I understand that Web Apps are restricted to ports 80/443 for inbound requests, but what about outbound? For example, if I were to deploy an application that made a call to some third-party service on a random port, e.g. 8085, would it be allowed? If so, is there a way to restrict the IP addresses and/or ports that outbound requests can be made on?
Mark
On Azure Web Apps, the restriction is only for inbound requests. There is no restriction on Outbound IP addresses and ports.
Out of the box, Azure Web Apps will only allow you to put restrictions on incoming requests using DIPR (http://azure.microsoft.com/blog/2013/12/09/ip-and-domain-restrictions-for-windows-azure-web-sites/). There is no mechanism to restrict outbound.
How are two App Services in the same App Service Plan uniquely identified? I understand they have different URLs, but it is explained that on the backend these URLs are converted into IP addresses; however, the App Services have the same outbound IP addresses.
URLs are not converted into IP addresses on the backend side, domain names like myapp.azurewebsites.net are resolved to IP addresses by DNS servers - and afterwards the client sends an HTTP request to the derived IP address which belongs to a server on Azure side. Indeed this means that the Azure backend wouldn't be able to assign a request to the right app service so there is another property necessary for this matching - which is the HTTP Host header. This header is used by an internal load balancer (called a "front end" on Azure side) which distributes the request to the worker(s) your application is running on.
Yes, the inbound and outbound IP addresses have little to do with the selection of App Services running on ASPs; the outbound IP can even be totally different from the ASP addresses if you are using a NAT Gateway or other services.
If you want a more specific answer, please ask a more specific question, as in: what problem are you trying to resolve?
What can I do to fix this Advisory message?
The VM this relates to is a web server, which sits behind an Azure Load Balancer. The NSG rule that is causing this (the only non-default rule) is:
Type: Allow
Source: Service Tag - Internet, source port range = *
Destination: ASG for this VM, destination port 80,443, protocol tcp
If I remove this rule, the message disappears (after some hours), but then the internet web traffic cannot reach the VM anymore.
Should I ignore the Azure Advisory message? Or am I overlooking something? I was looking forward to getting this nice and tidy, AND have a 'satisfied' advisory state.
You can run your webserver on the VMs on different ports than 80 and 443. The load balancer can translate between port 80/443 on your public IP and whatever port you choose inside the VMs. Since Load Balancers are a fairly simple service, this is probably your only option.
As an alternative, you could try Application Gateway instead of your load balancer. It should act as the reverse proxy you need. Be aware that it is a bit more costly than the load balancer, but it also has a lot more features.
I see that your VM is behind an Azure Load Balancer. So, the network flow might be similar to:
Then, your web server should not be public to the internet. It should only be accessible from the load balancer. You can set the source service tag to AzureLoadBalancer. For more information about service tags, you may check the official documentation: Service tags
Update:
On further research, the AzureLoadBalancer service tag in an NSG rule is used to allow Azure health probes. Actually, there is a default rule allowing the load balancer to probe the endpoints.
So, the suggestions are:
You should not assign public IPs to each instance. In this way, your backends can only be accessed by private IPs. In other words, clients can only access your web via the load balancer.
Add NSG inbound rules with ports 80 and 443 for the web service, and port 22 or 3389 for remote management.
In this case, your servers should be secure now. If there are still any warnings, I think you may ignore them. The Azure system may just see that you opened ports 80 and 443 to the public. However, your instances do not have a public IP.
Hope the above would be helpful to you.
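The two answers above suggest moving the web server off 80/443 behind the load balancer and keeping the VMs without public IPs. The following Az PowerShell script is an added example that implements both suggestions; it is not code from either answerer. Resource names (rg-web, lb-web, nsg-web, asg-web) and the backend port 8080 are assumptions. One caveat the answers do not spell out: Azure Load Balancer is pass-through and preserves the client's source address, so the NSG on the backend still has to admit the Internet service tag, just on the translated port and only to the web VMs' ASG. The AzureLoadBalancer tag only covers health probes, as the second answer notes.

```powershell
# Added example (not from the original answers). Assumed names: rg-web, lb-web,
# nsg-web, asg-web; assumed backend port 8080 for HTTP.
# Requires the Az module and an authenticated session (Connect-AzAccount).
$rg  = 'rg-web'
$lb  = Get-AzLoadBalancer -ResourceGroupName $rg -Name 'lb-web'
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-web'
$asg = Get-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-web'

# 1. Health probe on the backend port. Probes come from the AzureLoadBalancer
#    service tag and are already admitted by the default NSG rule.
$lb = $lb | Add-AzLoadBalancerProbeConfig -Name 'probe-http-8080' -Protocol Http `
        -Port 8080 -RequestPath '/' -IntervalInSeconds 15 -ProbeCount 2
$probe = Get-AzLoadBalancerProbeConfig -LoadBalancer $lb -Name 'probe-http-8080'

# 2. Load-balancing rule: public port 80 on the LB front end -> VM port 8080.
$lb = $lb | Add-AzLoadBalancerRuleConfig -Name 'http-80-to-8080' -Protocol Tcp `
        -FrontendPort 80 -BackendPort 8080 `
        -FrontendIpConfiguration $lb.FrontendIpConfigurations[0] `
        -BackendAddressPool $lb.BackendAddressPools[0] -Probe $probe
$lb = $lb | Set-AzLoadBalancer

# 3. NSG: the LB keeps the client's source IP, so the backend rule must still
#    admit the Internet tag, but only on 8080 and only to the web VMs' ASG.
#    No rule admits 80 or 443 on the VMs any more.
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name 'allow-web-8080' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationApplicationSecurityGroup $asg -DestinationPortRange 8080
$nsg = $nsg | Set-AzNetworkSecurityGroup

# 4. Verify: list any remaining Allow rule that exposes 80/443 from the Internet.
$nsg.SecurityRules | Where-Object {
    $_.Access -eq 'Allow' -and $_.Direction -eq 'Inbound' -and
    $_.SourceAddressPrefix -contains 'Internet' -and
    ($_.DestinationPortRange -contains '80' -or $_.DestinationPortRange -contains '443')
} | Select-Object Name, Priority, DestinationPortRange

# 5. Verify: list NICs in the resource group that still carry a public IP,
#    which would bypass the load balancer entirely.
Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.IpConfigurations.PublicIpAddress } |
    Select-Object Name
```

Repeat steps 1 to 3 for 443 with a second probe, rule and NSG entry (for example 443 to 8443) if the site serves TLS. Both verification queries should return nothing once the old 80/443 rule is removed and the VMs have no public IP; whether Advisor then clears the recommendation is not something this script can guarantee, as the second answer also notes.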
I have created an App Service Environment and have multiple web apps and web APIs associated with it. I want to achieve an arrangement where only my App Service has access to the API, so I am trying to block traffic to the API using IP Restriction. But all the Web Apps as well as the Web API have the same VIP, and I can't find any other IP address associated with it.
Also, to attach the NSG to the subnet (in which the ASE is), we need to add rules which again need a specific IP. How can I achieve this?
I assume you have provisioned an external ASE.
"App Service has the ability to allocate a dedicated IP address to an app. This capability is available after you configure an IP-based SSL"
So, you can limit the access to some of your apps inside the ASE by using App-assigned IP-based SSL addresses (Only possible with an External ASE and when IP-based SSL is configured).
When you provision your ASE, you can select how many external IP addresses the system should have including those for IP-based SSL purposes.
Please see: https://learn.microsoft.com/en-us/azure/app-service/environment/using-an-ase#ip-addresses and slide no. 14 here: https://8gportalvhdsf9v440s15hrt.blob.core.windows.net/ignite2017/session-presentations/BRK3204.PPTX
I have a website on Azure App Service and I've asked a service provider to allow my outbound IP addresses. How can I make sure that those IPs won't change?
If there is a new IP assigned to my app service, all calls from that IP will be blocked by the service provider.
The outbound IP addresses are per stamp/scale unit that the apps are on. It is not specific to a certain webspace or resource group.
You can find the stamp/scale unit in the Properties blade under the FTP Hostname endpoint. It should list out something like "waws-prod--". All of the apps in the same stamp/scale unit number in that region will have the same outbound IP addresses, as they are per stamp/scale unit.
The list of outbound IP addresses is not completely static but normally it does not change. Check out the reasons for the IP change in the thread outlined by Ruslan.
If you need both incoming and outgoing to be static, you will need an App Service Environment. This will give you dedicated IP addresses.
For more information see: https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-intro and https://msdn.microsoft.com/en-us/magazine/mt793270.aspx.
I have a Web API and a SQL Server VM. I would like to configure the inbound rules of the virtual network so that TCP port 80 traffic is allowed only from the Web API, but how?
Is it really a must to add (automatically) 50+ IP addresses to the inbound rules of the Network Security Group to allow any access to 1433?
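The question above and the earlier answer on outbound IPs being per stamp/scale unit describe the same constraint from two sides: an App Service's outbound addresses are a list, not one IP, and the list belongs to the scale unit rather than to the app. The Az PowerShell script below is an added example, not code from any poster, showing how to read that list from the app and turn it into a single NSG rule instead of 50+ one-address rules. Resource names (rg-app, api-app, rg-db, nsg-sql) are assumptions.

```powershell
# Added example (not from the original posts). Assumed names: rg-app / api-app
# for the Web API, rg-db / nsg-sql for the NSG on the SQL VM's NIC or subnet.
# Requires Az.Websites and Az.Network with an authenticated session.
$app = Get-AzWebApp -ResourceGroupName 'rg-app' -Name 'api-app'

# PossibleOutboundIpAddresses is every address the app may use on its scale
# unit, which is why the list is long. OutboundIpAddresses is only the subset
# in use right now and is not enough for a rule that has to survive scaling.
$sources = $app.PossibleOutboundIpAddresses -split ',' |
           ForEach-Object { $_.Trim() } |
           Where-Object { $_ } |
           Sort-Object -Unique
"Allowing {0} source addresses for {1}" -f $sources.Count, $app.Name

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName 'rg-db' -Name 'nsg-sql'

# One rule carrying the whole address list replaces 50+ single-IP rules.
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name 'allow-sql-from-api-app' -Priority 200 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $sources -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 1433

# Explicit deny below it, so nothing else on the VNet or the Internet reaches
# 1433 through a broader default rule.
$nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name 'deny-sql-all' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 1433
$nsg = $nsg | Set-AzNetworkSecurityGroup

# Show what was written; re-run the script whenever the app changes scale unit,
# because the address list changes with it.
$nsg.SecurityRules | Where-Object Name -eq 'allow-sql-from-api-app' |
    Select-Object Name, Priority, @{ n = 'Sources'; e = { $_.SourceAddressPrefix.Count } }
```

Two caveats follow directly from the earlier answer. First, the list is not static: when the app moves to another stamp/scale unit the addresses change, so the rule has to be regenerated (the script is idempotent apart from the rule name, which you would delete and recreate). Second, those outbound addresses are shared by every app on that scale unit, not only yours, so the rule narrows exposure of 1433 but does not identify the caller; SQL authentication and TLS on the connection still do that work.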