I've been searching for this for days and finally found most of the answer in this document https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-control-inbound-traffic
It says that you can block ports to your web application service in Azure using a network security group. However, it says I have to keep some ports open.
e.g. "454: Required port used by Azure infrastructure for managing and maintaining App Service Environments via SSL. Do not block traffic to this port. This port is always bound to the public VIP of an ASE."
The question is does this port need to be open to the entire world? One of the options is open to virtual network (what virtual network is this?) I only want it open to the Azure infrastructure. How can I do this? What does VIP of an ASE mean?
Thanks,
Bestist :)
The question is does this port need to be open to the entire world?
It depends on your demand. If you want entire world(Internet) to access your app, you need open it.
what virtual network is this.
An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. You can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. More information please refer to this link.
I only want it open to the Azure infrastructure. How can I do this?
Yes, you could do it. You should add Azure data center IP ranges to NSGs.
If you only want your virtual network devices to access your app services, you could configure NSG such as below:
What does VIP of an ASE mean?
VIP:A VIP is the public IP address associated with a VM. More information please refer to this link.
ASE: App Service Environments. More information please refer to this link.
Related
Right now we have multiple resources like storage accounts and key vaults where the team is using the firewall setting within the networking tab on the individual services. This means when their ip changes after a disconnect/connect to the company VPN they have to go in to each service and add their new IP address.
Not being well versed in Azure networking possibilities, what are some of the options we have to allow a group of incoming IP addresses to be able to access all these services without having to individually touch each service to add their new ip address?
All services are also on the same virtual network.
Thank You
I used to work on Azure Cloud services as a DevOps in the past.
There should be multiple ways to control incoming network traffic to your landing zone or azure resources. But you should consider your requirements meet the solution.
Here are few you could take a look at which I used:
Virtual network service endpoints
Azure Firewall
Network Security Groups
ExpressRoute
Hey all I've been trying to look into whether this is possible or not.
I was working with Infra-Engineering to setup a VNet with peering to the on-prem network. Everything was smooth sailing until we found out that the Azure Sandbox for Function Apps blocks the SMB ports. I saw a reply on this thread: https://learn.microsoft.com/en-us/answers/questions/290531/how-can-i-access-a-on-premise-network-file-share-d.html
that if we use a Container App that we would not have this restriction. Can anyone corroborate this? I just want to get some insight before committing to trying this out.
In short - you need a VPN/Express Route connection to on premise, the container app needs to be in a VNet peered with the VPN VNet (if separated), a DNS server able to resolve on-premises DNS records, if there are firewalls, NSGs involved you will also need access rules there, and obviously the IP address ranges need to be routed (BGP or Static) and should not overlap
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-container-apps-virtual-network-integration/ba-p/3096932
https://learn.microsoft.com/en-us/azure/architecture/hybrid/hybrid-dns-infra
Im trying to Add existing virtual network on the screenshot above in Azure, but when I select the Subscription, the virtual network I want to connect to does not show up.
I had a google but couldn't find much to help, can anyone help me understand why my azure vnet cannot be attached at the moment and what needs to be changed on it to allow me to add it?
Virtual Network Rule has some limitations, you need to make your environment does not contain any of the following:
You can only add virtual network which has the same geographic region with your Azure logical SQL server. For example, if my logical SQL server is in Southeast Asia but my virtual network in East US then I will not be able to see it listed when adding a rule.
Rule can only be applied with Azure Resource Manager.
Rules cannot be applied with S2S VPN or ExpressRoute.
Moreover, to fully utilize virtual network rule, you need to also enable Microsoft.SQL service endpoint on your subnet. Click Service endpoints > Add. Choose service and subnet you want to enable service endpoint. Currently (as of this answer) only Storage and Azure SQL are available. Note that this is not actually required to do here, when adding existing virtual network (from logical server) you are given an option to enable service endpoint.
On Azure, I have a two-VM set (both classic), whereby my web application resides on one VM, my database on another. Both map to the same DNS and belong to the same Resource Group, but both are acting as standalone cloud services at the moment. Let me explain: currently the web application communicates with the database over the public DNS. However, I need them to be on the same lan, so I can de-risk security and improve latency.
I know for a fact that they're not part of a virtual network because when I try to affix a static private IP to my database VM, I'm shown the following prompt in the portal:
This virtual machine can't be configured with a static private IP
address because it's not deployed in a virtual network.
How should I proceed to fix this misconfiguration and what should my next concrete step be? The website is live, and I don't want to risk service interruption. Ideally, both VMs should be in the same virtual network, and should communicate with eachother via a static internal IP. Please forgive my ignorance. Any help would be greatly appreciated.
I guess i'll be the bearer of bad news. You have to delete both VMs while keeping the VHDs in the storage account, then recreate the VMs (reattaching the disks) in the Virtual Network.
Since these are Classic VMs you can use the old Portal when re-creating them. You'll find the VHDs under "My Disks" in the VM creation workflow.
Alternatively, just restrict the inbound access with an ACL on the database Endpoint. Allow the VIP of the first VM and deny everything else. This is good enough for almost any scenario, since if your Web Server gets compromised it's game over. It makes no difference how they exfiltrate stuff off your database (over a VNET or over VIP).
Here's the relevant documentation page for setting up Endpoint ACLs:
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-classic-setup-endpoints/
So we are starting to move to the cloud and our biggest concern is security, as it should be. The thing that I am not sure about is how to secure the end points from public (interent) access? Is this even possible or is there something else we can do to keep the environments in Azure out of the public eye?
This question is likely better suited to server fault. But until then...
In Azure IaaS V1, you can specify IP based ACLs (access control lists) to restrict inbound traffic.
In both IaaS v2, you can leverage NSG (network security groups) to help restriction trick into and out of specific VMs or virtual network sub-nets.
If you are using Azure Express Route (a leased line into an Azure facility), the VMs can be addressed directly from within the virtual network connection and don't need to have publically exposed endpoint.
Then there's also all the usual options such as securing the connections on the VMs themselves. :)
If you are using Azure Resource Groups along with your VMs (which is available on the new portal) you cannot use endpoints because it's not available there, so you should do the following to open up the HTTP port or ANY other port:
(Sign in to your account on the new portal)
1- Select the VM that you want to manage ports on.
2- In settings, click on Network Interfaces and select your network.
3- Go to Network Security Group and select your group.
4- Add Inbound or Outbound security rules depending on what you need.