Today I was doing some experiments with the new Traffic Manager (new azure portal). I configured a new Azure Traffic Manager and added an Azure Website endpoint. But the Traffic Manager endpoint status says Status of the endpoint as "Stopped" where the Web app is up and running. Also the Azure Traffic Manager Monitoring status is Inactive. I am confused. I did this few times and still getting the same result.
Am I missing something?
Traffic Manager is only eligible for use with App Services (formerly known as Azure Websites and Azure Mobile Services) at the 'Standard' level or above. If you downgrade your App Service to the Free or Basic tiers, it shows as 'stopped' in Traffic Manager (this is somewhat misleading and we are working to improve the experience).
Mentioned here.
Related
Earlier we had Windows App Service Plan and App services within the plan have VNet-integration enabled to connect to on-premises services. It used to reach on-premises services from the app service by resolving the domain names.
Recently Microsoft announced that regional VNet-integration for Linux App Services feature is Generally Available. we tried to migrate all our windows app services to Linux. Fortunately, we did not face any issues with subnet-delegation. But after the migration, the Linux app services are not able to reach on-premises service. It says UnknownHostException from the java code and tried from Kudo console, there also it says domain name is not being resolved. and we noticed that logs are not being pushed to Application Insights.
The next day, we just tried with IP address instead of domain names, it worked. For Application Insights, we could not do anything. To just confirm for Application Insights, we disconnected the vnet-integration for app service, then the app is able to send logs to application insights.
So what would be the problem?
You cannot create a Linux Web App in an App Service plan already hosting non-Linux Web Apps. I suppose you have created new app service plan and app service for Linux to manage regional VNet Integration.
Your app cannot resolve addresses in Azure DNS Private Zones without
configuration changes
The feature is fully supported for both Windows and Linux web apps.
All of the behaviors act the same between Windows apps and Linux apps.
Also, from https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
In the scenario of name resolution from App Service Web Apps in one virtual network to VMs in a different virtual network, it requires customer-managed DNS servers forwarding queries between virtual networks for resolution by Azure (DNS proxy). See Name resolution using your own DNS server.
By default, app service use the Azure providing DNS server in the delegated VNet, it don't know your on-premise DNS records. You need to deploy a custom DNS server in your Azure virtual network and target network to forward the DNS query.
For Application Insights, you could check if you have a rule blocking the outbound call to application insights if you have set the app setting WEBSITE_VNET_ROUTE_ALL to 1. Refer to this.
If you integrate your app with your VNet, the default behavior remains
as it was. You would only be able to reach RFC1918 addresses
(10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and service endpoints.
Just like with Windows, the feature now supports outbound calls into
the VNet on non-RFC1918 addresses as well. To reach all addresses you
need to set the app setting WEBSITE_VNET_ROUTE_ALL to 1, your app will
then enable all of the outbound traffic from your app to be subject to
NSGs and UDRs.
Finally, all of a sudden it got resolved by itself. And when we asked Microsoft Support, its mentioned that they have done recent network update in their backbone network.
Since we did not know what was the issue, we did not migrate Win to Linux in our higher env, we rollback to Windows and there was no issue after that.
I have an Azure Web App and an Azure SQL Server, both in the same subscription. Both of them are connected to the same VNet Subnet as shown in the below snapshots. The SQL Server is configured not to Allow Azure Resources and Services to access the server, as it should only permit access from either the connected subnet or a set of IP rules.
Unfortunately, the SQL Server is actively refusing any connection from the web app stating that the web app IP is not allowed to access the server.
The interesting thing is that I have the exact same configuration working on another subscription.
What could I be missing?
Snapshots:
1- Here you can see the web application connected to the "webapps" subnet
2- And here you can see the SQL Server connected to the same subnet
3- And that's the error I get
TLDR
The configuration is correct, but an app service restart may be required.
VNET Integration
The configuration of using a virtual network to connect a web app to a SQL database is correct: if the web app is connected to the same subnet/vnet which is allowed in the database's ACLs, and the Microsoft.Sql service endpoint is enabled on the subnet, the web app is able to communicate to the database. This is the whole reason for service endpoints: you do not need to configure with IP allowances on the database.
As to why the configuration still resulted in an error, it could be the order in which the resources were configured. We were experiencing the exact same setup and issue (which is what let me to this question)!
We connected our web app to the subnet/vnet but had not enabled the service endpoint on the subnet. We then added/allowed the subnet/vnet as an ACL in the database, during which we were prompted to enable the Microsoft.Sql service endpoint (we did). However, even after waiting ~20 minutes, we were still seeing the same connection issue.
However, once we restarted the app service, the issue went away and the web app could connect to the SQL database.
I suspect the issue is due to enabling the subnet's service endpoint after the app service was connected to the subnet. The app service must need a restart to refresh the app service's vnet config/routing.
Configuration NOT needed
Contrary to other answers, you do not need to configure firewall IP allowances nor enable access to Azure services and resources. In fact, there are downsides to both approaches:
Enabling access to Azure services and resources allows any Azure-based resource to connect to your database, which includes resources not owned by you. From doc:
This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers.
Unless you're using an App Service Environment (which is significantly more expensive than normal App Service plans), your web app's outbound IP addresses are neither static nor specific to your application. From doc:
Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service environment (not in the Isolated tier) share network infrastructure with other apps. As a result, the inbound and outbound IP addresses of an app can be different, and can even change in certain situations.
The second point is further elaborated upon in this Github issue:
IPs are indeed shared with other App Service plans (including other customer's plans) that are deployed into the same shared webspace. The network resources are shared among the plans in a workspace even if the computing instances are dedicated (e.g. in Standard tier). This is inherent to the App Service multi-tenant model. The only way to have a dedicated webspace (i.e. outbound IPs) is to deploy an App Service plan into an App Service Environment (ASE) (i.e. Isolated tier). ASE is the only thing that offers true single-tenency in App Service.
So neither of the above options will truly harden your SQL database if you want to isolate communication from only your web app. If you have resources in the same subnet, using vnet integration is the correct way to solve the problem.
If resources cannot be in the same subnet, the solution is to use Private Endpoints.
Virtual networking in Azure is quite different from how it would work on premises.
I had similar problems in production environment and digging deep, the working solution (meeting security standards and create a secure connection to the database) was to create a private endpoint for SQL access in the virtual network. Then all the calls to the SQL were performed internally (it did not go on the internet), and the databases were denying all public calls.
In your case now, you deactivated the Allow Azure apps to access so when your app is trying to access the SQL the server checks the ip to find out if it is white listed or not. So fast solutions would be one of the following:
Enable Azure Web apps to access SQL
Find all outbound IPs of your web app and register them in you SQL firewall/ security settings.
If you talk about a proper production environment with security regulations I would suggest you go down the more tedious path of private endpoints.
You have to configure the outbound IPs from the app service in the sql fw.
You can find them under properties of your app service. Documentation.
The reason why is that the VNET integration doesn't give your app service an outbound IP in the VNET you configured it in, so the FW you configured doesn't work.
I have working web apps which access storage accounts and KVs. These storage accounts and KVs accept traffic from a particular subnet and the web apps have been configured to integrate with those subnets. I did face an issue where even after integration apps were not able to access these resources. What worked for me was, I changed the App service SKU from Standard to Premium and restarted the app. As you can see, it warns that "Outgoing IPs of your app might change". This is not guaranteed solution but it worked for me.. several times! Not sure about SQL server though. Private endpoint does seem like the way to go but you can give this a try.
I was doing some experiments with the Traffic Manager (new azure portal). I configured a new Azure Traffic Manager and added two Azure WebApp endpoints.
But when trying to browse Traffic Manager endpoint I am getting
This site can’t be reached, niktm.trafficmanager.net’s server DNS address could not be found.
The Status' of the TM endpoint are "Enabled" and both the Web apps are up and running. Also, the Azure Traffic Manager Monitoring status is Online.
I did this few times and still getting the same result. Am I missing something?
Another reason why Azure Traffic Manager could not working with Azure App Service (Web App) is because you are using Basic service-tier, which doesn't support Traffic Manager feature. As a result, a Traffic Manger Profile has the Inactive status and Stopped for Endpoint monitor status.
This site can’t be reached, niktm.trafficmanager.net’s server DNS address could not be found.
If I do not add any endpoints in my traffic manager, Monitor status is Inactive.
To verify DNS propagation using http://digwebinterface.com/, I could find similar result as yours niktm.trafficmanager.net.
And if I browse to {my traffic manager name}.trafficmanager.net, I could see same error message in browser.
If I add available endpoints for traffic manager, I will see Dig result like below, and I could browse to {my traffic manager name}.trafficmanager.net.
I suspect that your endpoints do not really add to traffic manager even though Azure portal shows they are enabled and online. You could try to create a new traffic manager and add endpoints to check if it will work fine, if Azure traffic manager still/always not work fine in your subscription, you may need to create a support ticket to fix this issue.
I have an azure mobile service that is running on top of SQLAzure DB. The Database is geo-replicated. I am looking to setup a failover for mobile service in case if the primary endpoint goes down. I have looked into traffic manager but it does not support mobile service endpoints also setting up another mobile service that talks to the replicated DB not possible as the replicated copy is read-only.
What are the possibilities of setting up a failover for mobile services endpoints.
There are several mechanisms for hosting mobile APIs on Azure - Azure Mobile Services is tied to a single region, so you can't fail that over. Azure Mobile Apps is the next generation of Azure Mobile Services and is built on top of Azure App Service Web Apps - it's an extension of the work there. As a result, you can leverage all the cool features of Azure App Service for your mobile service. If you haven't taken a look yet, then take a look at migrating your service to Azure App Service Web Apps.
Once there, Traffic Manager is definitely what you want. You can read about the process of using Traffic Manager with an Azure web app here: http://blogs.msdn.com/b/benjaminperkins/archive/2014/06/02/using-traffic-manager-with-microsoft-azure-web-site.aspx
I am using Azure Mobile Services for a production mobile application. I am looking into failover configuration in Azure portal and can't find anything about it.
There is the "Traffic Manager" as described in the Azure documentation. But in my understanding it only deals with VMs and Networking, not the Mobile Services.
My guess is: failover management is included in the mobile services by design. In other word, if one MS azure server crashes, my mobile service URL will be rerouted on another server automagically.
Am I right?
Availability SLAs are only guaranteed on the Standard and Premium tiers, see Support and SLA in: http://www.windowsazure.com/en-us/pricing/details/mobile-services/
An Azure Mobile Services is tied to a single Azure region. So if your Azure region fails, you need to manually migrate to another Azure region. Details can be found in Recover your mobile service in the event of a disaster.