
We have an Azure web app behind the Azure Application Gateway. Network restriction has been enabled at the web app level (only the application gateway can access the web app). Incoming traffic comes through Traffic Manager, but when the web app responds, it communicates directly with third-party services. It does not go through the application gateway.

Is there any way to force the web app outbound traffic to go through an application gateway?

Thanks

Sakaldeep Yadav

3 Answers

Azure App Services use different outbound and inbound interfaces.

For firewalls, as the article says:

You can't know beforehand which IP address a given app instance will use to make the outbound connection, so your back-end service must open its firewall to all the outbound IP addresses of your app.

https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips

So, I do not think that is possible.

Ivan Ignatiev
  • Just for information, there is a UserVoice for it, so you can add your use case as feedback for the product: https://feedback.azure.com/forums/169385-web-apps/suggestions/16790656-add-static-ip-address-for-outbound-traffic-without#{toggle_previous_statuses} – Ivan Ignatiev Feb 13 '20 at 15:42
  • Can you please explain a bit more 'Azure App Services use different outbound and inbound interfaces'? I didn't find this statement in any MS doc. Thanks. – Sakaldeep Yadav Feb 14 '20 at 11:19
  • @sakaldeep Yadav, please read the article at the link I have put in the answer. If WebApp inbound and outbound IPs are different, it means that it does not use the same network interface for inbound and outbound traffic. – Ivan Ignatiev Feb 15 '20 at 13:42
  • Is there any solution for this? Not ASE, as it has a very long scale-out time. Thanks – Sakaldeep Yadav Feb 19 '20 at 15:45
  • @SakaldeepYadav From my experience I do not see any solution for now. There is a VNet integration feature in progress. The current feature Preview version does not allow applying a Routing Table to the WebApp subnet to reroute the outbound traffic; maybe it will be changed in the GA version. – Ivan Ignatiev Feb 19 '20 at 15:52
  • Thanks for this. There are many e-commerce companies using the web app and I am wondering how they deal with this issue. How does their application communicate with third-party services like the payment system in case of an outbound IP change? Do they white-list it manually every time the IP gets changed? – Sakaldeep Yadav Feb 20 '20 at 10:02
  • @SakaldeepYadav please, read the article, there is a fixed number of possible IP addresses for a WebApp: https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#find-outbound-ips , those IPs change only in case of vertical scaling (pricing tier change). From my personal experience, it is very hard to deal with IP authentication in any cloud, so you need a strong authentication method on any third-party service. In the worst case, you can deploy a VM and proxify the needed outbound traffic programmatically. – Ivan Ignatiev Feb 20 '20 at 10:13
  • @SakaldeepYadav I also recommend looking at the Zero Trust concept, which is the principal approach for cloud services: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture – Ivan Ignatiev Feb 21 '20 at 16:29
  • @Ivan Ignatiev Can you please share some resources on this: "In the worst case, you can deploy a VM and proxify needed outbound traffic programmatically". – Sakaldeep Yadav Mar 03 '20 at 09:39

I got a workaround solution for this issue using Azure NAT Gateway. Please refer to the link below for details. https://sakaldeep.com.np/1159/azure-nat-gateway-and-web-app-vnet-integration-to-get-static-outbound-ip

Sakaldeep Yadav
  • Hi Sakaldeep Yadav! Could you please share details on your solution? How did you define the UDRs? I was not aware of your question, and I have just concluded that this is not possible in my own post https://stackoverflow.com/questions/64182662/static-ip-for-azure-app-service-using-vnet-integration/64646844#64646844. Hope I'm not correct :) – magnarwium Nov 03 '20 at 07:27
As of last week, this is now supported with Azure NAT Gateway. https://azure.github.io/AppService/2020/11/15/web-app-nat-gateway.html

magnarwium
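The NAT Gateway approach named in the two answers above, written out as an added Azure CLI script (example code, not from the question, either answer, or the posts they link): it creates a static public IP and a NAT gateway, binds the gateway to the App Service integration subnet, then enables regional VNet integration with the WEBSITE_VNET_ROUTE_ALL=1 app setting (the route-all switch of that era) so that internet-bound calls to third-party services also leave through the gateway. Every resource name is a placeholder; the resource group, the VNet and an empty subnet reserved for integration are assumed to exist, and the app is assumed to be on a plan that supports regional VNet integration. By default the script only prints the commands it would run (DRY_RUN=1); set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not code from the question, the answers, or the linked posts):
# give an App Service one static egress IP by sending its outbound traffic
# through an Azure NAT Gateway via regional VNet integration.
# All resource names are placeholders; the resource group, the VNet and an
# empty subnet reserved for integration are assumed to exist already.
set -eu

RG="${RG:-rg-placeholder}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-placeholder}"
SUBNET="${SUBNET:-snet-appsvc-egress}"
APP="${APP:-webapp-placeholder}"
NATGW="${NATGW:-natgw-placeholder}"
PIP="${PIP:-pip-natgw-placeholder}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# In dry-run mode print the command that would run; otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# 1. A Standard-SKU static public IP. This single address is what third
#    parties see, so it is the only IP that has to be on their allow lists.
create_public_ip() {
  run az network public-ip create --resource-group "$RG" --name "$PIP" \
    --location "$LOCATION" --sku Standard --allocation-method Static
}

# 2. The NAT gateway that owns that IP.
create_nat_gateway() {
  run az network nat gateway create --resource-group "$RG" --name "$NATGW" \
    --location "$LOCATION" --public-ip-addresses "$PIP" --idle-timeout 10
}

# 3. Bind the gateway to the integration subnet: every outbound flow leaving
#    that subnet is now SNATed to the gateway's public IP.
attach_to_subnet() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --nat-gateway "$NATGW"
}

# 4. Integrate the app with that subnet and force ALL outbound traffic into the
#    VNet. Without WEBSITE_VNET_ROUTE_ALL=1 only private-range destinations use
#    the integration; internet-bound calls (the third-party services in the
#    question) would keep leaving from the platform's shared outbound IPs.
integrate_webapp() {
  run az webapp vnet-integration add --resource-group "$RG" --name "$APP" \
    --vnet "$VNET" --subnet "$SUBNET"
  run az webapp config appsettings set --resource-group "$RG" --name "$APP" \
    --settings WEBSITE_VNET_ROUTE_ALL=1
}

# 5. Read back the platform's own outbound IP list. It is not updated to show
#    the NAT gateway address, so do not use it to confirm the result; verify
#    from inside the app instead (an outbound request from the Kudu console to
#    an IP-echo endpoint should report the gateway's public IP).
show_platform_outbound_ips() {
  run az webapp show --resource-group "$RG" --name "$APP" \
    --query possibleOutboundIpAddresses --output tsv
}

main() {
  create_public_ip
  create_nat_gateway
  attach_to_subnet
  integrate_webapp
  show_platform_outbound_ips
}
main
```

This gives the app a single static egress IP for third-party allow lists, which is the situation discussed in the comments on the first answer; it does not send egress through the Application Gateway itself, which that answer explains is not possible. The subnet must be used for nothing but the integration, since every workload placed in it would share the gateway's address.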