As far as I know it is - unfortunately - not possible to restrict an Azure website to available to Azure-internal services only, since Websitess do not support virtual networks - currently.
Is this still correct?
If yes... I'm thinking of creating an Azure worker role instead to host my services. Is it possible to make the service only available to the websites from my subscription?
Thank you in advance
best
laurin
Laurin - you are correct - while Websites can utilise Hybrid Connections to connect back to services on-premises they aren't actually able to connect (and be restricted to) internal Azure services.
If you use a Web Role you will need to setup a Virtual Network with an appropriate private IP address range and then ensure you add your Web Role to this Virtual Network. This is done by editing the service configuration of your Cloud Service deployment in Visual Studio and making it similar to the below:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration ...>
<Role name="WebRole1">
...
</Role>
<NetworkConfiguration>
<Dns>
<DnsServers>
<DnsServer name="YourDns" IPAddress="10.4.3.1" />
</DnsServers>
</Dns>
<VirtualNetworkSite name="YourVirtualNetwork" />
<AddressAssignments>
<InstanceAddress roleName="WebRole1">
<Subnets>
<Subnet name="FrontEndSubnet" />
</Subnets>
</InstanceAddress>
</AddressAssignments>
</NetworkConfiguration>
</ServiceConfiguration>
Related
I would like to use some of the benefits of hosting a web api in Azure, but I want that api to be private (not accessible from the outsite world) as it only be used internally.
I am not sure if that is even possible. I've tried deploying from visual studio but the api is hosted on xyz.azurewebsites.net and is accessible from everywhere.
Thanks in advance.
You could restrict access to the site to a specific ip address or range of addresses through the web.config. Add a section to system.webServer:
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="123.456.0.0" subnetMask="255.255.0.0"/>
</ipSecurity>
</security>
</system.webServer>
More info here: IP and Domain Restrictions for Windows Azure Web Sites
In addition to levelnis's suggestion about static ip security restricting access, there is the option of using an App Service Environment.
https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro
App Service Environments are ideal for application workloads
requiring:
Very high scale
Isolation and secure network access
An ASE is always placed in a virtual network's subnet, so you can use NSGs to control access. ASEs are a Premium service though so can be quite expensive.
I have a cloud service that opens a socket externally and requires a whitelisted IP address. Nothing will externally initiate a connection with my service.
When I attempt to publish it with an associated ReservedIP address I get the following error: Validation Errors: Error validating the .cscfg file against the .csdef file. Severity:Error, message:ReservedIP 'xxxx' was not mapped to an endpoint. The service definition must contain atleast one endpoint that maps to the ReservedIP..
.cscfg
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="Gateway" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="5" osVersion="*" schemaVersion="2015-04.2.6">
<Role name="WorkerRole1">
<Instances count="1" />
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="yyyyy" />
<Setting name="APPINSIGHTS_INSTRUMENTATIONKEY" value="xxx" />
<Setting name="ASPNETCORE_ENVIRONMENT" value="dev" />
</ConfigurationSettings>
</Role>
<NetworkConfiguration>
<AddressAssignments>
<ReservedIPs>
<ReservedIP name="xxxxx"/>
</ReservedIPs>
</AddressAssignments>
</NetworkConfiguration>
</ServiceConfiguration>
Is there a way to deploy this without specifying an endpoint? (I'm using VS2017RC to deploy)
If not, what would the xml look like for a dummy 'endpoint' and what risks do I run doing that?
Is there a better way I should be approaching this?
I ran into the same issue and the working solution for me was to take the "Input endpoint" from here and place it in .csdef file within the WorkerRole tag.
<Endpoints>
<InputEndpoint name="StandardWeb" protocol="http" port="80" localPort="80" />
</Endpoints>
Looks like ReservedIP is only supported with services containing an external endpoint. What you can do is add an external endpoint but firewall it off with the NSG (Network Security Group).
On help defining an endpoint see
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-enable-communication-role-instances
Also, if you use a port that is actually not bound to in the machine, it should not be a vulnerability; but adding a deny rule in NSG would cover for any change in future as well.
[Aside] If your service does not have any incoming connections, you should consider using a worker role instead of a web role. Long running threads can get terminated in web role instances.
I'm trying to understand what are firewall rules for Azure cloud services (Web/Worker roles) by default, and I'm confused.
Based on multiple source, including this link http://download.microsoft.com/download/C/A/3/CA3FC5C0-ECE0-4F87-BF4B-D74064A00846/AzureNetworkSecurity_v3_Feb2015.pdf, inbound connections are blocked by default for cloud services, be it worker role or web role. To open inbound connection I would need to specify parameters for EndPoints elements in .cscfg.
However, I never did this, but my web roles and worker roles accept inboud connection, even UDP connection to worker role.
What am I missing?
Update: I apologize, I was looking at wrong file. For reasons I cannot explain I mixed .csdef and .cscfg. Now it looks like stupid question :)
You're correct - web and worker roles require endpoints to be defined, to allow external traffic to pass through to your role instances.
Regarding the fact you can currently access your existing web/worker instances: By default, an endpoint for port 80 is created for your web role, and if you enabled RDP, that is enabled as well.
Just be aware that there are port mappings that occur: That is, you specify the external port (maybe... port 8000), which then maps to your actual port where your code is listening (maybe... port 80).
And also be aware that, if you use one of those ports for one role, you must come up with a different port for a different role. All instances of a given role may consume the same port, in a load-balanced fashion. But... if you set up a web server using, say, port 8000 externally on your web role, and you define another web role (or maybe a worker role), you cannot use port 8000 for that role.
Role endpoints are exposed in the cloud service project, within Visual Studio, in case you don't want to edit the configuration file directly.
David has most of the answer covered, for the detailed WHY it works:
https://azure.microsoft.com/nl-nl/documentation/articles/cloud-services-role-enable-remote-desktop/
Take a look at the csdef file, there is an imports section in there
<Imports>
<Import moduleName="<import-module>"/>
</Imports>
The module for RDP is "RemoteAccess" and there will be a "RemoteAccessForwarder", all plugins/modules are in the Azure SDK in this directory (replace v2.9 with your azure SDK version)
C:\Program Files\Microsoft SDKs\Azure\.NET SDK\v2.9\bin\plugins
Importing this module results in the following config being added to the csdef file at runtime:
<?xml version="1.0" ?>
<RoleModule
xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"
namespace="Microsoft.WindowsAzure.Plugins.RemoteAccess">
<Startup priority="-1">
<Task commandLine="RemoteAccessAgent.exe" executionContext="elevated" taskType="background" />
<Task commandLine="RemoteAccessAgent.exe /blockStartup" executionContext="elevated" taskType="simple" />
</Startup>
<ConfigurationSettings>
<Setting name="Enabled" />
<Setting name="AccountUsername" />
<Setting name="AccountEncryptedPassword" />
<Setting name="AccountExpiration" />
</ConfigurationSettings>
<Endpoints>
<InternalEndpoint name="Rdp" protocol="tcp" port="3389" />
</Endpoints>
<Certificates>
<Certificate name="PasswordEncryption" storeLocation="LocalMachine" storeName="My" permissionLevel="elevated" />
</Certificates>
</RoleModule>
This will open port 3389 for the RDP connection, so the Endpoint is in the .csdef file, but through an import.
Also take a look at the "RemoteForwarder", it acts as the gateway, so only 1 port (3389) has to be opened on the outside, and only 1 instance will listen to this. The RemoteForwarder will then forward the RDP connection to the right machine. More info:
https://blogs.msdn.microsoft.com/avkashchauhan/2011/12/06/how-does-remote-desktop-works-in-windows-azure/
I have an Azure cloud service hosted at example.cloudapp.net and within the portal I have configured two virtual networks one that is linked to a disaster recovery site and one that is linked to the main site.
I was successfully able to deploy the cloud service to within the virtual network by using the following configuration in the ServiceConfiguration.Cloud.cscfg:
<NetworkConfiguration>
<VirtualNetworkSite name="VNET1" />
<AddressAssignments>
<InstanceAddress roleName="mybudget">
<Subnets>
<Subnet name="CloudService" />
</Subnets>
</InstanceAddress>
<ReservedIPs>
<ReservedIP name="mycloudservice" />
</ReservedIPs>
</AddressAssignments>
I want to deploy the Cloud Service not only to VNET1 but also to VNET2, is there any way of deploying to additional VNETs at the same time? The subnets are named the same although have different values. Any help on this would be greatly appreciated.
No, the same cloud service cannot be deployed to two different VNets. You can create a replica of the cloud service by using the same configuration files but in a new cloud service.
Is it possible to restrict the access to a Azure WebRole to a list of IP ranges.
I saw there are a number of articles explaining how to configure the firewall for accessing an SQL Azure instance but what about the WebRoles / WorkerRoles?
Thank you,
Luc
Since V1.3 of the SDK (and now V1.4), full IIS support and Startup tasks have been available to help solve this issue.
I've blogged about this http://blog.bareweb.eu/2011/04/restricting-access-by-ip-in-azure-web-role-v1-4/
You can use ipSecurity in web.config, but you must also do some work regarding installing the IPSec module into IIS.
Regards
Andy
Since Azure SDK 2.4 there has been a possibility to use Access Control List (ACL) to apply IP restrictions for your cloud services. I wrote a blog post on this: http://www.henrihietala.fi/apply-ip-restrictions-for-azure-cloud-service/
Just add the ACL in your ServiceConfiguration.Cloud.cscfg:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="MyWebRole.Azure" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*" schemaVersion="2014-06.2.4">
<Role name="MyWebRole">
...
</Role>
<NetworkConfiguration>
<AccessControls>
<AccessControl name="ipRestrictions">
<Rule action="permit" description="allowed-edu" order="100" remoteSubnet="137.133.228.111/32" />
<Rule action="permit" description="allowed-test" order="101" remoteSubnet="168.61.66.2/32" />
<Rule action="permit" description="allowed-prod" order="102" remoteSubnet="168.61.66.131/32" />
<Rule action="deny" description="Others" order="800" remoteSubnet="0.0.0.0/0" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="MyWebRole" endPoint="Endpoint1" accessControl="ipRestrictions" />
<EndpointAcl role="MyWebRole" endPoint="HttpsIn" accessControl="ipRestrictions" />
</EndpointAcls>
</NetworkConfiguration>
</ServiceConfiguration>
Be careful with rule attributes. Your deployment will fail if you have specified the same order number or description twice or the IP address in remoteSubnet is incorrect.
I have not personally done this in Azure yet, but have you tried just using the IIS7 IP security feature via the system.webServer/security/ipSecurity configuration element?
Microsoft provides the recipe for doing this in this May 2012 article http://msdn.microsoft.com/en-us/library/windowsazure/jj154098.aspx.
You can restrict a Windows Azure web role access to a set of specified IP addresses by modifying your IIS web.config file and creating a command file which unlocks the ipSecurity section of the ApplicationHost.config file.