How to configure my Azure VM Endpoint ACL to allow connection from my Azure Webjob on the same portal - azure

I have a WebJob on an Azure Website that needs to connect to a VM Endpoint to make REST calls.
My Endpoint is configured to deny all except my company's IP range. Now what rule would I need to add, or what URL should I use, so my WebJob can connect to the endpoint?
I have tried the following without success:
Allow my website virtual IP address in the ACL
Connect to the endpoint using the internal IP instead of the DNS without changing the ACL
Connect to the endpoint using the public virtual IP instead of the DNS without changing the ACL
This works but is not what I am looking for:
Remove the current ACL and allow all
Keep the ACL but add a /16 rule with my website IP
Thank you for your help, and let me know if you need more details!

I need the same thing but it seems as though it is not possible right now. Looking at this answer on a related question:
Azure Web Sites do not have dedicated outbound IP addresses for each deployment. This precludes you from using ACLs or Virtual Networks to connect to your Redis / Solr virtual machines.
So even though you can have a (reasonably) fixed incoming IP address on Azure Websites, the outgoing address is highly unpredictable and, as far as I can see, the only exclusion you could make is to restrict it to the entire range of IP addresses for that data centre, which is far from ideal.

A solution moving forward will be to connect your Azure Website and the VM on the same Virtual Network. As of my writing this it is still in Preview, so it is not ready for production use just yet.
Here is more information on it: http://azure.microsoft.com/blog/2014/09/15/azure-websites-virtual-network-integration/

Related

Use CloudFlare so I can access website hosted in Azure via IP Address

I am very new to Cloudflare. So please bear with me. I need to access my website (hosted in Microsoft Azure - App Services) via IP address instead of the domain name.
To do this, I need to add a Host: www.mydomain.com header to the HTTP request when requesting the website via IP address.
I heard it can be solved via Cloudflare, but the person I asked will not elaborate further. Is it possible? If yes, what service should I purchase? Any manual or instruction will be appreciated.
If Cloudflare isn't possible, do you have any service recommendations?
Thanks :)
The reason the host header is needed is because Azure App Services are multi-tenant (multiple apps on a single IP) by default. So, the server needs some way to know where to route your request to (the host name). In addition, IPs are not guaranteed to be static (they can change as you scale for instance).
It should be possible to secure a single static IP address using the following method -
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#get-a-static-inbound-ip
What is unclear is whether or not this IP would also be dedicated (meaning only your domain would use it). This is what would be required in order to allow you to access the app service without a hostname specified.
Cloudflare will not solve this issue, as it sits at the DNS layer (domain name access). Accessing a server via IP would bypass Cloudflare entirely.
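The routing problem the answer describes, as an added example that is not part of the original thread: a tiny stand-in for a shared (multi-tenant) front end that, like the App Service front door, picks the site purely from the Host header. The tenant hostnames, the response bodies and the 404 text are constructed for illustration; the point is that a request sent to the bare IP, with no Host header or with the IP itself as Host, cannot be routed, while the same request with the site's hostname as Host is.

```python
"""Why a multi-tenant front end needs the Host header (added example).

Several sites share one IP address; the front end below routes on Host alone,
so a request addressed to the IP without the site's hostname cannot be served.
Hostnames and bodies are constructed for this demonstration.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed tenant table: several apps behind one IP address.
TENANTS = {
    "www.mydomain.com": b"hello from mydomain",
    "other.example.net": b"hello from other tenant",
}


class HostRoutingHandler(BaseHTTPRequestHandler):
    """Routes purely on the Host header, as a shared front end does."""

    def do_GET(self):
        host = self.headers.get("Host", "")
        # Drop any :port suffix; tenants are keyed by hostname only.
        hostname = host.split(":", 1)[0].lower()
        body = TENANTS.get(hostname)
        if body is None:
            # Missing, unknown or IP-literal Host: no tenant can be chosen.
            body = b"404 Web Site not found"
            self.send_response(404)
        else:
            self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def start_front_end():
    """Start the shared front end on 127.0.0.1 and return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), HostRoutingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(port, host_header=None):
    """GET / on the front end's IP and return (status, body).

    host_header=None sends no Host header at all, which is what a client that
    only knows the IP address effectively does.
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    if host_header is not None:
        conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    status, body = resp.status, resp.read()
    conn.close()
    return status, body


def demo():
    """Return the status codes for: no Host, Host=IP literal, Host=site name."""
    server, port = start_front_end()
    try:
        by_ip = fetch(port)                                # no Host header
        by_ip_literal = fetch(port, f"127.0.0.1:{port}")   # Host is the IP
        by_name = fetch(port, "www.mydomain.com")          # Host is the site
        return by_ip[0], by_ip_literal[0], by_name[0]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # (404, 404, 200)
```

From a shell the equivalent of the last request is `curl --resolve www.mydomain.com:443:203.0.113.5 https://www.mydomain.com/` (address constructed): the connection goes to the IP you choose while the Host header and the TLS SNI still carry the site name, which is what the front end needs.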

Allowing IP Address through SQL Server Firewall

I have a Website (App Service), 1 Sql Server with 2 databases on it.
Each month I randomly get an error:
Cannot open server 'myServer' requested by the login. Client with IP address 'xx.xxx.87.3' is not allowed to access the server.
To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range.
It may take up to five minutes for this change to take effect.
My question is, how do I know what application/service this IP address is?
It's not the IP address of my website, and if I ping the CNAME of my database, it doesn't match this IP. But if I don't add it, my whole site doesn't work.
I must add this manually once per month, when something changes. How do I find out what this IP address is connected to?
Basically, there are 2 ways to solve your issue:
Specify "Allow Azure services and resources to access this server" as Yes in your SQL server firewall config, so that your SQL server allows all Azure resources to access it.
Add all of the outbound IPs of your Azure App Service to your SQL server firewall whitelist. This has a higher security level than the first way. You can find all the outbound IPs on the Azure Portal here:
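The check a practitioner wants for the second option, as an added example (not code from the original answer): take the IP named in the SQL firewall rejection, test whether it is one of the app's possible outbound IPs, and emit one sp_set_firewall_rule statement per outbound IP so the whole set is whitelisted at once rather than one address per month. The outbound IP list and the error text below are constructed; in practice the list comes from the app's Properties blade or from `az webapp show --query possibleOutboundIpAddresses`, and the rule naming scheme is this example's own.

```python
"""Match a SQL firewall rejection to an App Service's outbound IPs and
generate the firewall rules for the whole outbound set (added example).
"""
import ipaddress
import re

# Constructed sample of what an App Service reports as possible outbound IPs
# (comma-separated, as the portal and CLI show it).
POSSIBLE_OUTBOUND_IPS = "20.50.1.10,20.50.1.11,20.50.1.12,40.70.3.5,40.70.3.6"

# Constructed sample of the error from the question; the IP is made up.
SAMPLE_ERROR = (
    "Cannot open server 'myServer' requested by the login. "
    "Client with IP address '40.70.3.6' is not allowed to access the server."
)

_IP_IN_ERROR = re.compile(r"Client with IP address '([0-9.]+)'")


def parse_rejected_ip(message):
    """Return the client IP named in a SQL firewall rejection, or None."""
    m = _IP_IN_ERROR.search(message)
    return ipaddress.ip_address(m.group(1)) if m else None


def outbound_ips(csv):
    """Parse the comma-separated outbound IP list into address objects."""
    return [ipaddress.ip_address(p.strip()) for p in csv.split(",") if p.strip()]


def is_app_outbound(rejected, outbound):
    """True if the rejected IP is one of the app's possible outbound IPs.

    If this is False the blocked client is not your app at all, and the
    address should be investigated rather than whitelisted.
    """
    return rejected is not None and rejected in set(outbound)


def firewall_rules_sql(outbound, prefix="appservice-outbound"):
    """One sp_set_firewall_rule per outbound IP (single-address ranges).

    The rule name prefix is an assumed naming scheme for this example.
    """
    return [
        f"EXEC sp_set_firewall_rule N'{prefix}-{i}', '{ip}', '{ip}';"
        for i, ip in enumerate(sorted(outbound), start=1)
    ]


if __name__ == "__main__":
    rejected = parse_rejected_ip(SAMPLE_ERROR)
    ips = outbound_ips(POSSIBLE_OUTBOUND_IPS)
    print(rejected, "is an app outbound IP:", is_app_outbound(rejected, ips))
    print("\n".join(firewall_rules_sql(ips)))
```

The `possibleOutboundIpAddresses` set is larger than the currently used `outboundIpAddresses` set and is the one to whitelist, because scaling or plan changes move the app between addresses in that set. Note also that the first option, "Allow Azure services and resources", admits connections from any Azure-hosted resource, not only yours, which is why the answer rates it lower.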

Azure Permanently whitelisting IP

Hope you are all safe!!!
I have a live project running on Azure Environment.
As part of data checking, when I try to access the database using SSMS on my machine, every time I need to whitelist my IP.
Since it is an intranet domain, the IP changes every day.
Is there any solution to permanently enable my IP using the MAC address or something, so that I can skip this IP whitelisting?
IP whitelisting (as the name already suggests) does not work on a MAC address basis. What you could do as an alternative is to use a Point-to-Site VPN from your machine into a VNet in Azure. Then you should be able to leverage Private Endpoints (aka Private Link) to allow connections to your database from that VNet. https://samcogan.com/service-endpoints-and-private-link-whats-the-difference/

How to prevent public access to Compute Engine External IP Address?

I need to prevent users from accessing the site through the external IP address on Compute Engine; they should be able to access the site only via the domain name (www.some-domain.com), not the IP address itself.
Let's say the instance's IP address on Compute Engine is A.A.A.A. I am using a Load Balancer to redirect it to a secure connection, with these settings:
Frontend
HTTP : B.B.B.B:80
HTTPS : B.B.B.B:443
Backend
Redirected to the active instance
And I am pointing the DNS (A) record to B.B.B.B.
Now I am able to access https://www.some-domain.com. But the problem is, I can still access the site with A.A.A.A and B.B.B.B.
This is my current firewall configuration:
How to prevent this? Thanks.
Well, there are a couple of things you can do:
1- Remove the external IP from the VM instance
2- Create a specific firewall rule to only allow access from a specific subnet range
Let me elaborate:
For 1:
Using the web console, you only need to edit the VM details, go to the network interface settings and choose None in the External IP drop-down menu, then save the new configuration. All of this can be done without stopping the VM instance.
For 2:
Create a couple of firewall rules with the same configuration as default-allow-http and default-allow-https, but under "Filter" you need to specify the "public" subnet range you want to allow (your data center range, for example). These new firewall rules must have a lower priority value so they take precedence over the existing ones. Once you validate it is working properly you can delete the old ones (Video: GCP Firewall).
I hope that helps; if you need more assistance just write me a comment.
Your problem is very similar to configuring the Google Identity-Aware Proxy, which is part of the Google BeyondCorp architecture and, providing your users have Google IDs, is very effective.
The docs explain the process for setting up IAP, but they also help explain how to configure the moving parts. You need to:
Set your A record on your DNS to the public front-end of your load balancer
Configure your firewall rule on your GCE instance to not permit any traffic from the Internet, but only allow from the load balancer. The load balancer has a helpful graphic to show the rules.
Configure your load balancer back end to direct traffic from your front end to the GCE instance. I have TLS over the internet to the LB and then HTTP from the LB to my instance, but you don't have to.
Your load balancer will then take the HTTP/S traffic and forward it to the back end using the forwarding rule that you set up when configuring it. If you try to go to the instance IP directly then the firewall will block you; for testing you can add an allow rule for your client IP, and then you will see that you don't get the headers.
Here's how I fixed this issue:
In your GCP account,
go to VPC Networks, then to Firewall rules.
You need to create 2 firewall rules:
1) Allow all traffic coming from Google health checks and your own load balancer.
Priority: 500
Direction: Ingress
Action on match: Allow
Target tags: if you want to apply this rule only to 1 instance, then open the VM instance, edit it, create the specific network target tag, save it and then add it here.
IP ranges: 35.191.0.0/16 and 130.211.0.0/22 https://cloud.google.com/load-balancing/docs/https#source_ip_addresses
2) Deny all traffic.
Priority: 900
Direction: Ingress
Action on match: Deny
Target tags: put here the same network target tag(s).
IP ranges: 0.0.0.0/0
That's it. If you put the IP of the VM instance in your browser, it will fail. Access will be forced through the Load Balancer.
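How GCP decides between the two rules above (and the stock allow rule they are meant to override), as an added example that is not part of the original answers. It models the two parts of VPC firewall evaluation the answers rely on: a rule only applies to instances carrying one of its target tags, and among the rules that match a packet the lowest priority number wins, with an implied deny for any ingress nothing matches. The tag names, the client addresses and the presence of a `default-allow-http` rule at priority 1000 (targeting the `http-server` tag) are constructed to mirror the thread; the two source ranges are the ones quoted in the answer.

```python
"""Evaluate GCP VPC ingress firewall precedence for the rules in the answer
(added example, not from the original thread)."""
import ipaddress
from dataclasses import dataclass

# Google health-check / load-balancer source ranges quoted in the answer.
LB_SOURCE_RANGES = ("35.191.0.0/16", "130.211.0.0/22")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # 0..65535; a lower number takes precedence
    action: str              # "allow" or "deny"
    source_ranges: tuple     # CIDR strings
    target_tags: tuple = ()  # empty = applies to every instance in the VPC

    def matches(self, src_ip, instance_tags):
        """True if this rule applies to the instance and the source address."""
        if self.target_tags and not set(self.target_tags) & set(instance_tags):
            return False
        return any(src_ip in ipaddress.ip_network(r) for r in self.source_ranges)


def evaluate_ingress(rules, src_ip, instance_tags):
    """Return (action, rule_name) for a packet from src_ip to an instance
    carrying instance_tags. Unmatched ingress falls to the implied deny."""
    src = ipaddress.ip_address(src_ip)
    matched = [r for r in rules if r.matches(src, instance_tags)]
    if not matched:
        return "deny", None
    winner = min(matched, key=lambda r: r.priority)
    return winner.action, winner.name


# The two rules from the answer, scoped to a constructed "web" tag, plus the
# stock default-allow-http rule (priority 1000, tag http-server) that the
# "Allow HTTP traffic" checkbox creates.
RULES = (
    Rule("allow-lb-and-healthchecks", 500, "allow", LB_SOURCE_RANGES, ("web",)),
    Rule("deny-all-ingress", 900, "deny", ("0.0.0.0/0",), ("web",)),
    Rule("default-allow-http", 1000, "allow", ("0.0.0.0/0",), ("http-server",)),
)


def demo():
    """Three cases: via the load balancer, direct to A.A.A.A, and an instance
    that still carries only the old http-server tag and not the new one."""
    via_lb = evaluate_ingress(RULES, "35.191.10.20", ("web", "http-server"))
    direct = evaluate_ingress(RULES, "203.0.113.7", ("web", "http-server"))
    old_tag_only = evaluate_ingress(RULES, "203.0.113.7", ("http-server",))
    return via_lb, direct, old_tag_only


if __name__ == "__main__":
    for label, result in zip(("via_lb", "direct", "old_tag_only"), demo()):
        print(label, result)
```

The third case is the one to check after applying the answer: the deny rule only protects instances that carry the tag you gave it, so an instance left with just the old `http-server` tag is still reachable at its external IP through `default-allow-http`. Removing the instance's external IP, as the first answer suggests, closes that gap regardless of tagging.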

Azure traffic manager -IP whitelisting

I have an Azure Traffic Manager over a geo-distributed cloud service. I need to lock down my cloud services, which are primarily web APIs, so that they are accessible only to a certain range of IP addresses. Is there a way to achieve this? Or maybe there are ways to restrict IP addresses on cloud services, but with a Traffic Manager on top of that, would that work? Does Traffic Manager pass the source IP address through to the cloud services?
Traffic Manager cannot filter traffic. It just responds to DNS queries from clients.
The source IP address will be the original one because the traffic doesn't go through Traffic Manager, it only tells the caller where to go, and the caller then calls your service directly.
Late to the party, but: if you ended up using a whitelist on, for example, an Azure App Service, then you will need to add the addresses of Traffic Manager as well. Otherwise Traffic Manager will not be able to check the health of your app and will report it as degraded.
You can find it here: https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-faqs#traffic-manager-endpoint-monitoring
Direct link: https://azuretrafficmanagerdata.blob.core.windows.net/probes/azure/probe-ip-ranges.json
Also late to the party, but we were restricting our App Services by IP address and all of a sudden our Traffic Managers started to display degraded after working fine for years. After lots of investigation we think that Azure added some new Traffic Managers that were on different IP addresses, so they were getting blocked by our IP restrictions. The original restrictions had included a small range of IP addresses for the Traffic Manager, but this list looks like it's expanded. The best solution is to allow the Traffic Manager through, not based on its IP address but on its service tag, as below:
