
I'm trying to serve multiple Azure App Services behind an Application Gateway. These services should only be reachable through the application gateway endpoint. To achieve this, I've done the following:

  • Added a VNet
  • Added a subnet, and added all app services to it
  • Added an application gateway with appropriate rules for pointing to the app service
  • Added access restrictions to the app service to only allow the subnet of the application gateway, and the public IP of the application gateway

The health probe of the application gateway indicates the service is healthy (and thus reachable), but when I try to make a request to the service through the gateway using Postman, I get a 403 IP forbidden error. However, when I add my local IP as an allowed IP address to the app service, the request comes through just fine.

From what I've read online, adding the public IP of the gateway should be sufficient for allowing access through the gateway, but it seems that requests from my local machine are blocked. Am I getting something fundamentally wrong here?

Edit: I also tried assigning a front-end private IP address to the gateway and adding access for that in the app service, but that also did not work.

Edit 2: My configuration (screenshots, not reproduced here):

  • Access restrictions for app service
  • Backend pool
  • HTTP settings
  • Listener
  • Rule

Dirk

1 Answer

From your description "Added a subnet, and added all app services to it", I assume you mean integrating the app with an Azure VNet or enabling the service endpoint with Microsoft.Web for the subnet. If so, you could remove them. Both are useless in this scenario.

To restrict the access through the gateway, you only need to add the frontend IP address to the Azure App Service access restrictions. For more details, you could refer to this blog https://www.cloudmanav.com/azure/restricting-appservice-accessible-via-appgateway/#

If you have an NSG associated with the subnets, you could follow the prerequisites here: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-overview#network-security-groups-on-the-application-gateway-subnet

Edit

You may have redirection configured on your app service or have Azure Active Directory authentication, which causes the redirection. So when redirection happens, the client makes the request directly to app service URL Path contoso.azurewebsites.net/xxx instead of going through the application gateway URL path contoso.com/xxx.

To fix it, you could use a custom domain name to pass the same host name that the application gateway receives to the app service as well, instead of doing a host override. Get more details about this solution here.

Nancy
  • First of all, thanks for your help. I followed your steps; removed the app service from the subnet and added only the front-end IP of the application gateway as an allowed IP. However, now the health probe fails as well. Do I need to add access for the subnet of the application gateway? I did enable "pick host name from backend settings", as I understand is required for app services – Dirk Apr 21 '20 at 11:21
  • Health probe should match the HTTP setting. What is the backend health status? – Nancy Apr 21 '20 at 11:47
  • Seemed to be a health probe setting indeed, so that is now fixed. However, the original problem is still present. My suspicion is that somehow, the actual request is not made by the gateway but is directly routed to the application service from the IP of my machine, which is the reason it is being denied – Dirk Apr 21 '20 at 12:01
  • If you remove all rules in the app service restriction, is it working through the Gateway? – Nancy Apr 21 '20 at 12:08
  • Could you show the app gateway configuration and app service restriction config? I will check it tomorrow – Nancy Apr 21 '20 at 14:12
  • Hi, many many thanks in advance. I added images of my config with some data blurred out. For some reason SO won't display it inline, but you can click the links. If you need anything more, please let me know – Dirk Apr 21 '20 at 14:38
  • The configurations look correct. Could you double confirm that the frontend public IP of the app gateway is the same IP added to the app service access restrictions? Another thing to check: could you access the backend app service with the appgw frontend public IP from your local web browser? – Nancy Apr 22 '20 at 06:54
  • Yes, the IP is 100% certainly correct. However, something strange happens; when I navigate to the appgw frontend IP, I'm redirected to the app service (URL in address bar changes to app service URL). Could this be what's causing the problem? – Dirk Apr 22 '20 at 06:58
  • Do you have a CNAME to your app gateway frontend? Or Is there any custom domain in the app service? – Nancy Apr 22 '20 at 07:02
  • Yes, I do have a CNAME to the appgw frontend. The app service does not use a custom domain – Dirk Apr 22 '20 at 07:04
  • Please check my edit, let me know if this works for you. – Nancy Apr 22 '20 at 07:43
  • Hi, @Dirk any update on this, me too having the same issue – Rishanthakumar May 30 '20 at 15:34
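The two things the answer and comment thread converge on, an access-restriction list that explicitly allows the gateway frontend IP and nothing wider, and responses that redirect the client straight to the *.azurewebsites.net host, can be checked offline. This is an added example, not code from the question or answer; the rule field names and the sample rules, IPs and response headers are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: App Service access restrictions as they would be exported.
# Field names are an assumption modelled on the portal's columns.
SAMPLE_RULES = [
    {"name": "AllowAppGw", "action": "Allow", "ip_address": "203.0.113.10/32", "priority": 100},
    {"name": "Deny all", "action": "Deny", "ip_address": "Any", "priority": 2147483647},
]

# Constructed sample: headers of a response that came back through the gateway
# after the backend (Host overridden to contoso.azurewebsites.net) issued a redirect.
SAMPLE_RESPONSE = {
    "status": 302,
    "headers": {
        "Location": "https://contoso.azurewebsites.net/login",
        "Set-Cookie": "ARRAffinity=abc; Path=/; Domain=contoso.azurewebsites.net",
        "Content-Type": "text/html",
    },
}


def check_access_restrictions(rules: List[Dict], gateway_ip: str) -> List[str]:
    """Return findings: gateway frontend IP not in any Allow rule, or Allow rules
    wider than a single address (which would let more than the gateway through)."""
    findings = []
    gw = ipaddress.ip_address(gateway_ip)
    allowed = False
    for rule in rules:
        if rule["action"] != "Allow" or rule["ip_address"] == "Any":
            continue  # only explicit Allow CIDRs matter for this check
        net = ipaddress.ip_network(rule["ip_address"], strict=False)
        if gw in net:
            allowed = True
        if net.num_addresses > 1:
            findings.append(f"rule {rule['name']} allows {net}, wider than one gateway IP")
    if not allowed:
        findings.append(f"gateway frontend IP {gateway_ip} is not in any Allow rule")
    return findings


def find_backend_leaks(response: Dict, backend_host: str) -> List[str]:
    """Return the names of response headers that point the client at the backend
    host name instead of the gateway's host, i.e. the redirect the answer describes."""
    return [name for name, value in response["headers"].items()
            if backend_host.lower() in value.lower()]
```

If `find_backend_leaks` reports `Location` or `Set-Cookie`, the client's next request goes to the App Service directly and is rejected by the access restrictions, which matches the 403 seen from Postman.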