses listed in the app properties.
This is because the app has a vnet integration set up connecting to a Subnet delegated to Webservice/serverfarm.
Azure does not make it obvious that using delegated subnets forces an integrated app to use IPv6 and there does not appear to be a way to discover what v6 addresses may be in use. MS forum response suggests any firewall rule for a web app attached to a delegated subnet should allow ALL IPv6 addresses (!!) as a way of working around the problem.
https://learn.microsoft.com/en-us/answers/questions/493483/why-is-my-azure-web-app-showing-an-ipv6-outbound-i.html
You can control the IP address of outbound traffic from your FE web app by using regional VNet integration together with a virtual network NAT gateway to direct traffic through a static public IP address. Regional VNet integration is available on Standard, Premium, PremiumV2 and PremiumV3 App Service plans. To learn more about this setup, see NAT gateway integration.
Once you FE web app has a static IP you can use that on the API web app restriction in an ALLOW rule.
If your requirement fits, you may also leverage Service Endpoints.
With service endpoints,to ensure inbound traffic to your API app comes only from the subnet used by your front-end web app.
With this route, you need to use VNet Integration with your front end app and service endpoints with your API app. Set service endpoints on the integration subnet used by your Front End application. This solution is fast to set up and easy as well.
-This feature works together with IP access restrictions. Service endpoints aren't compatible with remote debugging. There are some considerations you need to make, you may take a look at them here and also other combination of networking features available on App Service and related scenarios.
As a side note:
-IP-based access restriction rules only handle virtual network address ranges when your app is in an App Service Environment. If your app is in the multitenant service, you need to use service endpoints to restrict traffic to select subnets in your virtual network.
-On App Service, you could have those two separate apps in the same App Service Plan (ASP), since you pay only for ASP, saving costs.
So, you can continue to add apps to an existing plan as long as the plan has enough resources to handle the load. The apps in the same App Service plan all share the same compute resource.
We have set up a VPN gateway and used it to connect an on-premise network with an Azure VNet. We have successfully tested a number of scenarios
communication from VMs to on-premise DBs
communication from on-premise computers (desktops and servers) to VMs (SSH etc.)
communication from on-premise computers (desktops and servers) to services with Private Link endpoints (App Serivces, DBs etc.).
The use-case we are now attempting is to access an on-premise DB from an app-service. I have integrated the app-service to the routed VNet and also added a service endpoint to this VNet. I have seen infos that this should work but it is not getting though.
A second question is what is the actual source ip of the app-service when it connects to the on-premise server. Surely not the outbound IPs? These are non-exclusive public IPs. Opening these on our VPN firewall would be a risk. In this case is the solution to also give the app service in question a private link endpoint. Will it's source IP then be the private IP of the PL?
Private Endpoint is only used for incoming flows to your Web App. Outgoing flows will not use this Private Endpoint, but you can inject outgoing flows to your network in a different subnet through the VNet integration feature. When you enable Private Endpoint to your Web App, the access restrictions configuration of the Web App is not evaluated. So in this case, I don't think you need to set the service endpoint Microsoft.Web for your web app if you have set it. Reference from using Azure private endpoint for Azure web app.
When regional VNet Integration is enabled, your app makes outbound calls to the internet through the outbound addresses that are listed in the app properties portal. Regional VNet Integration works by mounting virtual interfaces with addresses in the delegated subnet. If WEBSITE_VNET_ROUTE_ALL is set to 1, all outbound traffic can be sent into your VNet. So the source IP address will be from the integrated subnet when app service comes to the on-premise server as the #silent's comment. Reference from how regional VNet Integration works. Please note that the feature supports only one regional VNet Integration per App Service plan.
I have azure app service which runs .net core web api. This api access several external API s to get data and those external services has to whitelist the outbound ip addresses of my app service.
Azure app service has several outbound ip addresses and it can be change when upgrade/downgrade app service or when make internal changes like changing app service plan or resource group.
Is there any solution in azure to setup this app service behind a forward proxy ?, so i can share the IP of the forward proxy to external parties.
I think the best way would be to add all App services under a virtual network and create a Virtual Network Gateway to all outbound connections.
This would potentially need below azure services to be created:
- Virtual network
- Subnet
- Virtual Network gateway
- Routing tables (to route traffic via Gateway)
A better way would be sharing a domain name rather than IP address. Here's how to configure it directly in the Azure Portal:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
You can also add an API Management in front of your web app and use it as API gateway and also apply policies on it.
https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain
I've got an Azure app service that I'd like to use to run some software that requires licensing. The license is provided via a server on our internal network. The issue being finding a way to connect to this server.
The first option is to provide a fixed license that ties to the MAC address. However I don't think this will be possible from an app service, as it does not really have a MAC address? Can I provide a VNI to it and obtain a fixed MAC address that way?
What other options are there? Can the app service be tied to a VNET that can tunnel to the on-premises resource? Should I use a VM with a VNI instead of an app service? Any resources on these kind of problems would be appreciated.
I have used Azure Relay to connect my on-prem service with my app service. Not sure if you have already considered this option.
If your requirement is to establish a connection between your on-prem service and you app service, check out this https://learn.microsoft.com/en-us/azure/service-bus-relay/relay-what-is-it
Hope this helps
You could use VNet Integration with Azure App service and Azure VPN gateway to connect to on-premise resources. VNet Integration is used only to make outbound calls from your app into your VNet. There are Regional VNet Integration and Gateway-required VNet Integration.
How regional VNet Integration works
Regional VNet Integration works by mounting virtual interfaces with
addresses in the delegated subnet. Because the from address is in your
VNet, it can access most things in or through your VNet like a VM in
your VNet would. The networking implementation is different than
running a VM in your VNet. That's why some networking features aren't
yet available for this feature.
How gateway-required VNet Integration works
Gateway-required VNet Integration is built on top of point-to-site VPN
technology. Point-to-site VPNs limit network access to the virtual
machine that hosts the app. Apps are restricted to send traffic out to
the internet only through Hybrid Connections or through VNet
Integration. When your app is configured with the portal to use
gateway-required VNet Integration, a complex negotiation is managed on
your behalf to create and assign certificates on the gateway and the
application side. The result is that the workers used to host your
apps are able to directly connect to the virtual network gateway in
the selected VNet.
For more information, you could read this blog---How to Connect Azure Web Apps To On-Premises
In addition, If you need more control of the application deployment and less scale out or in than the Azure app service. You could host your application on the Azure VM, then set up a VPN gateway in that VNet where Azure VM locate, it allows access to the on-premise resources from your Azure VM as usual in the internal network.