Is there any way to secure an HTTP endpoint of an Azure Logic App ?
For example if I'm using my Logic App's HTTP request endpoint to be triggered as a webhook from a payment gateway, I'd want to restrict only certain static IP Addresses to access it and enable HTTPS.
I didn't find any firewall options like those present in Azure SQL for IP base restrictions.
You can put the manual trigger endpoint behind Azure API Management, using its "Restrict caller IPs" policy should help you accomplish what you need.
See https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
Restrict incoming IP addresses
In addition to the Shared Access Signature, you may wish to restrict calling a logic app only from specific clients. For example, if you manage your endpoint through Azure API Management, you can restrict the logic app to only accept the request when the request comes from the API Management instance IP address.
This setting can be configured within the logic app settings:
In the Azure portal, open the logic app you want to add IP address restrictions
Click the Access control configuration menu item under Settings
Specify the list of IP address ranges to be accepted by the trigger
A valid IP range takes the format 192.168.1.1/255. If you want the logic app to only fire as a nested logic app, select the Only other logic apps option. This option writes an empty array to the resource, meaning only calls from the service itself (parent logic apps) fire successfully.
I could be wrong but all App Services (Web Apps, Logic Apps, API Apps) are, by default, publically accessible and, by default, do not enable IP Filtering via Azure resource configuration (meaning, a setting on the Logic App). Options I can think of enabling this would be:
If you have access to a Web.config, use an element to restrict traffic to only a specific set of address (see MSDN)
Consider putting the Logic App behind an API Management resource and enforce a IP restriction policy (see Azure API Management Documentation); I'm guessing this may not apply for Logic Apps but including it anyway
Scale to a Premium App Service Plan, deploy Logic App to an App Service Environment which gives you the ability to specify whether there is a Public IP (VIP) used for load balancing requests or internal load balancer (which would be used for cross-premise connectivity between your LAN and Azure); you can also deploy a virtual Web Application Firewall (WAF) which would allow you to place explicit IP filters as well
Not knowing your requirements, I'd lean more towards option 3 simply because there is documentation supporting that scenario (at least for Web, Mobile and API Apps -- Logic Apps are not mentioned). Otherwise, if you're not able to modify the web.config to include the filters and cannot put an API Management instance in front of the logic app, I'm not sure what other options you may have.
Hope this helps and if you find a solution, I'd be interested in learning it as well.
Related
Is it possible to include a separate Azure App Service as part of another App Service?
For example lets say that I have a website called www.mycompany.com hosted in its own Azure App Service. I have another Azure App Service that I want to make it accessible by going to a specific URL in the first App Service.
So in other words when a request comes to www.mycompany.com/eu/ I want the content of this endpoint (/eu) to be served from the other app service. Would a load balancer work? The reason I want to do this is because the /eu endpoint has grown too big and I would like to separate that from the main site and host it on a separate app service. I hope my question is clear.
Thanks in advance.
For this purpose you could use Application Gateway.
In a certain sense it resembles a load balancer (it is a L7 LB indeed) as you indicated, but the product provides many additional features.
The following image, extracted from the product documentation, explains how it works:
Basically, as outlined in the aforementioned docs, when describing how an Application Gateway accepts a request (note they mention WAF in the explanation, an optional security threat prevention system):
Before a client sends a request to an application gateway, it
resolves the domain name of the application gateway by using a Domain
Name System (DNS) server. Azure controls the DNS entry because all
application gateways are in the azure.com domain.
The Azure DNS returns the IP address to the client, which is the
frontend IP address of the application gateway.
The application gateway accepts incoming traffic on one or more
listeners. A listener is a logical entity that checks for
connection requests. It's configured with a frontend IP address,
protocol, and port number for connections from clients to the
application gateway.
If a web application firewall (WAF) is in use, the application
gateway checks the request headers and the body, if present,
against WAF rules. This action determines if the request is valid
request or a security threat. If the request is valid, it's routed
to the backend. If the request isn't valid and WAF is in Prevention
mode, it's blocked as a security threat. If it's in Detection mode,
the request is evaluated and logged, but still forwarded to the
backend server.
The routing to one backend or another can be based on URL Paths:
You can find an example of this configuration in this related Microsoft article.
In your use case, you will need to define two backends, one for every App Service, and define routing rules as appropriate.
As indicated before, your DNS should point to the Application Gateway: it will handle the routing to one or other App Service based on the route, /eu/* or /*, provided by the client.
The order of the routes is important: once a rule is matched, it will be the one processed.
Application Gateway is a regional service: Azure Front Door leverages a similar functionality (and much more) globally.
Please, consider review the associated costs of these services.
I am answering my own question to hopefully help others in the same situation. This was simply done using a reverse proxy. This article explains everything you need to set it up - https://ruslany.net/2014/05/using-azure-web-site-as-a-reverse-proxy/
I want to limit the access to one of my app services to Azure API Mangement. In order to be independent from a single IP I created the following setting using service-tag-based restriction:
However if I test my API using the Developer Portal I still receive 403 messages.
If I now add a restriction-rule to allow the IP address of the API Management it will work.
The documentation claims that service tags are adding the IP ranges for the provided Azure services to the restrictions. This is exactly what I want to achieve but it does not seem to work.
After I contacted the MS support I know can tell an answer to this.
On central message in the answer was
Unfortunately, there is no tag for all of the API Management outbound IP addresses.
The support highlighted that the documentation for service tags points out that
This enables customers to perform management operations on the APIs, Operations, Policies, NamedValues configured on the API Management service.
What this means is that the service tag is only for backend operations. Problem with this is that it doesn't help you at all. I already noticed that after I switched on the service tag rule I could not update an API using the direct OpenAPI endpoint via the portal which is the documented way. This is because the explorative request against the OpenAPI would be performed using the local browser as a XHR-request. This means I would have to add my local IP to the restriction list every time.
The supports suggests to put everything inside a VNET and configure the access using this technique. I had this solution in place and then considered it as too clumpsy. I guess I have to do it now.
I have an Azure Static Web App developed using Angular (let's say my company homepage) which needs to be publicly accessible w/o authentication. If I wanted some dynamic content on the home page which comes from a database (i.e. news items or a product list), are there any ways to "secure" an Azure Function endpoint that supplies this data to the front end.
"secure" == I'd like to limit access of the endpoint to just my Azure Static Web App.
I'd also like to set up a function that listens for IPN requests from PayPal and so I'd like to configure that function to only be accessible from PayPal.
I see that I can configure CORS to only allow specific domains access to a function -- is this my best option?
There are two ways to look at it,
(i) Azure has APIM Service which allows to secure certain endpoints and is probably the best way how to handle Azure Functions endpoints for public.
(ii) You can also secure the functions by adding application gateway and whitelist the IP address of the Application gateway in the function or you can build functions inside a vnet using the azure environment service.
You can read more about Securing Azure Functions here
I have Azure app service (Web API) and have restricted access to everyone and allowed access by Ipaddress using access restrictions (https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions)
I want to allow a particular domain/endpoint access to the API doesn't matter which IP address they are coming from. Is there any way possible to do it.
Unfortunately, It's impossible to whitelist a particular domain/endpoint to the Azure app service using access restrictions as essentially the domain name will be resolved to a real IP address via DNS when the client access the web API in the Azure app service.
Not sure why you want to only allow a particular domain. Perhaps, you just want to map a custom domain to Azure App Service. Then you can access the web API using your multiple custom domain URLs.
Furthermore, optionally, you could apply an Application gateway in front of your web API, then you could access your backend web API using a custom domain URL or Application gateway URL. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example, URI path or host headers. Also, you could whitelist the Application gateway frontends in your app service access restrictions. See Configure App Service with Application Gateway for more details.
I hope it's helpful for you.
I'd like to implement micro service architecture on CF (run.pivotal.io) and have problems with creating my private backend services.
As I see I have to options at deployment: with and without route.
With route my services becomes public which is ok for my public site and my public REST API, but I don't want it for my backend services.
Without route I don't see how should I do service discovery.
What I found already:
Use VCAP_APPLICATION env variable and create my own service discovery (or use something like Eureka) based on that. Does this give me always a valid IP:PORT? No matter what DEA my app is running it is reachable on this IP:PORT by other apps on other DEAs?
Register my backend app as a service and bind it, than use VCAP_SERVICES. I'd like to do this but only found documentation about registering services outside CF. Is there a simple way to bind my own app as a service?
So what would be really nice is to be able to mark an app as private but still assign a host and domain to it, so (only) my other apps could call it though CF load balancers but it would be protected from the public.
Answers inline...
As I see I have to options at deployment: with and without route.
This depends on the Cloud Foundry installation and how it's configured. On PWS, you cannot talk directly between application instances. It's a security restriction. You have to go through the router.
With route my services becomes public which is ok for my public site and my public REST API, but I don't want it for my backend services.
The best you can do here is to add application level (or container level, if you prefer) security to prevent unauthorized access.
If you don't want to do password based authentication, you could do IP based filtering. On PWS, we just added a service with Statica. You can use that to send your outbound traffic through a proxy which will assign a static IP to that traffic. You could then restrict access to your app to only the Statica IPs.
Without route I don't see how should I do service discovery.
If you remove the route, you can't sent traffic to the app.
Use VCAP_APPLICATION env variable and create my own service discovery (or use something like Eureka) based on that. Does this give me always a valid IP:PORT? No matter what DEA my app is running it is reachable on this IP:PORT by other apps on other DEAs?
You'd probably need to use this enhancement. It was added to support this type of deployment. However this will only work on Cloud Foundry installation where the networking restrictions between application instances have been relaxed. Normally you cannot talk directly between instances.
Register my backend app as a service and bind it, than use VCAP_SERVICES. I'd like to do this but only found documentation about registering services outside CF. Is there a simple way to bind my own app as a service?
You can create a "user provided" service. Look at the cf cups command. It lets you create a service with an arbitrary set of parameters and data. This could contain the URLs for your services. Once you create the service, you can bind it to any number of apps.