
In the webserver logs (using az cli) I can see GET requests with the user agent AlwaysOn and the IP address 10.0.128.25.

Can this IP address be reliably used for setting an allow IP restriction?

This IP address isn't documented in https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-addresses, which seems to cover discovering public IP addresses, so I'm wary of using it.

In the logs I also see IPv6 ::1 indicating localhost, so I'd guess 10.0.128.25 is also the localhost?

2018-08-30 10:48:19 EXAMPLESITE GET / X-ARR-LOG-ID=ExampleLogId 80 - ::1 AlwaysOn ARRAffinity=ExampleArrAffinityId - EXAMPLESITE.azurewebsites.net 200 0 0 2942 695 108
2018-08-30 10:48:54 ~1EXAMPLESITE GET / - 80 - 10.0.128.25 AlwaysOn - - examplesite.azurewebsites.net 200 0 64 0 457 46463

I've tried using the app service console and the Kudu PowerShell console to see if it's the IP address of the instance, but I'm unable to discover more, as neither ipconfig nor Get-NetIPAddress appears to work in the sandbox.

I'd guess 127.0.0.1 wouldn't work, even if it were the same machine, as IIS is interpreting it as another IP?

On the two app service plans I've tried it on so far, it's the same IP.

Alex KeySmith
  • Can you show your log? and do you want to confirm if this IP 10.0.128.25 can be set for an allow IP restriction? – Nancy Aug 31 '18 at 03:19
  • Thanks @NancyXiong-MSFT I've added my logs with the site name redacted. I'm not sure what the ~ represents in the logs. Interestingly the IPv6 request has arr affinity details, whereas IPv4 doesn't. I understand from the logs that 10.0.128.25 is the AlwaysOn http request, but what I'm hoping to learn is the internal implementation, what is 10.0.128.25 and is it static? – Alex KeySmith Aug 31 '18 at 07:55

1 Answer


There are two sites for each App Service Web App: one is your normal WebApp and the second is the SCM site (where Kudu runs). Each gets a ping, which is why you see two (the ~1 name is the SCM site).

All Azure Web Apps (as well as Mobile App/Services, WebJobs and Functions) run in a secure environment called a sandbox. Each app runs inside its own sandbox, isolating its execution from other instances on the same machine as well as providing an additional degree of security and privacy which would otherwise not be available.

Yes, connection attempts to local addresses (e.g. localhost, 127.0.0.1) and the machine's own IP will fail, except if another process in the same sandbox has created a listening socket on the destination port. Rejected connection attempts, such as the following example which attempts to connect to 127.0.0.1:80 from .NET, will result in the following exception: Exception Details: System.Net.Sockets.SocketException: An attempt was made to access a socket in a way forbidden by its access permissions 127.0.0.1:80. Applications cannot connect to private IP addresses. Instances can move around; you may check out this discussion thread which talks about dealing with internal IP addresses: https://social.msdn.microsoft.com/Forums/sqlserver/en-US/182f3673-18fc-4ade-90bf-22111f566f85/need-internal-ip-address-of-nodes-withing-a-web-app?forum=windowsazurewebsitespreview

AjayKumar
  • Thanks Ajay, that explains nicely what the ~ is and also why only one of the requests has the affinity cookies. I'm familiar with the sandbox for functions on a consumption plan but forgot it applied to App Service Plans in general even on non-shared tiers. Your networking explanation helps thanks, but I'm looking to understand the incoming traffic from 10.0.128.25 not traffic I have created myself. – Alex KeySmith Sep 04 '18 at 08:19
  • Yes, it's from the localhost. – AjayKumar Sep 07 '18 at 09:57
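An added example, not from the question, the answer, or any Azure tooling: a small Python parser for the log lines quoted in the question that separates AlwaysOn pings (including the ~1 SCM site ping the answer explains) from real client traffic, so an allow list is built from the clients actually observed rather than from the undocumented internal address. It assumes the 19-column, space-separated layout of the quoted lines and adds one constructed external request.

```python
"""Classify Azure App Service http log lines: AlwaysOn pings vs. real clients."""
from collections import defaultdict

# Field order as it appears in the log lines quoted in the question (assumption:
# the App Service http log keeps this 19-column, space-separated layout).
FIELDS = ("date time s_sitename cs_method cs_uri_stem cs_uri_query s_port "
          "cs_username c_ip cs_user_agent cs_cookie cs_referer cs_host sc_status "
          "sc_substatus sc_win32_status sc_bytes cs_bytes time_taken").split()

# Constructed sample: the two lines from the question plus one made-up external
# request (203.0.113.7 is a documentation address, not a real client).
SAMPLE_LOG = """\
2018-08-30 10:48:19 EXAMPLESITE GET / X-ARR-LOG-ID=ExampleLogId 80 - ::1 AlwaysOn ARRAffinity=ExampleArrAffinityId - EXAMPLESITE.azurewebsites.net 200 0 0 2942 695 108
2018-08-30 10:48:54 ~1EXAMPLESITE GET / - 80 - 10.0.128.25 AlwaysOn - - examplesite.azurewebsites.net 200 0 64 0 457 46463
2018-08-30 10:49:02 EXAMPLESITE GET /api/health - 443 - 203.0.113.7 Mozilla/5.0 - - examplesite.azurewebsites.net 200 0 0 512 301 12
"""


def parse_line(line):
    """Return a dict of fields, or None if the line does not have 19 columns."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # The answer explains the ~1 prefix: it is the SCM (Kudu) site, which gets
    # its own AlwaysOn ping alongside the main site.
    rec["is_scm"] = rec["s_sitename"].startswith("~1")
    return rec


def records(log_text):
    """Parsed records for every well-formed line; malformed lines are skipped."""
    return [rec for rec in map(parse_line, log_text.splitlines()) if rec]


def alwayson_sources(log_text):
    """Map each source IP of AlwaysOn pings to the set of sites it pinged."""
    sources = defaultdict(set)
    for rec in records(log_text):
        if rec["cs_user_agent"] == "AlwaysOn":
            sources[rec["c_ip"]].add(rec["s_sitename"])
    return dict(sources)


def external_clients(log_text):
    """Sorted source IPs of non-AlwaysOn requests: what an allow list must cover."""
    return sorted({rec["c_ip"] for rec in records(log_text)
                   if rec["cs_user_agent"] != "AlwaysOn"})


if __name__ == "__main__":
    print(alwayson_sources(SAMPLE_LOG))  # {'::1': {'EXAMPLESITE'}, '10.0.128.25': {'~1EXAMPLESITE'}}
    print(external_clients(SAMPLE_LOG))  # ['203.0.113.7']
```

Run it against a real export of the http logs to see whether the AlwaysOn source addresses stay constant across instances before relying on any of them in a restriction rule.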