Restrict access to the back-end pool from the application gateway public IP - azure-application-gateway

I have mapped the DNS of the application gateway (v2) to the public domain registry and I am able to access the backend pool (web app) from the public domain (mydomain.com). But I am also able to access the web app from the DNS/IP of the application gateway.
I want to restrict access to the web app from the DNS/IP of the application gateway.
thanks,
regards
Sakaldeep

If I'm understanding you correctly, you want to access the web app only from the DNS/IP of the application gateway. If so, you could add an access restriction rule to your web app.
You could open Network > Access Restrictions and click on Configure Access Restrictions in your app service on the Azure portal. Ref: adding and editing Access Restriction rules in the portal. You can click on [+] Add to add the front-end IP address of the application gateway in the access restriction rule.

If you only want to access the web app from the public domain (mydomain.com) but not from the IP/DNS of the application gateway, while the traffic should still go through the application gateway (domain -> App GW -> Web App), then configure a Multi-site Listener even if you have only one site.
You will see the response below when you hit the IP/DNS of the application gateway, but you are still able to access through the domain. Also, configure the restriction at the web app level.
404 Not Found
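The two steps described in the answers above (an access restriction on the App Service that admits only the gateway's frontend IP, and a listener bound to the custom host name so the bare gateway IP/DNS no longer matches) can be applied with Azure PowerShell. This is an added example, not code from the original answers; the resource group, web app, gateway, public IP, listener and frontend port names are assumed, and it requires the Az module (Az.Websites, Az.Network) after Connect-AzAccount.

```powershell
# Added example: lock an App Service to traffic arriving through an Application
# Gateway v2 and make the gateway listener host-name specific.
# All resource names below are assumptions for illustration.
$rg           = 'rg-web'           # assumed resource group
$webApp       = 'webapp-contoso'   # assumed App Service name
$gatewayName  = 'agw-contoso'      # assumed Application Gateway (v2) name
$publicIpName = 'pip-agw-contoso'  # assumed public IP resource of the gateway frontend
$listenerName = 'listener-http'    # assumed name of the gateway's existing listener
$portName     = 'port_80'          # assumed name of the gateway's existing frontend port
$hostName     = 'mydomain.com'     # the custom domain from the question

# 1. Resolve the gateway's frontend public IP and allow only that address on the web app.
#    As soon as one Allow rule exists, App Service denies every unlisted source,
#    so direct requests to <app>.azurewebsites.net are refused.
$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $publicIpName
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $webApp `
    -Name 'AllowAppGatewayFrontend' -Priority 100 -Action Allow `
    -IpAddress "$($pip.IpAddress)/32"

# 2. Bind the listener to the host name (multi-site listener with a single site).
#    Requests whose Host header is the gateway IP or its DNS label match no listener
#    and receive the 404 shown in the answer; requests for mydomain.com still route.
$gw  = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gatewayName
$fip = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw |
       Where-Object { $_.PublicIPAddress } | Select-Object -First 1
$fp  = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name $portName
Set-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name $listenerName `
    -Protocol Http -FrontendIPConfiguration $fip -FrontendPort $fp -HostName $hostName | Out-Null
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# 3. Verify the effective access restrictions on the web app.
(Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $webApp).MainSiteAccessRestrictions |
    Format-Table RuleName, Action, IpAddress, Priority
```

The web app rule is the part that actually closes the direct path; the host-name listener only changes what the gateway answers, so keep both. If the gateway terminates TLS, repeat the listener change for the HTTPS listener with its certificate.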

Related

Achieve country level blocking while using azure traffic manager and azure application gateway with WAF

We have used Azure Traffic Manager and Azure Application Gateway with a Web Application Firewall for an MVC C# web application which is hosted on an Azure virtual machine.
For security reasons, we need to allow specific IP addresses and block access at the country level.
But we are unable to find a way to block access at the country level and also allow specific IP addresses from that country.
Can you please guide a way/feasibility to achieve this?
Does it need any other Azure service, or can it be achieved with existing services/configuration?
We are unable to find a way to block access at the country level and also allow specific IP addresses from that country.
From the network connectivity, the IP address only identifies the terminal device location. Also, the device location from a country is included in that country level. If you choose to block some countries (for example, you can look at geo-filtering with WAF for Azure Front Door), this will block all IP addresses from that country, as the WAF should work in front of the web app service or application gateway. So I don't think it's possible.
In fact, if what you want is to allow some specific IP addresses, you can simply allow those IP addresses in the inbound rule of the NSG which is associated with the application gateway subnet, and whitelist your application gateway subnet in the NSG rule of the backend Azure VMs without any other internet access. It will only allow that IP address to access your backend application through Azure Application Gateway. Read more details from this blog.
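The NSG layout the answer describes (permitted client IPs allowed into the gateway subnet, and only the gateway subnet allowed into the VM subnet) looks like this in Azure PowerShell. This is an added example, not the blog or code the answer refers to; the NSG names, the client address 203.0.113.10 and the gateway subnet range 10.0.1.0/24 are constructed, and it needs Az.Network after Connect-AzAccount. It also adds the two inbound rules an Application Gateway v2 subnet must keep (GatewayManager on 65200-65535 and the Azure load balancer), which the answer does not mention but without which the gateway stops reporting healthy.

```powershell
# Added example: NSG rules for the "allow a few client IPs, everything else only
# via the gateway" design. Names and addresses are constructed for illustration.
$rg            = 'rg-web'
$allowedClient = '203.0.113.10/32'   # constructed address of the one permitted client
$agwSubnet     = '10.0.1.0/24'       # assumed address range of the gateway subnet

# --- NSG attached to the Application Gateway subnet ---
$agwNsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-agw'   # assumed name

# Application Gateway v2 control-plane traffic; required or the gateway degrades.
$agwNsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowGatewayManager' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix GatewayManager -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 65200-65535 | Out-Null
$agwNsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowAzureLoadBalancer' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol '*' `
    -SourceAddressPrefix AzureLoadBalancer -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null

# The one client you want to admit, on the listener port only.
$agwNsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowPermittedClient' -Priority 120 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $allowedClient -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443 | Out-Null

# Explicit deny for the rest of the internet (evaluated before the default rules).
$agwNsg | Add-AzNetworkSecurityRuleConfig -Name 'DenyOtherInternet' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null
$agwNsg | Set-AzNetworkSecurityGroup | Out-Null

# --- NSG attached to the backend VM subnet: only the gateway subnet may talk to the VMs ---
$vmNsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-backend'   # assumed name
$vmNsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowFromAppGatewaySubnet' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $agwSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80,443 | Out-Null
$vmNsg | Add-AzNetworkSecurityRuleConfig -Name 'DenyAllOtherInbound' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null
$vmNsg | Set-AzNetworkSecurityGroup | Out-Null

# Review the effective rule set on both NSGs.
$agwNsg, $vmNsg | ForEach-Object {
    $_ | Get-AzNetworkSecurityRuleConfig | Sort-Object Priority |
        Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
}
```

Because the VM NSG accepts only the gateway subnet, a client that bypasses Traffic Manager and the gateway by connecting to a VM's public address directly is dropped regardless of its source country.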

I need Clarification on Azure App Registration

I need to Register an App in the Azure Portal in order to retrieve a Token for my Windows Desktop application.
Do I select Web App / API or Native?
APPLICATION DETAILS
The main application is a Windows Desktop Executable. It does NOT run on a handheld device (e.g. SmartPhone) NOR is a web browser involved.
We've created a type library using the EWS Managed API in order to create appointments directly in Exchange (we use Exchange Online). Now we'd like to use OAuth APIs for authentication.
Use Native. It corresponds to OAuth2 public client concept - an application that cannot use/protect secrets. Use WebApp/API for Confidential Clients, e.g. web apps (except SPA), batch services running in protected environments, etc.

Single Sign On for Intranet with Vaadin & Springboot - security

We have a Vaadin / Spring Boot application which should be accessible via a browser and without login from intranet only.
We would like to implement SSO with the Windows login (Active Directory).
The goal is high security with least configuration as the application is sold to customers.
I came up with the following scenario:
Receive the IP address of the client accessing the Vaadin application.
Look up in the Active Directory / domain controller, which is in RW mode, which user is online with this IP address at this very moment.
Check the rights of this user managed by the Active Directory groups.
Make the application available with the logged-in user for the client requesting it.
IP spoofing is not possible (as the connection is bidirectional; also, users have no access to network devices).
This login process is only done once to initiate the session.
Am I correct with these thoughts? Can you see any security issues? Is it really necessary to use certificates?
What would you recommend if so? Kerberos, CAS, X.509, SAML?

How to register non-browser based app for OAuth API?

For example: http://www.behance.net/dev/register
requires a website name for registering a desktop app, but what could possibly be the website for such an app?
How do I register such a non-browser-based app?
That URL requires credentials so I cannot see exactly what they're requesting, but it probably wants the application's redirection endpoint.
In OAuth, client apps not only reside on a resource owner's device, but they must also operate a server that knows how to participate in one or more of the OAuth grant processes. The point of requiring a redirection endpoint is so the access token can be transmitted from the authorization server to the client app's server without exposing it to the other applications running on the resource owner's device.

Handheld Device and Web services

I am working on a C#.NET application for handheld devices with Windows CE 2003; these devices connect to a web service, hosted on a local web server, for connection to the database.
Problem I am facing: I have to keep the web service directory security as Anonymous because the handheld device can't be authenticated from AD, and that's why I can't use Windows authenticated security settings.
Can anyone suggest how I ensure the security of a web service that has anonymous security?
Cheers :)
I have to keep directory security as anonymous for the Pocket PCs to use the web service, but we can control these permissions by granting access on the basis of IP addresses through IIS. For this, just go to IIS, right-click on the web service folder and go to Properties. Then in the Directory Security tab, the IP address and domain name restrictions section provides this functionality of restricting users on the basis of their IP or domain.
I hope it will help others too.
Cheers.
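The same IIS "IP address and domain name restrictions" setting, applied from PowerShell instead of the IIS Manager dialog, as an added example that is not part of the original answer. It assumes IIS 7 or later with the IP and Domain Restrictions role service and the WebAdministration module installed (the IIS 6 Properties dialog the answer describes has no PowerShell module); the application path and the handheld subnet 192.168.50.0/24 are constructed. Note that an IP allow-list only decides which network addresses may reach the endpoint; it does not identify the device or user, so the service should still run over TLS and validate its inputs.

```powershell
# Added example: restrict an anonymous IIS web service to the handheld devices' subnet.
# Path and subnet are assumptions for illustration.
Import-Module WebAdministration

$appPath      = 'IIS:\Sites\Default Web Site\HandheldService'   # assumed site/application path
$handheldNet  = '192.168.50.0'                                    # constructed handheld subnet
$handheldMask = '255.255.255.0'
$filter       = '/system.webServer/security/ipSecurity'

# Start from an empty list so re-running the script does not duplicate entries.
Clear-WebConfiguration -PSPath $appPath -Filter $filter

# Deny every address that is not explicitly listed.
Set-WebConfigurationProperty -PSPath $appPath -Filter $filter -Name 'allowUnlisted' -Value $false

# Admit the handheld subnet.
Add-WebConfigurationProperty -PSPath $appPath -Filter $filter -Name '.' -Value @{
    ipAddress  = $handheldNet
    subnetMask = $handheldMask
    allowed    = $true
}

# Show the resulting entries and the default action for verification.
Get-WebConfigurationProperty -PSPath $appPath -Filter $filter -Name 'allowUnlisted'
Get-WebConfiguration -PSPath $appPath -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Clients outside the listed subnet receive HTTP 403 from IIS before the web service code runs, which is the behaviour the dialog in the answer configures by hand.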