Achieve country level blocking while using azure traffic manager and azure application gateway with WAF - asp.net-mvc

We have used Azure Traffic Manager and Azure Application Gateway with a Web Application Firewall for an MVC C# web application which is hosted on an Azure virtual machine.
For security reasons, we need to allow specific IP addresses and block access at the country level.
But we are unable to find a way to block access at the country level and also allow specific IP addresses from that country.
Can you please guide us on a way/the feasibility to achieve this?
Does it need any other Azure service, or can it be achieved with existing services/configuration?

We are unable to find a way to block access at the country level and also allow specific IP addresses from that country.
From the network connectivity, the IP address only identifies the terminal device location. Also, the device location from a country is included in that country level. If you choose to block some countries (for example, you can look at geo-filtering with WAF for Azure Front Door), this will block all IP addresses from that country, as the WAF should work in front of the web app service or application gateway. So I don't think it's possible.
In fact, what you want is to allow some specific IP addresses. You can simply allow those IP addresses in the inbound rule of the NSG which is associated with the application gateway subnet, and whitelist your application gateway subnet in the NSG rule of the backend Azure VMs without any other internet access. It will only allow that IP address to access your backend application through Azure Application Gateway. Read more details from this blog.

Related

Exclude cloud run from outer internet

I have a backend and a Google Endpoints service (both on Cloud Run). The Endpoints service provides information from the backend for authorized users. I want to make the backend not accessible from the outer internet. There is a possibility to allow only inner connections by setting Ingress -> Allow internal traffic only. If I do that, my Endpoints service can't reach the backend. All endpoints and the backend are connected to the same VPC. How can I exclude the backend from the outer internet?
You have 2 solutions:
Continue to expose your backend service to the internet but make it secure (IAM protected service, deployed with the --no-allow-unauthenticated option). However, grant only the service account of your endpoint service to reach the backend. Like that, all the unauthenticated and the unauthorized traffic will be filtered by GFE (Google Front End) and discarded automatically. Only allowed traffic will reach the backend. That solution has the advantage of allowing you to also test the backend in case of issue, for example, with the correct permissions.
The second solution is exactly what you want:
Set the backend ingress to internal only
Create a serverless VPC connector, add it to the endpoint service with the egress control set to ALL.
Like that, all the traffic of the endpoint will be routed through the VPC connector, land in your VPC and then internally access your backend. Why egress=all? Because, even if you set your backend ingress to internal, the Cloud Run URL is still public (but an additional check is done to be sure that the traffic comes from your VPC; it's named authenticated network traffic).
In the end, it's always authentication based (on network source or on service account identity). The serverless VPC connector costs about $17 per month.

IP filtering on Google Cloud run

I have an Angular web app I want to deploy using Google Cloud Run. However, I need the app to be visible only from a list of predefined IP addresses.
Can I simply set the IP allow/deny rules under the Google Cloud Platform firewall, or do I need another method?
Thanks in advance,
Nico
Google is clear about this point:
Don't trust the network
By the way, Google's top priority in development doesn't rely on IP origin but on tokens for identity and authorization.
For Cloud Run, you have Google Front End (GFE) which acts as a proxy, checks the authentication (in case of private Cloud Run), ensures that the SSL certificate is deployed and valid, ... It's not possible to customize it with IP filtering.
Even if you plug an Endpoints (ESP) gateway in front of your Cloud Run service, it is not possible to filter on IP among all the security methods. The easiest for you should be to use an API key; I wrote an article on this.
In the future, Cloud Run will be compliant with Load Balancer. Not sure that will be enough for filtering IPs.
All of this is to tell you that, if you want to implement IP filtering on top of Cloud Run (and Cloud Functions), you have to implement it yourself.
There is currently no way to make Cloud Run accessible only for certain IPs.
However, Cloud Run services are deployed privately by default and are secured by IAM.
If you need to authenticate users, the provided ways are to use Google Sign-In or, should you want to use other credentials, Identity Platform or Firebase Authentication.
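Since the answers above conclude that IP filtering on Cloud Run has to be done inside the service itself, here is an added example (not code from the answers or from Google) of an allow-list check on the client address a front-end proxy such as GFE reports in X-Forwarded-For. The CIDR ranges, the `trusted_hops` value and the WSGI wrapper are assumptions for illustration.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed allow-list: the ranges this service should accept.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def client_ip_from_xff(xff_header: Optional[str], trusted_hops: int = 0) -> Optional[str]:
    """Pick the client IP out of X-Forwarded-For.

    A proxy appends the address it saw to the RIGHT of whatever the client sent,
    so values the client prepended itself cannot be trusted. trusted_hops is the
    number of proxies we own that appended after the one that saw the client
    (assumption: 0 when GFE is the only proxy in front of the service).
    """
    if not xff_header:
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    idx = len(hops) - 1 - trusted_hops
    if idx < 0:
        return None
    try:
        return str(ipaddress.ip_address(hops[idx]))
    except ValueError:  # malformed entry: fail closed
        return None


def is_allowed(ip: Optional[str], networks: Iterable = ALLOWED_NETWORKS) -> bool:
    """True only if the address falls inside one of the allowed networks."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def allow_request(headers: dict, trusted_hops: int = 0) -> bool:
    """Decision a request handler makes before serving the request."""
    return is_allowed(client_ip_from_xff(headers.get("X-Forwarded-For"), trusted_hops))


def ip_filter_middleware(app, trusted_hops: int = 0):
    """Hypothetical WSGI wrapper that returns 403 for non-allow-listed clients."""
    def wrapped(environ, start_response):
        ip = client_ip_from_xff(environ.get("HTTP_X_FORWARDED_FOR"), trusted_hops)
        if not is_allowed(ip):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden"]
        return app(environ, start_response)
    return wrapped
```

Getting `trusted_hops` wrong in either direction either lets a client spoof its address by prepending one, or locks everyone out, so verify the hop count against a real request before relying on it.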

Restrict access of the back-end pool from application gateway public IP

I have mapped the DNS of the application gateway (v2) to the public domain registry and I am able to access the backend pool (web app) from the public domain (mydomain.com). But I am also able to access the web app from the DNS/IP of the application gateway.
I want to restrict access to the web app from the DNS/IP of the application gateway.
thanks,
regards
Sakaldeep
If I'm understanding you correctly, you want to access the web app only from the DNS/IP of the application gateway. If so, you could add an access restriction rule to your web app.
You could open Network > Access Restrictions and click on Configure Access Restrictions in your app service on the Azure portal. Ref: adding and editing Access Restriction rules in the portal. You can click on [+] Add to add the front-end IP address of the application gateway in the access restriction rule.
If you only want to access the web app from the public domain (mydomain.com) but not from the IP/DNS of the application gateway, but the traffic should still go through the application gateway (domain -> App GW -> Web App), then configure a Multi-site Listener even if you have only one site.
You will see the following when you hit it through the IP/DNS of the application gateway, but you are still able to access it through the domain. Also, configure the restriction at the web app level.
404 Not Found

Microsoft Graph API- no way to retrieve available Office 365 supported services for domains

Goal: Automate Office 365 domain verification and DNS service record retrieval. Retrieve a list of supported Microsoft services for verified domains.
Solution: Retrieve DNS records using
GET /domains/contoso.com/serviceConfigurationRecords
and configure the domain.
Issue: When a domain is added to a tenant and verified, none of the DNS records can be retrieved via Graph because the domain does not support any services (although the admin portal UI does display the service DNS records immediately following domain verification). To update the supported services for a domain, I need to know which ones can be supported.
Question:
Is there a way to retrieve the list of all available services which I can use to patch the domain?
Can I patch the domain in a way which will automatically set it to support all the available services?
Any other idea?

Handheld Device and Web services

I am working on a C#.NET application for handheld devices with Windows CE 2003. These devices connect to a web service, hosted on a local web server, for the connection to the database.
Problem I am facing: I have to keep the web service directory security as Anonymous because the handheld device can't be authenticated from AD, and that's why I can't use Windows authenticated security settings.
Can anyone suggest how I ensure the security of a web service having anonymous security?
Cheers :)
I have to keep directory security as anonymous for the Pocket PCs to use the web service, but we can control these permissions by granting access on the basis of IP addresses through IIS. For this, just go to IIS, right click on the web service folder and go to Properties. Then in the Directory Security tab, the IP address and domain name restrictions section provides this functionality of restricting users on the basis of their IP or domain.
I hope it will help others too.
Cheers.