
I have a few problems regarding Azure Network Security Groups. Currently I'm using Azure App Services to publish my website, and in Azure App Services the network side is controlled by an NSG, such as inbound and outbound security and other things.

I'm working with the Sage Pay payment gateway. They asked me to do the following steps in order to make my Sage Pay integration succeed.

Please ensure that all of the following IP addresses are allowed
within your Server or Firewall:

For outbound traffic to our gateway:

195.170.169.9 – live.sagepay.com
195.170.169.8 – test.sagepay.com

For inbound traffic you only need to whitelist IPs if you are
The IPs from which we call back are:

195.170.169.14
195.170.169.18
195.170.169.15

The Subnet mask used by Sage Pay is 255.255.255.000

Please ensure that your firewalls allow outbound Port 443 (HTTPS
only!) and inbound Ports 443 (and optionally 80 HTTP) access in
order to communicate with our servers (on Simulator/Test/Live).

In my Network Security Group,

I just added an inbound rule for ports 80 and 443 and whitelisted the IPs 195.170.169.0/24, and did the same thing in my outbound rule.

But how am I supposed to check whether these things are working or not? Because my website still cannot get a response from the Sage Pay side (the notification URL is also correct according to the Sage Pay support team).

TDM
  • You say you're hosted in App Service, but then you mention NSG rules. NSG rules don't apply to App Service since that doesn't sit in a Virtual Network. Can you clarify? – evilSnobu Aug 06 '16 at 17:11
  • Yes, I'm hosting my website in App Services. When we create an app service, we can create a resource group also, so we can create an NSG for that resource group, so I think NSG rules apply to app services in the same resource group also. If you want more details I can post an image also. Without this NSG, how am I supposed to give inbound rules and outbound rules in App Services? Can you please help me to solve this? – TDM Aug 06 '16 at 17:30
  • That's incorrect. A resource group is just a logical wrapper. If you create a NSG and place it in a resource group it is not applied to anything. You have to explicitly do that (i.e. VM > Network Interface Card > apply NSG). NSGs do not apply to App Service (which is a PaaS offering and does not sit in a Virtual Network). – evilSnobu Aug 06 '16 at 17:39
  • For App Service you control ingress with `<ipSecurity>` in `web.config`: https://www.stokia.com/support/misc/web-config-ip-address-restriction.aspx. Since App Service only exposes public endpoints you can only list public IP space in `<ipSecurity>`. Look at App Service Environment if you need more control -- https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-control-inbound-traffic/ – evilSnobu Aug 06 '16 at 17:46
  • @evilSnobu what do you mean by ingress? Does it mean inbound and outbound IP address? – TDM Aug 06 '16 at 18:05
  • ingress == inbound. You can't filter outbound traffic in App Service. It's "permit any any". – evilSnobu Aug 06 '16 at 18:18
  • Thanks @evilSnobu. I tried to control my ingress in web.config, but that doesn't work. – TDM Aug 06 '16 at 18:45
  • (Actually I'm new to Azure and web development, but I'm trying to learn these things quickly.) – TDM Aug 06 '16 at 18:45
  • Make sure you have the right value for ``. It does work so double check your configuration. – evilSnobu Aug 06 '16 at 18:51
  • Yes, I did double check. (My inbound traffic IPs you can check in my main question.) I tried a few ways, but actually allowUnlisted should always be true, otherwise after I publish my website I also cannot connect. But in ipAddress it is also allowed="true". That doesn't make any sense. Did I do anything wrong? – TDM Aug 06 '16 at 19:12

1 Answer

UPDATE (July 2020):

There's now a more elegant approach, use the built-in feature in App Service - https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-access-restriction-rules-in-the-portal

IP restrictions

My answer below is now deprecated.


Here's the answer for your follow up question in the comments.

<system.webServer>
    <security>
       <!-- this line denies everybody, except those listed below -->
       <ipSecurity allowUnlisted="false">
           <!-- remove all upstream restrictions -->
           <clear/>
           <!-- allow this network -->
           <add ipAddress="195.170.169.0" subnetMask="255.255.255.0" allowed="true" />
       </ipSecurity>
    </security>
...
</system.webServer>

Expected result (when coming from a public IP address outside the allowed network):

$ curl -i http://{sitename}.azurewebsites.net/

HTTP/1.1 403 Forbidden
Content-Length: 58
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sat, 06 Aug 2016 19:46:04 GMT

You do not have permission to view this directory or page.
evilSnobu
  • I did it that way but that doesn't work. Why should I block my Sage Pay inbound IP addresses (195.170.169.0)? I need to allow them to access. I don't think this process can be done using web.config ipSecurity. – TDM Aug 07 '16 at 06:04
  • I should have paid more attention to your initial question. Just switch the statements around. See my edited answer. – evilSnobu Aug 07 '16 at 06:13
  • It's ok @evilSnobu. Actually, if I do it like this then after publishing I also cannot access it - "You do not have permission to view this directory or page." because allowUnlisted="false". – TDM Aug 07 '16 at 06:27
  • Are you sure you're coming in from 195.170.169.0/24? I've just tested that snippet and it works as expected. – evilSnobu Aug 07 '16 at 07:14
  • Actually it's not my IP range, that's the Sage Pay IP range. How did you test that? Are there any specific tools to do that? Actually Sage Pay (the payment gateway) needs us to do this. "For outbound traffic to our gateway: 195.170.169.9 – live.sagepay.com 195.170.169.8 – test.sagepay.com For inbound traffic you only need to whitelist IPs if you are The IPs from which we call back are: 195.170.169.14 195.170.169.18 195.170.169.15" So that's why I used this range for Sage Pay, 195.170.169.0/24. Actually I need to allow those IPs inbound and outbound. – TDM Aug 07 '16 at 07:32
  • No need to whitelist anything since by default there's no IP restriction enabled in Azure App Service. Everything should just work as it is (without `<ipSecurity>` in). `<ipSecurity>`'s purpose is to RESTRICT access. – evilSnobu Aug 07 '16 at 08:16
  • Actually I have to do it in my NSG according to your link https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-control-inbound-traffic/ but that's a little bit hard, lots of things to do. – TDM Aug 07 '16 at 14:48
  • App Service Environment is a very different service from App Service. You can do NSGs in ASE because you deploy that inside your Virtual Network. However your problem at hand is most probably code level rather than a port/host/IP restriction. I'd dig deeper into what your request to sagepay looks like and what comes back. – evilSnobu Aug 07 '16 at 15:31
  • Actually the code level is already done. In the transaction I can connect with the Sage Pay page, so the payment part is done on the Sage Pay level. I need to send my transaction data only, but with my transaction data I need to send the response URL, because after Sage Pay finishes their payment side they send the response to me (payment succeeded or not). But in my case I cannot catch that response, although I can connect to Sage Pay and send my transaction data. – TDM Aug 07 '16 at 15:56
  • I need to do the following part to get success from that: "For inbound traffic you only need to whitelist IPs if you are The IPs from which we call back are: 195.170.169.14 195.170.169.18 195.170.169.15". Two days ago I got a mail from Sage Pay; I'll add part of that message here: "The transaction log is not normally this long, I believe this is due to a problem connecting to your notification URL and you can see that we keep on trying. The below excerpt shows that we are comming back from the bank to tell you we have the money but we are not connecting to your notification URL." – TDM Aug 07 '16 at 15:57
  • So in order to do this I have to add a VNet also... Actually in Azure they have it part by part, and I don't know what to do sometimes, because I just create a new app service, after that I just add a new VNet, and there is also a separate NSG. I need to combine those things. – TDM Aug 07 '16 at 16:00
  • My coding part is done, I can confirm it because I'm doing the Sage Pay MVC integration. This is that solution: http://www.jeremyskinner.co.uk/2009/09/27/using-sagepay-with-asp-net-mvc/ I did communicate with Jeremy also. There is nothing to do at the coding level; he also checked my coding part and that's ok. The problem is the firewall part, and App Services doesn't have a firewall. – TDM Aug 07 '16 at 16:04
  • What is your notification URL? – evilSnobu Aug 07 '16 at 16:32
  • https://ubttimestravel.azurewebsites.net/PaymentResponse/Notify Actually this URL is generated separately. In my web.config I need to define these things, but this one is ok: this URL is generated successfully and sent to Sage Pay, and they confirm it with their log messages. But the problem is they cannot access it. – TDM Aug 07 '16 at 17:03
  • What's the error they get when they try to call your notification URL? Because this one http://ubttimestravel.azurewebsites.net/PaymentResponse returns HTTP 500 Internal Server Error. Maybe I don't have the right parameters to call it? Also, if I can call it and get a 500, why can't they? – evilSnobu Aug 07 '16 at 18:03
  • Yes, it has parameters, sorry I didn't mention it. Actually at that point I don't get any response from them; I checked it with Fiddler also. Error message: "Server error 5006: Unable to redirect to Vendor's web site. The Vendor failed to provide a RedirectionURL." This is my error. There can be 2 reasons for this error: 1 - wrong notification URL, 2 - a firewall block. Actually that response comes inside my server, I mean with the relevant parameters they send it to my controller/action and then my page navigates. Actually I've been stuck with this part for 4 days. – TDM Aug 07 '16 at 18:19
  • My website is hosted in Azure App Services. Let's say my site name is SiteA; it has the resource group RG-SiteA, so I can add an NSG to that RG, let's say SiteA-NSG. If I give my IP to the NSG outbound and deny access, then the result should be that I cannot access my website, but I can. I think you might understand the problem. I assume that the NSG doesn't work without a VNet and ASE; the same resource group doesn't matter, it doesn't work without a VNet and ASE. This page clarifies that situation: https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-control-inbound-traffic/ – TDM Aug 07 '16 at 18:25
  • The problem you're having is not NSG or Firewall related since none of that exists in App Service. Get the full error message + stack trace from Sagepay and start your troubleshooting there. – evilSnobu Aug 07 '16 at 18:41
  • Actually I did that. They also asked me to check my firewall or server settings, but you gave me a good point: if we can access it, then why can't they? That's a good point. With the correct parameters we can access it, so they should also be able to do that. I'll add the stack trace in 3 parts; I cannot add it in 1 comment because it's too long. – TDM Aug 07 '16 at 19:16
  • You should probably remove those last 3 comments since they seem to contain lots of sensitive information. Definitely go back to Sagepay and try to fix this together, not much you can do here on SO about this. – evilSnobu Aug 07 '16 at 19:25
  • Thanks for the help. Yes, I did remove that, but right now I'm using their test portal, so that's ok. I did everything to fix this; Sage Pay is saying it's my firewall or server issue. Yes, of course I need to communicate with Sage Pay and solve this together. Thanks again. I tried to move this discussion to the chat, but I don't have enough reputation to do it, sorry for that. If I solve this I'll post it here. Thanks again. – TDM Aug 07 '16 at 19:32
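The answer's `<ipSecurity>` snippet and the comments that follow it turn on two points that are easy to check offline: with `allowUnlisted="false"` every client outside the listed network (including the site owner's own browser) gets the 403, and `195.170.169.0` with mask `255.255.255.0` admits the whole /24, not just the three callback addresses Sage Pay lists. The following Python script is an added example, not code from the original post or from Sage Pay; it parses a `web.config` fragment, models the IIS `ipSecurity` decision (first matching `<add>` wins, otherwise `allowUnlisted`; that ordering is this example's assumption), and compares the answer's /24 rule with a tighter variant that lists only the three callback IPs as /32 entries. Both config fragments are constructed here for the demonstration.

```python
"""Offline check of IIS <ipSecurity> rules against the Sage Pay callback IPs.

Added example (not from the original Q&A). It evaluates which client IPs an
<ipSecurity> section admits, so the effect of allowUnlisted="false" and of the
subnet mask can be seen without publishing anything to App Service.
"""
import ipaddress
import xml.etree.ElementTree as ET

# The three inbound callback addresses quoted from Sage Pay in the question.
SAGEPAY_CALLBACK_IPS = ["195.170.169.14", "195.170.169.18", "195.170.169.15"]

# Constructed fragment: the rule from the answer (whole /24 allowed, everyone else denied).
WEB_CONFIG_BROAD = """<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="195.170.169.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>"""

# Constructed tighter variant: only the three callback IPs, one /32 entry each.
WEB_CONFIG_TIGHT = """<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="195.170.169.14" subnetMask="255.255.255.255" allowed="true" />
        <add ipAddress="195.170.169.18" subnetMask="255.255.255.255" allowed="true" />
        <add ipAddress="195.170.169.15" subnetMask="255.255.255.255" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>"""


def parse_ip_security(xml_text):
    """Return (allow_unlisted, [(IPv4Network, allowed), ...]) from a web.config string."""
    root = ET.fromstring(xml_text)
    sec = root.find("./system.webServer/security/ipSecurity")
    if sec is None:
        # No <ipSecurity> section: IIS/App Service default is to allow everyone.
        return True, []
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in sec.findall("add"):
        ip = add.get("ipAddress")
        mask = add.get("subnetMask", "255.255.255.255")   # single host if no mask given
        allowed = add.get("allowed", "true").lower() == "true"
        rules.append((ipaddress.IPv4Network((ip, mask), strict=False), allowed))
    return allow_unlisted, rules


def is_allowed(config, client_ip):
    """Decide a client IP: first matching <add> entry wins, else allowUnlisted (assumed order)."""
    allow_unlisted, rules = config
    addr = ipaddress.IPv4Address(client_ip)
    for net, allowed in rules:
        if addr in net:
            return allowed
    return allow_unlisted


def check_callbacks(config, callback_ips=SAGEPAY_CALLBACK_IPS):
    """Map each Sage Pay callback IP to whether the config lets it reach the notification URL."""
    return {ip: is_allowed(config, ip) for ip in callback_ips}


def surplus_allowed(config, callback_ips=SAGEPAY_CALLBACK_IPS):
    """Count addresses admitted by allow rules that are not callback IPs (0 = least privilege)."""
    _, rules = config
    admitted = set()
    for net, allowed in rules:
        if allowed:
            admitted.update(net)          # iterating a network yields every address in it
    needed = {ipaddress.IPv4Address(ip) for ip in callback_ips}
    return len(admitted - needed)


if __name__ == "__main__":
    for name, text in (("broad /24", WEB_CONFIG_BROAD), ("tight /32s", WEB_CONFIG_TIGHT)):
        cfg = parse_ip_security(text)
        print(name, check_callbacks(cfg),
              "surplus:", surplus_allowed(cfg),
              "owner from 203.0.113.7 allowed:", is_allowed(cfg, "203.0.113.7"))
```

Both fragments admit all three callback addresses, so neither explains a blocked notification URL; the difference is that the /24 also admits 253 other addresses, while the /32 variant admits none. Either way `allowUnlisted="false"` denies any client not listed, which is exactly the 403 the questioner saw from their own machine, so if the goal is only to receive Sage Pay callbacks, omitting `<ipSecurity>` altogether (App Service's default) is the simplest correct configuration, as the answerer notes.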