Develop Reference

How to associate a nsg to app service environment to restrict access from internet in Azure

I wanted to restrict access from internet to my app service environment, such that only my front end app service can only access it. Is there a possible way to do it?.
As shown in the above picture I wanted to associate an NSG to tier 2 such that only tier 1 can access tier 2. Nobody else can access it. Is there a solution to this problem?

Developers can use IP and Domain Restrictions to control the set of IP addresses, and address ranges, that are either allowed or denied access to their websites. With Windows Azure Web Sites developers can enable/disable the feature, as well as customize its behavior, using web.config files located in their website
<system.webServer>
<security>
<ipSecurity>
<add ipAddress="x.x.x.x" allowed="false" />
</ipSecurity>
</security>
</system.webServer>
https://azure.microsoft.com/en-us/blog/confirming-dynamic-ip-address-restrictions-in-windows-azure-web-sites/
If a request is made to a website from an address outside of the allowed IP address range, then an HTTP 404 not found error is returned as defined in the denyAction attribute.
https://learn.microsoft.com/en-us/azure/app-service/environment/network-info
https://learn.microsoft.com/en-us/azure/app-service/environment/forced-tunnel-support

Whitelist inbound IP address for Azure WebApp?

I would like to restrict access to some Web Apps I am developing on Azure through a whitelist of allowed in-bound IP addresses. I have achieved this using Network Security Group, applied to a VM. I can also see how I can achieve this using a App Service Environment, but this is very costly. Is there any way of applying a Network Security Group to a Web App? Or can I add a Network Security Group to a Virtual Network? Or is there another method that I'm overlooking?
Thanks!

You can restrict IP addresses in the web.config using the ipSecurity element like so:
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<add ipAddress="XXX.XXX.XXX.XXX" allowed="true" />
</ipSecurity>
</security>
</system.webServer>
Full documentation on the ipSecurity element: https://www.iis.net/configreference/system.webserver/security/ipsecurity
Azure Web App support for the feature:
https://azure.microsoft.com/en-us/blog/ip-and-domain-restrictions-for-windows-azure-web-sites/

restrict azure appservice / website to a domain

I have a WCF service running on a azure app service. I want to restrict this WCF to a few azure website, external IPs and some other deployments.
I am using IPSecurity tag for that in my WCF web.config
My issue is the IP restrictions work, but the azure website domains that i allow access to, dont seem to work.
for exmaple, i have an azure website with a custom domain, abcdef.info. i am trying to give this domain access to wcf, but it doesnt seem to be working.
below is my configuration.
<ipSecurity enableReverseDns="true" allowUnlisted="false">
<add ipAddress="127.0.0.1" allowed="true" />
<add ipAddress="xx.xx.xx.xx" allowed="true" /> (IP of azure website i got after nslookup)
<add domainName="azurewebsitedomain.azurewebsites.net" allowed="true" />
<add domainName="abcdef.info" allowed="true" /> (custom domain tied to my azure website)
</ipSecurity>
i was assuming that one of the last 3 settings here will whitelist my wcf client running to azure website to access WCF but so far nothing.
Will appreciate any help. Thanks.

Azure Web App infrastructure uses different IP's for inbound and outbound communications. You have whitelisted the inbound IP address. Also, Whitelisting the domain name may not work either.
Azure Web Apps use a set of 4 outbound IP's for Outbound communication. This can be retrieved from portal:
Select the web app
Click on Properties
Copy the OUTBOUND IP ADDRESSES
Whitelist these 4 IP Addresses the way you did earlier and then you could test by issuing a CURL request from the KUDU console (SCM) of the source app.
curl -i https://destinationsitename.azurewebsites.net

Azure Traffic Manager Configuration

I have two web apps deployed on cloud services in two regions.
WebApp1.cloudapp.net
WebApp2.cloudapp.net
I created Azure Traffic Manager with Performance Load Balancing
WebApp.trafficmanager.net
What is CName for my cloud app and how can I configure this CName point to Azure Traffic Manager?

The CNAME for your app is WebApp.trafficmanager.net. You will need to register a custom domain from one of the DNS providers -- once done use the tools they provide to add a CNAME record for "www" to your domain and point it at your Traffic Manager.
At the moment Azure Traffic Manager does not support apex (naked) domains. So this solution would cover www.yourdomain.com, but not simply yourdomain.com.
Some DNS providers support forwarding where you can specify yourdomain.com should redirect to www.yourdomain.com.
If this is not the case, you can enable forwarding in your Azure Web App by adding this to your web.config:
<system.webServer>
<rewrite>
<rules>
<rule name="Apex Redirection" stopProcessing="false">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
</conditions>
<action type="Redirect" url="http://{C:2}{REQUEST_URI}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
Then you would pick either of your cloud service regions and grab the "A" record from the Azure management console for your DNS record. Anyone who goes to yourdomain.com would go to that region's app and get redirected to your Traffic Manager at www.yourdomain.com.

You would register a custom domain name with the registrar of your choice (ie. GoDaddy, Network Solutions, etc). Once you have this domain name you would then configure it on the registrar's site to have a CNAME entry pointing to the trafficmanager.net address. So it would look like:
www.webapp.com IN CNAME webapp.trafficmanager.net

Azure - Using a subdomain per web role in the same cloud service

I have created a Cloud service with 2 web roles (one is the "public" site, and the other is the "admin backend").
I deployed the solution in azure, and the cloud service with the web roles were created. I can access both sites using:
FrontEnd
http://my-app.cloudapp.net:80/
BackEnd
http://my-app.cloudapp.net:8080/
Here is the problem: I would like to access the backend as a subdomain of the main site. I tried to update the DNS (GoDaddy) playing with the CNAME, but I have not been able to find a solution since it seems that I cannot use port numbers. One solution could be to create 2 Cloud Services, each one with just one web role (of course, both using port 80); but due to business requirements it's not a good idea. Any ideas?
FWIW, this is what I would like:
FrontEnd
http://my-app.com
BackEnd
http://dashboard.my-app.com

You should be able to add two CNAMES or A-records with your hostnames, pointing to the same site/port. You can then use URL rewriting to map the hostnames to different directories, something like (the untested);
<rewrite>
<rules>
<rule name="Dashboard rewrite" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^dashboard\.my-app\.com$" />
</conditions>
<action type="Rewrite" url="http://my-app.com/dashboard/{R:0}" />
</rule>
</rules>
</rewrite>
This will/should rewrite the access to http://dashboard.my-app.com/test.aspx to http://my-app.com/dashboard/test.aspx, giving the impression to the browser of being two separate applications.

With DNS CNAME you can only point from one hostname to another. Port numbers are a totally different item.
You can install an HTTP reverse proxy server to forward the requests to the proper cloud service. (e.g. HAProxy, nginx, IIS ARR etc.). There are some solutions in this SO question: How do I create a reverse proxy that runs in Azure?