application gateway back end pool and express route - azure

I just want to know if it's possible to reference an internal ExpressRoute on-prem host for the back-end pool configuration of an application gateway.
The documentation is a bit vague on the subject.
Back-end server pool: The list of IP addresses of the back-end servers. The IP addresses listed should either belong to the virtual network subnet or should be a public IP/VIP. FQDN can also be used.
Thanks
Alex

Based on this, I believe it is possible to reference any IP address.
The Application Gateway routes the HTTP traffic based on its configuration whether it's a virtual machine, cloud service, web app, or an external IP address.

Related

azure linux web app whitelist IP gets 401 error

Our website is hosted on the Azure Linux web app, the site pulls data from third-party vendors. So we need to whitelist our website IP address to their server but after adding the IP for whitelisting still getting 401 unauthorized errors.
We checked with the vendor and the IP has been configured properly, but why are we getting 401 errors while pulling data via API call?
The IP address we found via Azure Portal --> web app --> Properties --> virtual IP address.
Any help or recommendation will be helpful.
If I understand you correctly, you are trying to whitelist the web app against the firewall for the third-party vendors app?
If so, then the virtual IP address that you have added is the ingress IP address for the web app. You need to add the outbound IP addresses from the Properties blade for the web app to the vendor's firewall.
You should note that there can be up to 11 of these IP addresses. Also, if you scale the web app up or down to a different service plan, or perform any change that will result in a new scale plan, the IP addresses will change. This does not apply to scaling out to multiple instances.
Using a static IP address solved the problem.
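The answer's point (allowlist the outbound addresses, not the virtual IP, and remember they change on a plan change) is easy to audit offline. This is an added example, not code from the thread: it reads the comma-separated outboundIpAddresses / possibleOutboundIpAddresses / inboundIpAddress properties that the App Service resource exposes (the addresses below are constructed) and diffs them against a constructed copy of the vendor's allowlist.

```python
import ipaddress

# Constructed sample of the App Service resource properties (real property names,
# made-up addresses); in practice these come from the portal or the ARM resource.
WEBAPP_PROPERTIES = {
    "outboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.12",
    "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.12,"
                                   "203.0.113.20,203.0.113.21",
    "inboundIpAddress": "198.51.100.5",
}

# Constructed copy of what the vendor's firewall currently allows.
VENDOR_ALLOWLIST = ["198.51.100.5", "203.0.113.10/32", "203.0.113.0/30"]


def parse_ip_list(csv: str) -> set:
    """Split the comma-separated property value into ip_address objects."""
    return {ipaddress.ip_address(p.strip()) for p in csv.split(",") if p.strip()}


def is_covered(addr, allowlist_networks) -> bool:
    return any(addr in net for net in allowlist_networks)


def audit_allowlist(props: dict, allowlist: list) -> dict:
    """Report which outbound addresses the vendor allowlist misses.

    'missing_current' covers the addresses in use right now; 'missing_possible'
    covers the wider set the app can move to after a scale up/down or plan
    change, which is the caveat in the answer above.
    """
    nets = [ipaddress.ip_network(x, strict=False) for x in allowlist]
    current = parse_ip_list(props["outboundIpAddresses"])
    possible = parse_ip_list(props["possibleOutboundIpAddresses"])
    inbound = ipaddress.ip_address(props["inboundIpAddress"])
    return {
        "missing_current": sorted(str(a) for a in current if not is_covered(a, nets)),
        "missing_possible": sorted(str(a) for a in possible if not is_covered(a, nets)),
        # Allowlisting the inbound (virtual) IP does nothing for outbound calls;
        # that is the mistake described in the question.
        "inbound_ip_listed": is_covered(inbound, nets),
    }


if __name__ == "__main__":
    print(audit_allowlist(WEBAPP_PROPERTIES, VENDOR_ALLOWLIST))
```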

Lots of persistent requests to my web app from a private ip address

I am more a C# dev than a network admin and I am not understanding what happened.
I have a website hosted on an Azure Web App and I started to get a lot of repetitive requests from IP address 172.16.5.1, to a point that it affected the web server stability.
The only way I found to fix the problem is to block this IP address, but I still have questions.
1) Is blocking the IP the best solution to the problem?
2) After googling, I found that this IP address is in the range of Private IP addresses. How can a private address reach my public web server?
3) Could it be another resource from my Azure subscription that could be making these requests?...I only have a web app configured so I don't know where these requests could come from internally
4) Can this be a DDoS attack?
This IP address is in the private range, as you found, but more information is needed to answer your curiosity.
I could say that's not the best solution; you need to find out which resources in your Azure subscription use that IP and see why they send requests to the Web App.
This is possible when your Web App is connected to the Virtual Network; discuss with your Network Admin or System Architect.
I'm quite sure that your Web App is connected to a Virtual Network, or it could be another instance of your Web App requesting each other.
I'm not quite sure that was an external DDoS attack.
That appears to be the default gateway for a subnet. Check the Networking blade to see if you are integrated with a VNet. I would expect that probes from something in the VNet (AppGW, Azure Firewall, NVA, etc.) would come from the instance IP of that resource and not the default gateway, but you really need to see the subnet range and know what's in there. If this is a WebApp that is integrated with a VNet via point-to-site VPN, then maybe this is something from the VNet Gateway, like Keep Alives. That might be apparent in a network trace. Blocking that IP could result in some other service marking the WebApp as unhealthy and not routing traffic to it.
Lots of conjecture here, but like Rudy said, you're not getting an external DDoS attack from a private IP.
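Before blocking anything, the answers above suggest looking at where the traffic comes from and whether the address is even routable from the internet. This is an added example, not from the thread: it runs over a few constructed access-log lines in a simple "date time client-ip method uri status" layout, counts requests per source, classifies each source as RFC 1918 private, other special-use, or public, and flags the ".1" host address that Azure reserves for a subnet's default gateway.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from the original thread).
SAMPLE_LOG = """\
2019-03-01 10:00:00 172.16.5.1 GET /api/health 200
2019-03-01 10:00:01 172.16.5.1 GET /api/health 200
2019-03-01 10:00:02 203.0.113.10 GET /index.html 200
2019-03-01 10:00:02 172.16.5.1 GET /api/health 200
2019-03-01 10:00:03 172.16.5.1 GET /api/health 200
2019-03-01 10:00:04 198.51.100.7 POST /login 401
2019-03-01 10:00:05 172.16.5.1 GET /api/health 200
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(ip: str) -> str:
    """'rfc1918' for private ranges, 'public' for globally routable, else 'special'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "public" if addr.is_global else "special"


def top_talkers(log_text: str, threshold: int) -> list:
    """Return (ip, count, class, gateway_hint) for sources with >= threshold requests."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    result = []
    for ip, n in counts.most_common():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        # Azure reserves the first host address of each subnet (x.x.x.1) for the
        # default gateway; a .1 source is a hint to check the VNet, not proof.
        gateway_hint = addr.version == 4 and int(addr) & 0xFF == 1
        result.append((ip, n, classify_source(ip), gateway_hint))
    return result


if __name__ == "__main__":
    for row in top_talkers(SAMPLE_LOG, 3):
        print(row)
```

A private or gateway-looking top talker points at VNet integration or a VPN gateway rather than an internet DDoS, which matches the advice above to check the Networking blade before blocking.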

ILB App Service Environment Outbound Traffic

Is there a way that we can route outbound traffic going out from an ILB ASE to a static internal IP?
I understand that App Service Plans get assigned an IP dynamically from the subnet the ASE belongs to, but we have a need to make sure traffic comes to our on-premises data center from a static IP.
As far as I know, apps running in an App Service environment get static, dedicated IP addresses both for inbound and outbound connections. See here. As you said, we can't know beforehand which IP address will be assigned to the app instance making the outbound connection if there are scaled-out instances. Even now I could not find any official doc defining this. You're welcome to give feedback here.
Besides, if you want to route your ASE outbound traffic somewhere instead of directly routing to the internet, you can configure your App Service Environment with forced tunneling from this doc.

App Service IP Restriction for Application Gateway with WAF

I want to setup Application Gateway WAF in front of multi-tenant (non-ASE) App Service Web Apps.
I know this is possible now, according to official document.
For security, inbound traffic to Web Apps should be restricted to only allow requests from the application gateway's public IP. But I couldn't find the way to do it.
Idea 1. Using VNet integration:
It's not possible to use "App Service VNet Integration" because it's not possible to specify the App Gateway's VNet.
Moreover, in my understanding, VNet integration can't restrict inbound traffic.
Idea 2. Using IP Restriction config of App Service:
Application Gateway's Public IP Address can be configured as Dynamic one, Static IP Address can't be chosen.
So, I think it's not possible to specify the Application Gateway's Public IP Address in the IP Restriction config of App Service, because the configured IP is static but the actual IP can change.
Any good idea?
The Application Gateway IP address can change if the gateway is stopped and started by the customer.
So if you do not stop and start the application gateway, the IP address will not change.
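The answer's caveat is that the restriction rule is only as good as the IP it was written for, so a stop/start of the gateway silently turns the WAF path into a 403. This is an added example, not from the thread: a simplified model of how App Service evaluates its ipSecurityRestrictions rules (priority order, implicit deny once any rule exists) plus a drift check that compares the rule for the gateway against the gateway's live frontend IP. The rule values and addresses are constructed.

```python
import ipaddress

# Constructed rules in the shape of the App Service ipSecurityRestrictions
# property (name / ipAddress / action / priority); the values are made up.
RESTRICTIONS = [
    {"name": "AllowAppGw", "ipAddress": "203.0.113.50/32", "action": "Allow", "priority": 100},
    {"name": "AllowOffice", "ipAddress": "198.51.100.0/24", "action": "Allow", "priority": 200},
]


def evaluate(rules: list, source_ip: str) -> str:
    """Simplified model: rules are checked in priority order; once at least one
    rule exists, traffic that matches nothing is denied (implicit Deny All)."""
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if addr in ipaddress.ip_network(rule["ipAddress"], strict=False):
            return rule["action"]
    return "Deny" if rules else "Allow"


def gateway_rule_status(rules: list, rule_name: str, live_gateway_ip: str) -> dict:
    """Compare the Allow rule written for the gateway with its current frontend IP.

    After a stop/start the gateway may come back on a different public IP, so
    the App Service would start denying the WAF's traffic; 'needs_update' flags
    exactly that situation.
    """
    rule = next(r for r in rules if r["name"] == rule_name)
    configured = ipaddress.ip_network(rule["ipAddress"], strict=False)
    live = ipaddress.ip_address(live_gateway_ip)
    return {
        "configured": str(configured),
        "live": str(live),
        "gateway_allowed": evaluate(rules, live_gateway_ip) == "Allow",
        "needs_update": live not in configured,
    }


if __name__ == "__main__":
    # Live frontend IP would come from the gateway's public IP resource.
    print(gateway_rule_status(RESTRICTIONS, "AllowAppGw", "203.0.113.77"))
```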

Azure Virtual Machines(ARM) | Application Gateway | Private ip | DNS

I have an Internal application gateway configured in Azure. There is one virtual machine in the back end pool of application gateway which hosts the application. That is accessible via Intranet only.
I want the IP address of my internal application gateway to be associated with a domain name for my website. How can I achieve this?
If you want to use a domain name, that means the application gateway needs to have a public IP address. In the gateway settings in the Azure portal, you can add a public IP address to the frontend configuration.
Looks like you already managed to put the backend of the gateway on the virtual network, that's good.
Next, you want to create a listener on the ports you need, for example 80 or 443. This is also done on the gateway configuration in the portal.
Finally, to use a domain name, you need to take the public IP address and put it in an A-record for the domain name. This would probably be in a config page with your service provider.
