We're looking to use Application Gateway as a frontend\proxy for a website we host onsite. The website has a public IP but we'd like to restrict access to the site to only traffic coming from the Application Gateway. Is there a way to determine what IP the traffic would be coming from as it exits Azure? Is it like other Azure traffic where it could come from any IP subnet they have assigned to that specific region? I haven't seen this question asked and it's not directly referenced in any of MS documentation that I can find.
Thanks!
Not sure why you want to restrict access to the site to only traffic coming from the Application Gateway because if you configure it and add the website in the backend of Application Gateway. The traffic from a client will always reach the website through the Application gateway as the Application Gateway works as an application proxy by accepting traffic and based on rules that are defined with it, routes the traffic to the appropriate back-end instances.
You may want to know to restrict access on the application gateway subnet via NSG. Then the inbound or outbound traffic in the Application Gateway subnet will be filtered via NSG.
Network Security Groups (NSGs) are supported on the application
gateway subnet with the following restrictions:
Exceptions must be put in for incoming traffic on ports 65503-65534
for the Application Gateway v1 SKU and ports 65200 - 65535 for the v2
SKU. This port-range is required for Azure infrastructure
communication. They are protected (locked down) by Azure certificates.
Without proper certificates, external entities, including the
customers of those gateways, will not be able to initiate any changes
on those endpoints.
Outbound internet connectivity can't be blocked.
Traffic from the AzureLoadBalancer tag must be allowed.
Hope this will help, let me know if you have any other concerns.
Update
If you just want to whitelist the Azure service on the firewall, you can read the Azure Datacenter IP Ranges. You can figure out which datacenters your service are located in then narrow down the IP ranges.
Related
I have a both a multi and single site Application Gateway with a Web App backend pool. Settings at the backend pool point to port 80 (http).
I am using a personal domain of example: www.mydomain.club and using either web host or DNS. When I enter www.mydomain.club into the browser, it resolves to https://mywebapp.azurewebsites.net:80 in the browser bar, with error message on page indicating that I cannot reach the site.
It seems like the DNS/host recognizes the domain resolving required, but tries push for port 443 (https), but indicates there is a port 80, while returning the web app address (even though I'm going through the application gate). If I restrict access the web app, I get a 401 error.
I have tried:
CNAME pointing to the DNS name for Application Gateway IP - mydns.eastus.cloudapp.azure.com
A recording using both # and WWW pointing to the Gateway IP.
Overriding the host name in the backend settings.
• As seen from the URL, i.e., ‘https://mywebapp.azurewebsites.net:80’, the Azure webapp website points to ‘HTTPS’ port 443 but you might have configured the webapp’s website incorrectly in the backend pool for ‘HTTP’ port 80. Due to which when you are trying to access the ‘www.mydomain.club’ domain name over the internet, it is redirecting you to the ‘https://mywebapp.azurewebsites.net:80’ URL as you have configured it so in the application gateway’s backend pool.
Thus, would suggest you to please reconfigure the ‘https://mywebapp.azurewebsites.net:80’ to only ‘https://mywebapp.azurewebsites.net’ in the application gateway’s backend pool. This will ensure that the website ‘www.mydomain.club’ is redirected correctly to the above said website only and the pages hosted in that webapp will be displayed correctly.
• Secondly, please do ensure that you have created an ‘A’ host record for ‘www’ in the public DNS zone for ‘mydomain.club’ domain which will ensure that the website is hosted on a publicly available IP address and domain name. Also, since you want the website domain name, i.e., ‘www.mydomain.club’ to be redirected to the application gateway URI/FQDN, i.e., ‘xyz.eastus.cloudapp.net’, then create a CNAME record for ‘www.mydomain.club’ address with the alias as ‘xyz.eastus.cloudapp.net’. This will ensure that when trying to access the domain name ‘www.mydomain.club’, it will be redirected to the application gateway’s URL and will be displaying the backend site web page accordingly as defined in the routing rules and the listener rules.
This will ensure that, you will not encounter 401 error when accessing the website DNS, i.e., ‘www.mydomain.club’ and it opens correctly.
Please find the below documentation link for more details: -
https://learn.microsoft.com/en-us/answers/questions/379193/application-gateway-with-a-custom-domain-name.html
Greeetings,
I have the following setup
Application Gateway -- Private Endpoints -- App Services
The application gateway is in its own resource group along with the virtual network in the 1.0.0.0 subnet.
The private endpoints and app services have a resource group per resource. So for me that would be 5 Services plus the main group with the AG.
I created all elements via the Portal.
After setting up the backend pool (for starters just for one service) and using the basic settings on all the elements (listeners, rules) I wanted to connect to the gateway public ip or dns name, however all I receive is a timeout, without any hint whatsoever in the monitoring as to what could cause the problem.
The application gateway does not even register a request.
Does anyone know what could be the cause of this? Could the Public IP be faulty for some reason? I even tried disabling the private endpoint on one of the services for debugging purposes but to no avail, seems like that is not the cause.
Any help is appreciated :)
Connection Timeout means that one or more than one server could not
complete your request within some period and does not receive a timely
response from another one that works as a gateway or proxy i.e; did
not complete within alloted time.
Initially try to reload the page in different browser or even on different devices.Clean the site from spam and cookies.
Please check if any of the below possible causes:
(main cause)REQUEST TIMEOUT : The number of seconds that
the application gateway will wait to receive a response from the
backend pool before it returns a “connection timed out” error
message.
When a user request is received, the application gateway applies the
configured rules to the request and routes it to a back-end pool
instance. It waits for a configurable interval of time for a response
from the back-end instance. By default, this interval is 20 seconds.
Solution: Reference >> Try Setting request-timeout :Application Gateway allows you to configure this setting via the
BackendHttpSetting,
Ex:
New-AzApplicationGatewayBackendHttpSettings -Name 'Setting01' -Port 80 -Protocol Http -CookieBasedAffinity Enabled -RequestTimeout 60
Also see App gateway
-troubleshoot-app-service-redirection-app-service-url.
NOTE: If your connections are getting dropped at less than the request
time out seconds set, then we need to find which connection is
trigged. And may need to Contact azure support
In addition to server timeouts, there are other causes
See if it due to default health check probe:like 1) Back-end VMs or
instances of virtual machine scale set are not responding to the
default health probe. 2) Invalid or improper configuration of custom
health probes. 3) Azure Application Gateway's back-end pool is not
configured or empty.
Troubleshoot problems-with-default-health-probe and custom healtH probe : Application gateway automatically configures a
default health probe using properties of the BackendHttpSetting but
Custom health probes allow additional flexibility to the default
probing behavior where you can configure the probe interval, the URL, the path to test, and how many failed responses to accept
before marking the back-end pool instance as unhealthy.
Also check the app service time outs : see appgw-timeouts and app
service time out setting
Other causes to check
Slow server, Problems with the firewall,network connection
If NSG, UDR or Custom DNS blocking access to backend pool members.
If VMs or instances in virtual machine scale set are healthy.
For those : Check the logs and DNS records and try by disabling the proxy or temporarily disabling the CDN
References:
Azure application gateway throws 502 when application sends 401 -
Stack Overflow
Azure Application Gateway error 502 when using application gateway
-Stack Overflow
I tried to use the NEDNSProxyManager to redirect the dns to my own server but failed to do that.
It should be able to do that as based on Apple Documentation
A DNS proxy allows your app to intercept all DNS traffic generated on a device. You can use this capability to provide services like DNS traffic encryption, typically by redirecting DNS traffic to your own server. You usually do this in the context of managed devices, such as those owned by a school or an enterprise.
Any help is much appreciated.
I am using google compute engine instances for a B2B customers, I am developing a feature that would allow customers to use their own smtp servers to send emails built via my application. However, the 3 classic SMTP server ports are blocked by Google (https://cloud.google.com/compute/docs/tutorials/sending-mail/).
I would like to find the most maintanable way to still access those SMTP servers.
The tech stack is Ruby On Rails / ActionMailer.
Any idea is welcome.
I assume your application is running inside the GCP. Thus, my thought is that you can configure your application to send emails via Google trusted third parties listed on this article, then your customers should be able to relay their SMTP traffic using 25, 465 or 587 port to your application and send out emails. This is feasible if all servers are running on the same project or connected through Cloud VPN, Shared VPC or VPC Network Peering.
I'm developing a web service that needs to connect to another web service and register a web service endpoint that notifications can be sent to.
e.g. Server A sends a registration request to Server B, containing the URL on which notifications will be sent (HTTP PUT).
If Server A (the development server) was on a public IP, all would be well, but at the moment its on my development laptop which is connected to the internet via a Wifi router which connects to Personal Hotspot on my iPhone. This is actually the most useful internet connection I have available most of the time. Neither the router nor Personal Hotspot (AFAIK) allow port forwarding or DMZ.
For development purposes I would like the notifications to come through to the service under development on my laptop. I can specify a static IP address when registering with the third-party web service, and a specific port number if needed.
My only thought was to use a VPN connection from the laptop to the internet, therefore masking the existence of the inbound route.
The VPN would therefore need to allow inbound packets through to the server. I've looked at the VPN service by VPNUK.info who I currently use, and they have both a dynamic IP and static IP version of their product, and the static version seems to suggest that inbound is possible.
Can anyone suggest how or if this would work? Any specific setup instructions? I presume once the VPN is established, and requests to the VPN Static IP address will be handled by the server on the development laptop (which is the device starting the VPN connection).
The development laptop is a Macbook running OS X Yosemite.
The web server is built using Node.js and Express.
I ended up signing up with VPN UK for a dedicated static IP VPN service. This gives a single publicly accessible IP address to the VPN connection.
Once the Macbook establishes the VPN, any requests to that IP address are routed to the Macbook as requested, so it doesn't matter where its located or the type/complexity of the internet connection.