I am more a C# dev than a network admin and I am not understanding what happened.
I have a website hosted on an Azure Web App and I started to get a lot of repetitive requests from IP address 172.16.5.1, to a point that it affected the web server stability
The only way I found to fix the problem is to block this IP address, but I still have questions.
1) Is blocking the IP the best solution to the problem?
2) After googling, I found that this IP address is in the range of Private IP addresses. How can a private address reach my public web server?
3) Could it be another resource from my Azure subscription that could be making these requests?...I only have a web app configured so I don't know where these requests could come from internally
4) Can this be a DDoS attack?
This IP Address is private range as you found it, but needs more information to answer your couriosity.
I could say that’s not the best solution, you need to find out which resources on your Azure that use that IP and see why it sends a request to Web App.
This is possible when your Web App connected to the Virtual Network, discuss with your Network Admin or System Architect.
I’m quiet sure that your Web App is connected to Virtual Network or could be another instance of your Web App requesting each other.
I’m not quiet sure that was an external DDoS attack.
That appears to be the default gateway for a subnet. Check the Networking blade to see if you are integrated with a VNet. I would expect that probes from something in the VNet (AppGW, Azure Firewall, NVA, etc.) would come from the instance IP of that resource and not the default gateway, but you really need to see the subnet range and know what's in there. If this is a WebApp that is integrated with a VNet via point-to-site VPN, then maybe this is something from the VNet Gateway, like Keep Alives. That might be apparent in a network trace. Blocking that IP could result in some other service marking the WebApp as unhealthy and not routing traffic to it.
Lots of conjecture here, but like Rudy said, you're not getting an external DDOS attack from a private IP.
I have an Azure Scheduler Job which calls a REST endpoint over https.
The REST API is locked down by IP address so it's currently (and understandably) failing. So I need to add the Scheduler Job IP address to the API firewall.
The problem I have is I can't seem to find the IP address anywhere in the Azure Scheduler web interface.
Am I missing something or is it not possible to get the IP address in same way you can for other Azure resources (web apps, worker roles etc)?
Unfortunately Azure Scheduler does not reserve static IP, so the IP will change from deployment to deployment as we ship new changes. You may consider Logic Apps, which also supports calling REST endpoint over HTTPs, and does have static IP. See this link for more details: https://learn.microsoft.com/en-us/azure/app-service-logic/app-service-logic-limits-and-config?toc=%2fazure%2flogic-apps%2ftoc.json#configuration
Very late to the show but incase anyone else stumbles across this again, the IP addresses from the Azure Resource Explorer should get you what you need. See here for details on getting the IPs. You can also add the IPs for the relevant Azure Data Centers to your allow list if necessary.
I'm using Azure App Services that calls an external API that uses white-listing of IP addresses for defense-in-depth protection.
I'm aware I can find my Outbound IP addresses of my App Services under the WebApp -> Settings -> Properties -> Outbound IP addresses (showing a list of 4 comma separated IP addresses) which can be supplied to the external API whitelist. I understand Microsoft publishes a regularly updated list of Azure datacenter's IP addresses for outbound traffic that I can whitelist: https://www.microsoft.com/en-us/download/details.aspx?id=41653
The issue is the external API can only handle a number of IP addresses and not the full list of Azure datacenter IP's. Would it be safe to just provide the 4 comma separated IP addresses? Is there clear Microsoft documentation on how often or when the IP address can dynamically change?
I have tried to look for the answer and found two external sites that suggested it only changes when moving Azure regions [Ref 2] or if you scale up/down (but scale out/in is apparently fine) [Ref 1]. Is this correct information?
Is the Azure App Services Environment the only other viable alternative in my situation?
Late to the party on this one but just to flesh this out:
Unless you use an Application Service Environment (ASE) you cannot guarantee that the inbound or outbound IPs will change, however there some differences between inbound and outbound IP addresses.
When does an Inbound IP change?
Inbound IP will change when:
Delete an app and recreate it in a different resource group.
Delete the last app in a resource group and region combination and recreate it.
Delete an existing SSL binding, such as during certificate renewal
However, this can be countered by getting a static IP for inbound connections configure an IP-based SSL binding - you can even use a self-signed cert if you're not using any SSL functionailty.
Outbound IP addresses
This is where you sit and it's the space that is a little more volitile, this is from the docs directly:
The set of outbound IP addresses for your app changes when you scale your app between the lower tiers (Basic, Standard, and Premium) and the Premium V2 tier.
So in a nutshell if you will never scale up or down then you should be fine.
Edit: Re-reading the above and with a little test it looks like it's saying that the IPs will not change unless you ramp right up to the Premium V2 tier from a lower tier (or vice versa). A cursory test backs this up so:
Running under F1 free tier and scaling up to P1v2 gave me the following IP addresses:
Scaling back down to any of the lower tiers reverted the IP addresses to the same as the F1 tier.
Possible remediation
A very solution specific example but in-case it helps - where I've solved this before is monitoring the outbound IP addresses for the webapp, if it notices a change then it could send those IP addresses to a whitelist for update via an API call - but this could also just cause a high priority ticket to be raised.
I should note that we could do this because it wouldn't be the end of the world for a little bit of outage and we weren't expecting to scale up and down very often.
Otherwise, as you've noted, an Application Service Environment is your only belt and braces option.
References
When do inbound IPs change?
When do outbound IPs change?
Get a static inbound IP addresses
In addition to above resources about changes the other thing is that additional IP's might be added to accommodate additional capacity for outbound n/w calls.
Specific comment to look out for is "With the recent upgrades the Websites service has a stable set of outbound IP addresses allocated to each of its scale units. We continue to monitor network utilization and we might add (though never remove) additional IP addresses." by Stefan_MS
https://social.msdn.microsoft.com/Forums/azure/en-US/fd53afb7-14b8-41ca-bfcb-305bdeea413e/maintenance-notice-upcoming-changes-to-increase-capacity-for-outbound-network-calls?forum=windowsazurewebsitespreview
I've been trying to find an answer to this for a few days.
I want to host a new azure website in either the Basic tier or Standard tier.
The site will be calling a third party service.
I need to give this service provider an IP address that they will whitelist.
So when the new azure website makes requests to this service the IP address for the request needs to always be the same, as this will be the IP whitelisted.
I read that Azure offers "Reserved IPs" for cloud services and VMs but I wanted to know if something similar can be done with Azure Websites as I really don't want to go with cloud/VM.
My knowledge of networking is limited but as I understand it, if I were to get an IP SSL cert and apply that to my Azure Website then the website would have a static IP address.
If that is the case, would any requests to the third party service be hitting the service providers external firewall with this same static IP?
Thanks for any advice people can give.
An SSL cert with Web Sites will be tied to an inbound IP address. However, Web Sites does not provide a static outbound IP address.
If you need a static IP address to align with 3rd-party services, you'd need to have something residing in Azure (e.g. Application tier) running in a cloud service / VM that your web site accesses, and then have that app tier (with static IP address) communicate with your 3rd-party services.
As David Makogon's answer points out, applying an IP-based SSL certificate only gives the website a static inbound IP address.
However, the outbound IP address a website uses when making outbound network calls can be determined based on where your website is hosted. Microsoft has a list of the these IP addresses here. The third-party service would have to whitelist all of the IP addresses used by the scale unit your website is hosted in (e.g. waws-prod-am2-005).
Correct me if I am wrong, but the information shared by Brant Bobby above shows that, in fact:
All Azure websites (/Web Apps) already have a discoverable and published outgoing IP address.
This outgoing IP address will never be unique to their own site however. So one must keep in mind if they use it for a white-list, it will be allowing in a lot of other Azure visitors hosted on the same scale unit.
Simply get the so-called "scale unit" name for your site, which is the same as what's given in your site's FTP address (and so forth), which is in the format: "waws-prod-[3LetterVar]-[3DigitNum]", e.g. waws-prod-blu-007.
As an example from that article, all the East US region Azure websites can find the four IP addresses their site may rely on as follows (so if white-listing, all 4 should be white-listed):
East US Region
Outbound IP addresses for each scale unit, currently 4 for each. They said they may add more IPs to each scale unit in the future, but these should not change.
waws-prod-blu-001: 168.62.48.13, 168.62.48.19, 168.62.48.33, 168.62.48.122
waws-prod-blu-003: 137.117.81.128, 137.117.81.142, 137.117.81.181, 137.117.81.82
waws-prod-blu-005: 137.117.80.189, 137.117.81.52, 137.117.81.90, 137.117.80.178
waws-prod-blu-007: 23.96.33.205, 23.96.34.196, 23.96.35.20, 23.96.36.229
waws-prod-blu-009: 23.96.97.203, 23.96.97.233, 23.96.97.235, 23.96.97.238
waws-prod-blu-011: 23.96.112.60, 23.96.112.117, 23.96.112.152, 23.96.112.15
waws-prod-blu-013: 191.238.8.154, 191.238.9.80, 191.238.9.94, 191.238.9.170
waws-prod-blu-015: 191.236.19.222, 191.236.19.242, 191.236.21.165, 191.236.18.160
waws-prod-blu-017: 191.238.32.104, 191.238.32.154, 191.238.34.67, 191.238.35.12
waws-prod-blu-019: 104.45.138.197, 104.45.142.87, 104.45.128.144, 104.45.142.131
waws-prod-blu-021: 191.237.24.189, 191.237.30.36, 191.237.26.164, 191.237.28.161
waws-prod-blu-023: 191.236.50.206, 191.237.30.215, 191.237.25.148, 191.237.22.195
waws-prod-blu-025: 191.237.31.86, 191.237.26.176, 191.237.20.70, 191.237.18.239
Azure now supports having static outbound IP address as well.
https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-intro/
If we do not want to go for costlier App Service Environment setup, we can directly use the outbound IP addresses mentioned in the Azure portal in properties section, Azure assures that it remain 99.9% static. Nothing really changes until there is some changes data center wide. Moreover, the reserved Ip what we use in IaaS is also not 100% reserved for us and azure provides SLA of 99.9% here as well. So, In my opinion, instead of going for ASE and hosting IaaS and using reserved IP, we can just use outbound Ip provided by azure, since we get same reliability in both cases.
I have a WebJob on an Azure Website that needs to connect to a VM Endpoint to make REST calls.
My Endpoint is configured to deny all except my company's IP range. Now what rule would I need to add or url should I use so my webjob can connect to the endpoint?
I have tried the following without success:
Allow my website virtual IP address in the ACL
Connect to the endpoint using the internal IP instead of the DNS without changing
the ACL
Connect to the endpoint using the public virtual IP instead
of the DNS without changing the ACL
This works but is not what I am looking for:
Remove the current ACL and allow all
Keep the ACL but add a /16 rule with my website IP
Thank you for your help, and let me know if you need precision!
I need the same thing but it seems as though is not possible right now. Looking at this answer on a related question:
Azure Web Sites do not have dedicated outbound IP addresses for each
deployment. This precludes you from using ACLs or Virtual Networks to
connect to your Redis / Solr virtual machines.
So even though you can have a (reasonably) fixed incoming IP address on Azure Websites, the outgoing address is highly unpredictable and as far as I can see, the only exclusion that you could make was to restrict it to the entire range of IP addresses for that data centre which is far from ideal.
A solution moving forward will be to connect your Azure Website and the VM on the same Virtual Network. As of my writing this it is still in Preview so it still is not ready for production use just yet.
Here is more information on it: http://azure.microsoft.com/blog/2014/09/15/azure-websites-virtual-network-integration/