Problems using App Gateway as Origin with Azure Frontdoor Premium (Preview) - azure-application-gateway

I am trying to deploy an Azure Front Door Premium resource (preview) with Application Gateway as the origin. It will send traffic to App Gateway via the Private Link service; however, I am facing this blocker, as shown in the image below. My question is:
Specifically for App Gateway, what does "target sub resource" mean? I understand from the Microsoft docs that with an app resource as the origin you could leave it blank.
Also note that if I click "target sub resource" it shows no available items.
Any pointers would be much appreciated.
Thanks

Unfortunately, this feature is not supported in Azure, as Private Link is in private preview on Application Gateway. At present, Private Link Service is only supported on Standard Load Balancer. Hence, sending traffic to App Gateway via Private Link Service is not possible without getting onboarded to the private preview feature via a Microsoft support request.
I also tried deploying an Azure Front Door Premium resource (preview) with Application Gateway as the origin; no available item is shown in Target Resource.
"Azure Front Door Standard/Premium (Preview) is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews."
However, if needed, I found one template created by the community team to create Front Door Standard/Premium with an Application Gateway origin:
https://azure.microsoft.com/en-in/resources/templates/front-door-standard-premium-application-gateway-public/ It works by providing the host name only, and uses an NSG and WAF policy to validate that traffic has come through the Front Door origin.
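The check the template's NSG and WAF policy enforce can also be mirrored in the application behind App Gateway, which is useful as defence in depth when the network path is later changed. The following is an added example written for this page; it is not code from the original thread or from the linked template. It assumes the two things Front Door gives you: requests arrive from the AzureFrontDoor.Backend address space, and they carry an X-Azure-FDID header equal to your Front Door profile's ID. The CIDR ranges and the profile ID in the code are constructed sample values, not the real service-tag ranges.

```python
"""Application-side check that a request reached the origin via a specific Azure Front Door.

Added example, not code from the original thread or the linked template. It mirrors what
that template's NSG + WAF custom rule enforce at the network/WAF layer:
  1. the source address must belong to the Front Door backend address space, and
  2. the X-Azure-FDID header must carry this Front Door profile's ID.
The ranges and the ID below are made-up sample values; in a real deployment the ranges
come from the AzureFrontDoor.Backend service tag and the ID from the profile's
"Front Door ID" property.
"""
import ipaddress
from typing import Iterable, Mapping

# Constructed sample data: NOT the real AzureFrontDoor.Backend ranges.
SAMPLE_FRONT_DOOR_BACKEND_RANGES = ["203.0.113.0/24", "2001:db8:fd00::/48"]
SAMPLE_FRONT_DOOR_ID = "11111111-2222-3333-4444-555555555555"


def _networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def from_front_door(headers: Mapping[str, str], remote_ip: str,
                    expected_fdid: str = SAMPLE_FRONT_DOOR_ID,
                    backend_ranges: Iterable[str] = SAMPLE_FRONT_DOOR_BACKEND_RANGES) -> bool:
    """Return True only if BOTH the source IP and the X-Azure-FDID header check out.

    Front Door adds the header on every request it forwards, but any client that can
    reach the origin directly can forge it. The header check is therefore only
    meaningful together with the source-IP restriction (the NSG rule with the
    AzureFrontDoor.Backend service tag in the template); neither check alone is enough.
    """
    # 1. Source address must be inside the Front Door backend address space.
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False                      # unparsable address: fail closed
    if not any(addr in net for net in _networks(backend_ranges)):
        return False

    # 2. Header names are case-insensitive; the value must match exactly (no prefix match).
    lowered = {k.lower(): v for k, v in headers.items()}
    fdid = lowered.get("x-azure-fdid")
    return fdid is not None and fdid.strip() == expected_fdid
```

Wire `from_front_door` into the request pipeline before any authentication logic runs, and keep the NSG and WAF rules in place; the application check is a second layer, not a replacement for them.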

Related

Can Azure B2C Application Registration for ASP.Net MVC also be used with Xamarin IOS and Android Apps

I have a website which is currently live and uses Azure B2C to manage user authentication. The site has been so successful that I have decided to build app (iOS and Android) versions of the site using Xamarin.
My 2 questions are:
Can I use my existing application registration in B2C to authenticate both my MVC and native apps? If so, is this done via the "Allow public client flows" radio button under the Advanced settings section of the Authentication tab in Azure B2C? Will turning this from No to Yes impact the running of my registration for the website? (As the system is live with thousands of users, I am very wary of making updates to B2C settings.)
What is the best way of testing changes to Azure B2C? Is there an easy way to create dev environments that can then be flipped to live, switching out the live version with the dev environment?
Any help will be gratefully received.
J
"Can I use my existing application registration in B2C to authenticate both my MVC and native apps? If so, is this done via the "Allow public client flows" radio button under the Advanced settings section of the Authentication tab in Azure B2C? Will turning this from No to Yes impact the running of my registration for the website? (As the system is live with thousands of users, I am very wary of making updates to B2C settings.)"
It's not recommended to use the same app registration in this case.
Please see the differences between public client and confidential client applications.
Confidential client applications can safely keep application secrets, while public clients cannot. If you use the same app registration, there is a conflict in keeping application secrets. And using the same app registration for multiple applications makes permission control more difficult.
So in this case, it's recommended to create a new app registration with the Public client/native platform.
Turning "Allow public client flows" from No to Yes does not change it to the native app type.
You could set "allowPublicClient": true in the manifest file.
"What is the best way of testing changes to Azure B2C? Is there an easy way to create dev environments that can then be flipped to live, switching out the live version with the dev environment?"
Creating a new app registration will not affect the use of your web application.

How to Stream logs from Azure Web Apps without signing into the Azure portal?

I have my .NET apps hosted in Azure Web Apps. Is there any way that I can stream/view the application/server log traces directly without signing into the portal?
The reason I need this is that my team contains fellow developers who will not have access to the Azure portal.
Please help if there is any solution for this. Thanks in advance.
I have tried enabling log streaming inside the Azure portal, but that doesn't meet my requirement.
I also tried storing the logs in an Azure storage account, but I cannot find any open-source tools to fetch and read the logs, and this feels like a time-consuming solution.
Mohit's recommendations are great and probably the best advice; however:
I have a suggestion which does not fulfil the requirement of not having a role in Azure, but may offer such an advantage that it could be worth it. Using the Azure CLI you can stream out the logs:
az webapp log tail --name appname --resource-group myResourceGroup
https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#streamlogs
You may be able to set up a role with sufficient constraints that all the developer can do is read the diagnostic logs:
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/roles-permissions-security
Also, if you are not familiar with it, I'd suggest looking at Azure Application Insights. It does not have the super-low-level logs, but is likely sufficient for diagnosing the issues a developer would typically run into, and it has many advanced features that make it far easier to diagnose things than looking at log files.
https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview
The simplest way to achieve that is to use a storage account and container for application and diagnostic logging.
To enable diagnostics for your Azure web app, you can do the following:
Log in to your account at https://portal.azure.com/.
Go to your Azure Web App and select Settings > Diagnostics logs.
For Application Logging (Blob), click On and set the parameters.
Set the Level for the logging.
For Storage Settings, click > and select the Storage Account and Container.
This is the Storage Account and Container that Azure will use to store logs for the Web App. Make note of this information because you will need it to set up a log collection job in USM Anywhere. You can click + Storage Account to create a new storage account or container, or select an existing one.
For Web server logging, select Storage.
Click Storage Settings and select the same storage account and container that you set for the application logging.
Once done, you can share the Azure storage container using a SAS (shared access signature).
The SAS is a URI with predefined access on the container; this way you will be able to see the logs without accessing the Azure portal.
A shared access signature (SAS) is a URI that allows you to specify the time span and permissions allowed for access to a storage resource such as a blob or container. The time span and permissions can be derived from a stored access policy or specified in the URI. We’ll cover both of these in detail later.
You can refer below docs for reference.
https://blogs.msdn.microsoft.com/jpsanders/2017/10/12/easily-create-a-sas-to-download-a-file-from-azure-storage-using-azure-storage-explorer/
https://www.red-gate.com/simple-talk/cloud/platform-as-a-service/azure-blob-storage-part-9-shared-access-signatures/
https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/azure/azure-enable-diagnostics.htm
Hope it helps.
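The security-relevant detail in the SAS step above is how narrow the token is: scoped to one container, read and list only, short-lived, and HTTPS-only, so a developer holding it can download the logs and nothing else. The following is an added example for this page, not code from the original thread; it mints such a token with the standard library only, following the documented service-SAS string-to-sign layout for service versions 2018-11-09 through 2020-10-02 (HMAC-SHA256 over the newline-joined fields, keyed with the base64-decoded account key). The account name and key are constructed sample values; the function names are this example's own.

```python
"""Mint a short-lived, read/list-only SAS for a log container using only the stdlib.

Added example, not code from the original thread. The string-to-sign layout is the
documented service-SAS format for service versions 2018-11-09 through 2020-10-02
(HMAC-SHA256 over newline-joined fields, keyed with the base64-decoded account key).
The account name and key below are constructed sample values.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SERVICE_VERSION = "2020-10-02"

# Constructed sample credentials; a real account key is a secret and never belongs in code.
SAMPLE_ACCOUNT = "mylogsaccount"
SAMPLE_KEY = base64.b64encode(b"not-a-real-key" * 4).decode()


def _ts(value):
    """Accept a datetime or an already formatted 'YYYY-MM-DDTHH:MM:SSZ' string."""
    return value if isinstance(value, str) else value.strftime("%Y-%m-%dT%H:%M:%SZ")


def container_sas(account, account_key, container, permissions="rl",
                  start=None, expiry=None, allowed_ip=""):
    """Return the SAS query string for one container.

    Defaults give log readers 'r' (read) and 'l' (list) only: they can browse and
    download blobs in this container but cannot write or delete, and the token does
    not reach other containers. It expires after one hour unless 'expiry' is given,
    and is bound to HTTPS so it cannot be replayed over plain HTTP.
    """
    for p in permissions:
        if p not in "rl":
            # Refuse to mint anything a log reader does not need (w, d, a, c, ...).
            raise ValueError(f"permission {p!r} not allowed for log readers; use 'rl'")
    now = datetime.now(timezone.utc)
    fields = {
        "sp": permissions,
        "st": _ts(start or now - timedelta(minutes=5)),   # tolerate clock skew
        "se": _ts(expiry or now + timedelta(hours=1)),
        "spr": "https",
        "sv": SERVICE_VERSION,
        "sr": "c",                                          # container-scoped
    }
    if allowed_ip:
        fields["sip"] = allowed_ip                          # optional IP/range pinning

    # Field order is fixed by the service; unused fields are still newline-separated.
    string_to_sign = "\n".join([
        fields["sp"], fields["st"], fields["se"],
        f"/blob/{account}/{container}",   # canonicalized resource
        "",                               # signedIdentifier: no stored access policy
        fields.get("sip", ""),
        fields["spr"], fields["sv"], fields["sr"],
        "",                               # signedSnapshotTime
        "", "", "", "", "",               # rscc, rscd, rsce, rscl, rsct overrides
    ])
    key = base64.b64decode(account_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    fields["sig"] = base64.b64encode(digest).decode()
    return urlencode(fields)


def sas_fields(sas):
    """Split a SAS query string back into a flat dict (for inspection/auditing)."""
    return {k: v[0] for k, v in parse_qs(sas).items()}


def container_list_url(account, container, sas):
    """URL a developer can open (or curl) to list the log blobs with the token."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list&{sas}"
```

Hand developers the URL from `container_list_url`, not the account key, and regenerate it when it expires; if a token leaks, rotating the account key invalidates every SAS signed with it, which is why the expiry should stay short.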

How to integrate two cloud application in a fiori launch pad

I have a requirement where I need to open two different cloud applications, for example one hosted in SAP Cloud Platform and another hosted in IBM's cloud environment, from the SAP Fiori Launchpad, probably using two different tiles, and the application should open within the same window.
SSO configurations are already in place, whereby the IBM system can be accessed when the user logs into SAP Cloud Platform.
Regards,
Smith.
When you are creating a tile, make sure you give the URL of the app in the IBM system as the Target URL in the tile configuration under Navigation.
Make sure you enter the protocol specifier, like http or https, without which this will fail.

Microsoft Graph API V2 application add static permissions failure

I am having problems migrating from Microsoft Graph v1 applications to v2 applications.
As part of the backward compatibility offered by the new v2 applications, I can see the applications from the original v1 application portals (old and new); however, I cannot modify the application due to unknown errors (see attached screenshots).
The reason I want to use the original portal is to add permissions to other applications (in the v2 documentation these are called 'static permissions'), such as the 'Office 365 Management Activity API'. I think it is possible using the '/applications' resource, but I didn't find in the documentation how to do it.
Has anyone encountered such a problem and knows how to overcome it, or used the Graph API to get permissions for other Microsoft REST APIs?
For v1 apps, you should use the "App Registrations" blade in the newer Azure Portal (portal.azure.com). This blade has a "Required Permissions" section where you can add different permissions for different APIs.
For v2 apps, you should use the Application Registration Portal (apps.dev.microsoft.com). This portal has a "Microsoft Graph Permissions" section where you can add different permissions for the Microsoft Graph.
At this time, v2 apps only support permissions to the Microsoft Graph, if you want to access other APIs (like the Office 365 Management Activity API) you'll need to use v1 apps.
You should not use the classic Azure portal (manage.windowsazure.com) for anything, really, at this point.

callbackurl while connecting to vso using oAuth

I am trying to connect to VSO using OAuth.
The first step is to register our app and configure a callback URL.
I am creating a console application to test the connectivity.
Please let me know how to configure the callback URL.
Firstly, please take note that right now it is only supported to register a web application; it is impossible to register a console app.
So, you need to have a web app first, you can download and use this sample project for a quick start: https://vsooauthclientsample.codeplex.com/
After you download the app, open it in VS2013 or higher, right-click it in Solution Explorer and select Publish.
On the Publish Web page, select Microsoft Azure Website option to publish that web app to Azure.
Then, the web app is published to Azure with the URL similar to: https://vsodevabc.azurewebsites.net
And when you register this web app, you can set Application Website and Callback URL to the following. (Note: the callback URL should be https://yoursite.azurewebsites.net/oauth/callback, where "yoursite" is the name of your Azure web site.)
When using VSO (now called Team Services) with OAuth 2.0, you do have to provide a callback URL endpoint that Microsoft's Team Services can call directly. So you need to have your application's callback URL endpoint published, such as by publishing to Azure or AWS or any hosting provider that will allow you to have a publicly accessible URL. In the FAQ under the Team Services REST API, there is mention of this approach for debugging purposes:
"Visual Studio Team Services does not allow localhost to be the hostname in your callback URL. You can edit the hosts file on your local computer to map a hostname to 127.0.0.1. Then use this hostname when you register your app. Or, you can deploy your app when testing to a Microsoft Azure website to be able to debug and use HTTPS for the callback URL."
Visual Studio Team Services REST API OAuth
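Both answers above stop at getting the callback URL registered; what the endpoint behind that URL must do once Team Services redirects to it is the part that decides whether the integration is safe. The following is an added example written for this page, not code from the original thread or from the linked sample project. It never contacts Team Services. It shows the callback tying the redirect to the user's session with a random one-time `state`, rejecting callbacks whose `state` is missing, unknown or replayed (so an attacker cannot splice their own authorization code into a victim's session), and refusing a callback URL that the quoted registration rule would reject (non-HTTPS or localhost). The authorize endpoint and the `response_type=Assertion` parameter are as the Team Services OAuth documentation describes them at the time of the thread and are an assumption here; the class and method names, the app ID, the scope and the callback host are this example's own.

```python
"""Callback handling for the web app the answers say Team Services OAuth requires.

Added example, not code from the original thread or the linked sample project. It never
contacts Team Services; it covers what the /oauth/callback endpoint must do before it is
safe to redeem the authorization code: mint a random one-time 'state', accept a callback
only once and only if 'state' matches, and refuse to be configured with a callback URL
that the registration rules reject (non-HTTPS or localhost). The authorize endpoint and
the 'response_type=Assertion' parameter are an assumption taken from the Team Services
OAuth documentation; check the current docs before relying on them.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://app.vssps.visualstudio.com/oauth2/authorize"   # assumption


class TeamServicesOAuth:
    def __init__(self, client_id, callback_url, scope):
        cb = urlparse(callback_url)
        # Mirror the registration rules quoted in the thread: HTTPS and a real hostname.
        if cb.scheme != "https":
            raise ValueError("callback URL must use https")
        if cb.hostname in (None, "localhost", "127.0.0.1", "::1"):
            raise ValueError("callback hostname may not be localhost; map a name in the hosts file or deploy")
        self.client_id = client_id
        self.callback_url = callback_url
        self.scope = scope
        # state -> pending. In a real app this lives in the user's server-side session.
        self._pending = {}

    def authorization_url(self):
        """Return (state, redirect URL). Store 'state' in the session before redirecting."""
        state = secrets.token_urlsafe(32)           # 256 bits, unguessable
        self._pending[state] = True
        params = {
            "client_id": self.client_id,
            "response_type": "Assertion",           # assumption: Team Services flow
            "state": state,
            "scope": self.scope,
            "redirect_uri": self.callback_url,
        }
        return state, f"{AUTHORIZE_URL}?{urlencode(params)}"

    def handle_callback(self, request_url):
        """Validate the callback and return the authorization code to redeem.

        Raises PermissionError when 'state' is missing, unknown, or replayed, so a
        forged or re-sent callback cannot bind someone else's code to this session.
        """
        query = parse_qs(urlparse(request_url).query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        # pop() makes each state single-use: a second delivery of the same callback fails.
        if state is None or not self._pending.pop(state, False):
            raise PermissionError("unknown or already-used state")
        if not code:
            raise ValueError("callback carries no authorization code")
        return code
```

The code returned by `handle_callback` is what the sample project then posts to the token endpoint; the point of the `state` check is that this exchange only ever happens for a redirect the application itself started.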
