For several days I am experiencing that Azure Web Services is receiving many requests in seconds. Due to this Website is not able to load.
Since many days I am experiencing that Azure Web Services is receiving many requests in seconds.
You could check the request logs by enable Web Server Logging in Azure Portal. By researching the log, you could know whether the requests are from legitimate users or programs. If they are from trusted users or programs, you could scale up or out your web app to meet the large number of requests.
If the requests are from attackers, you could block these kinds of requests by configuring Dynamic IP Address Restrictions(DIPR). The DIPR feature provides two main protections for developers:
Blocking of IP addresses based on number of concurrent requests
Blocking of IP addresses based on number of requests over a period of time
For more information, link below is for your reference.
Configuring Dynamic IP Address Restrictions in Windows Azure Web Sites
If IP addresses of the requests are stable, you can also block these addresses or a range of IP addresses using ipSecurity configuration. For more information, link below is for your reference.
IP and Domain Restrictions for Windows Azure Web Sites
Related
We constantly receive SQL injection attempts and other web app attacks from bots.
The IP addresses from this bots are blacklisted at AbuseIPDB.
I would like to know how could I automatically block all IP address blacklisted at AbuseIPDB from all my Azure App Services, does Azure have any feature to automate this process?
Also, is it possible to automatically block an IP address from sending requests if they made a specific amount of invalid requests in a given period of time?
Using Only Web App you can use powershell / REST API to add IP Restrictions:
https://learn.microsoft.com/en-us/rest/api/appservice/webapps/createorupdateconfiguration#ipsecurityrestriction
https://moimhossain.com/2018/07/31/azure-web-app-removing-ip-restrictions/
For a better management in terms of throttling you can use API Management in front of your App Service:
And apply the following policies:
Restrict caller IPs
IP Address throttling
You can automate the changes through API Management REST API: https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-01-01/apipolicy/createorupdate
PS: the API Management may be expensive, but it has a pay per consumption mode that can save you some money and deliver what you want.
I have App Service which is classic web app written in Node.js. Let's say that my app have 2 endpoints: /SecuredEndpoint and /ClassicEndpoint. /SecuredEndpoint should be secured, meaning only certain IP addresses are allowed to access it. ClassicEndpoint on the other hand is public to whole internet.
I've found out that in Azure I can specify Access Restrictions to whole service for certain IP addresses (I can block/allow access based on IP address). But I would like to secure not the whole app but only certain endpoints.
Can someone help me how can I achieve that in Azure?
To restrict certain IP addresses is to restrict ACL in the networking layer. Access Restrictions are effectively network ACLs. However, it is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. In this case, you could consider selecting to use two app services for each endpoint. You can read supported security in the Azure app service.
Alternatively, you may allow certain IP addresses in your special code. Google some samples for such a feature. It might be like this SO thread. For App Service on Windows, you can also restrict IP addresses dynamically by configuring the web.config. For more information, see Dynamic IP Security.
In addition, If you are interested in securing Back-end App Service Web Apps with VNets and Service Endpoints, you could have a look at this blog.
Given that I create an Azure 'App Service'
How do I ensure that this service is only callable from ...
A.> 2 existing external servers (whose IP addresses will be known)
B.> 3 other App Services which I will be creating, but whose IP Addresses may not be known since I may need to scale those out (Over multiple additional instances)
To clarify... Is there some Azure service that will allow me to treat this collective of machines (both real and virtual) as a single group, such that I can apply some test on incoming requests to see if they originate from this group?
on Azure WebApps, You may wish to know; the IP Restrictions (https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions) allow you to define a list of IP addresses that are allowed to access your app. The allow list can include individual IP addresses or a range of IP addresses defined by a subnet mask. When a request to the app is generated from a client, the IP address is evaluated against the allow list. If the IP address is not in the list, the app replies with an HTTP 403 status code.
You can use IP and Domain Restrictions to control the set of IP addresses, and address ranges, that are either allowed or denied access to in your websites. With Azure WebApps you can enable/disable the feature, as well as customize its behavior, using web.config files located in their website.
Additionally, VNET Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network. Private site access is only available with an ASE configured with an Internal Load Balancer (ILB).
If you haven’t checked this already, checkout Integrate your app with an Azure Virtual Network for more details on VNET Integration (https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet)
I strongly suggest dropping the whole what's my IP approach and throwing in OAuth. Azure AD gives you access tokens with moderate effort —
Service to service calls using client credentials (shared secret or certificate)
Else, TLS client authentication would be next on my list. Although that tends to really suck if you have to deal with several programming stacks, TLS offloaders and what not.
I have a Azure Traffic Manager over a geo distributed cloud service. I need to lock down my cloud services which are primarily web apis so that they are accessible to only a certain range or IP ADDRESSES. Is there a way to achieve this? Or may be there are ways to restrict IP addresses on cloud services. But with a combination of traffic manager on top of that would that work?Does traffic manager flow the source ip address to the cloud services?
Traffic Manager cannot filter traffic. It just responds to DNS queries from clients.
The source IP address will be the original one because the traffic doesn't go through Traffic Manager, it only tells the caller where to go, and the caller then calls your service directly.
Late to the party but: if you ended up using a whitelist on for example an Azure App Service than you will need to add the addresses of Traffic Manager as well. Otherwise Traffic Manager will not be able to check the health of your App and report it as degraded.
You can find it here: https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-faqs#traffic-manager-endpoint-monitoring
Direct link: https://azuretrafficmanagerdata.blob.core.windows.net/probes/azure/probe-ip-ranges.json
Also late to the party but we were restricting our App Services by IP address and all of a sudden our traffic managers started to display degraded after working fine for years. After lots of investigation we think that Azure added some new traffic managers that were on different IP addresses so they were getting blocked by our IP restrictions. The original restrictions had included a small range of IP addresses for the traffic manager but this list looks like its expanded. The best solution is to allow the traffic manager through, not based on its IP address buts its service tag as below :
Fast question is it possible to have Azure Traffic Manager
I would like to rent dedicated servers in 3rd party suppler and to load balancer from Azure
Question 1:
Can I setup this scenario? and use the load balancer from Azure?
Question 2:
Will I pay Outgoing bandwidth
Question 3:
Will you share for website with 10 000 000 page views per month how much you pay for DNS look ups as average.
Question 4 please suggest same service competitors... Google, Amazon, Rackspace I already know
The link you provided to the article already answers #1 and #3. Yes you can set this up. Billing is done by DNS lookup at $0.75 per million lookup, so your 10m page views will cost at most $7.50, but this isn't taking into consideration DNS caching which will drastically lower this (already very low) cost.
Question 2 is not an Azure Traffic Manager related question. No bandwidth goes through ATM so there is no charge. I am sure you will pay bandwidth charges with whatever 3rd party datacenter provider you are going to use.
I don't understand question 4. What do you want suggestions for? A cloud provider? There are lots of good ones but it depends on your scenario.
Azure Traffic Manager is a DNS routing system. It is similar to the routing features of AWS Route 53 (although Route 53 is a more full-featured DNS system).
Azure Traffic Manager uses DNS to point incoming traffic to different endpoints, which can be either within Azure or external urls. Because it uses DNS, it doesn't actually see any of the data itself, it just translates something like myapp.trafficmanager.net to 'webserver1.example.comorwebserver2.example.com` based on your rules and setup.
You can use round-robin, weighted or performance (which directs to the geographically closest address you have setup). You can further use Azure's DNS or another DNS system to use your own (sub)domain to CNAME to the trafficmanager.net domain name.
Load balancers like Azure Load Balancers and Amazon's Elastic Load Balancers are used to actually spread the traffic itself to different machines or services. Each work only with services hosted with the cloud provider so Azure Load Balancers can be used to load balance Azure VM's but not some servers you have hosted elsewhere.
Load balancers have bandwidth charges because they actually pass through the traffic. Azure Traffic Manager just has DNS query charges because that's all it does.
In your case, yes you can use Azure Traffic Manager to point to several external endpoints for your dedicated servers. You can also nest Traffic Manager profiles so that you can first use geo-location then round-robin. Azure Traffic Manager does support basic http/https monitoring to make sure the endpoint is still active.
Because it is based on DNS, there will always be a lag between changes with the TTL value and how clients cache DNS addresses. This is inherent with all DNS routing. To be extra safe, you can use Azure Traffic Manager to route to your datacenter and then run your own load balancing software locally to spread the load among servers.