
I have an ILB ASE v2 with WAF (public IP). The ASE has its subnet where all web apps reside. For obvious security reasons I think I need to lock down access from Internet and leave only HTTPS open. But when I do that I can't see app services info in the portal. So what should my NSG look like for this subnet?

Also, WAF has its own subnet. It doesn't have NSG assigned either. Should it have one?

AlexB
  • What's the specific error message? Do you follow [this blog](https://sabbour.me/how-to-run-an-app-service-behind-a-waf-enabled-application-gateway/) to set up ILB ASE+WAF? You want to `leave only HTTPS open.` How do you configure this for HTTPS? Is it an HTTPS listener? – Nancy Apr 01 '19 at 06:27
  • No message, the portal just can't load anything related to those app services. No, I follow official docs. Let me try something unofficial now... Yes, the listener is HTTPS only. So are the app services. – AlexB Apr 01 '19 at 15:03
  • OK, I read that blog post. It's for newbies. Not relevant to my question. – AlexB Apr 01 '19 at 15:12
  • The app GW subnet and ASE subnet should be in the same VNet. Any error message when you access the web app via app GW? What's the backend health in the app GW portal? Check if [this](https://learn.microsoft.com/en-us/azure/application-gateway/create-gateway-internal-load-balancer-app-service-environment) helps. – Nancy Apr 02 '19 at 06:20
  • They are in the same subnet obviously. I'm trying to restrict access by using NSG, so I thought I'd add NSG to ASE subnet. But adding it blocks the portal from getting information about apps. And my question is HOW would you restrict access to the apps that are inside ASE (like HTTPS only)? – AlexB Apr 02 '19 at 16:25
  • If you want to restrict the app with HTTPS in ASE, you could add rules like this: `rule name: inbound-https 443 source (ASE subnet address range); rule name outbound-443 443 destination (ASE subnet address range)`, as in this link: https://learn.microsoft.com/en-us/azure/app-service/environment/network-info#network-security-groups – Nancy Apr 03 '19 at 02:44
  • Please read my question again. This is exactly what I did! – AlexB Apr 03 '19 at 14:35
  • `but adding it blocks the portal from getting information about apps`: if you mean the Kudu site, you can directly access it via the Kudu site URL instead of from the portal. Any other specific worries? Check here: https://learn.microsoft.com/en-us/azure/app-service/environment/network-info#portal-dependencies – Nancy Apr 03 '19 at 23:40
  • NO, not Kudu! Look, let someone else who actually knows this stuff answer the question. – AlexB Apr 04 '19 at 10:41
  • alvipeo, can you please reach out to us at azcommunity@microsoft.com with your subscription ID and the URL of this post? We would like to work closer with you on this matter. – Bryan Trach-MSFT Apr 13 '19 at 03:11
  • Sent yesterday. – AlexB Apr 16 '19 at 15:18
  • Sent just now. – AlexB Apr 19 '19 at 14:51

2 Answers


When you add an NSG to the App Service subnet with Deny All Internet traffic, it blocks the portal from fetching information from the App Service. Try adding an NSG rule with greater priority, with the source IP set to the Azure Cloud tag, and allow it.

So you are blocking all Internet traffic and allowing Azure IPs for communication.

Let me know if it works.

msrini-MSIT
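The rule-order point this answer makes, shown as an added illustration (not part of the post or of Azure's own tooling): a small Python model of NSG inbound rule matching. It assumes, as the answer does, that the portal's management traffic falls under the `AzureCloud` service tag, and it reduces service-tag matching to simple set membership; the default rule names and priorities are Azure's real ones.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first ("higher priority" in NSG terms)
    source: str     # service tag: Internet, AzureCloud, VirtualNetwork, or "*" for any
    access: str     # "Allow" or "Deny"


# Azure's built-in inbound default rules (real names and priorities).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "Deny"),
]


def evaluate(custom_rules, source_tags):
    """Return (access, rule_name): the first matching rule by ascending
    priority decides the flow. source_tags is the set of service tags the
    packet's source belongs to. Azure-owned public IP space (the AzureCloud
    tag) is also inside the Internet tag, which is why a bare 'deny Internet'
    rule also cuts off the portal's management traffic."""
    for r in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.source == "*" or r.source in source_tags:
            return r.access, r.name
    raise AssertionError("DenyAllInBound matches every flow")


# Constructed flows (simplified tagging): a client on the public Internet,
# portal/management traffic from Azure public IP space, and the WAF/App
# Gateway subnet that sits in the same VNet as the ASE.
INTERNET_CLIENT = {"Internet"}
PORTAL = {"Internet", "AzureCloud"}
WAF_SUBNET = {"VirtualNetwork"}

# What the question describes: deny Internet and nothing else.
ASKER_RULES = [Rule("deny-internet", 100, "Internet", "Deny")]
# What the answer proposes: allow the AzureCloud tag *before* the deny.
ANSWER_RULES = [Rule("allow-azurecloud", 100, "AzureCloud", "Allow"),
                Rule("deny-internet", 200, "Internet", "Deny")]
# Same two rules with the deny numbered lower: the allow is never reached.
MISORDERED_RULES = [Rule("deny-internet", 100, "Internet", "Deny"),
                    Rule("allow-azurecloud", 200, "AzureCloud", "Allow")]

if __name__ == "__main__":
    for label, rules in [("asker", ASKER_RULES), ("answer", ANSWER_RULES),
                         ("misordered", MISORDERED_RULES)]:
        for who, tags in [("internet", INTERNET_CLIENT), ("portal", PORTAL),
                          ("waf", WAF_SUBNET)]:
            print(f"{label:10s} {who:9s} -> {evaluate(rules, tags)}")
```

Running it shows the asker's rule set denying the portal flow while the WAF subnet is still admitted by the default `AllowVnetInBound`; only the answer's ordering lets the `AzureCloud` flow through while the plain Internet client stays denied.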

Here's the resulting rule set for the ASE subnet NSG:

[Screenshot of the NSG rule set; image not preserved.]

You might want to add HTTP to it if you need it.

AlexB