How to web app service networking restriction bet. group of web apps

Kuldeep Singh(OT) 20

Hi Team, am facing one issue where am unable to restrict incoming traffic to web app.

infrastructure i have

we have 6 web app

frontend-webapp1, frontend-webapp2, frontend-webapp3

backend-webapp1, backend-webapp2, backend-webapp3

Problem statement -

frontend-web app1 should communicate with backend-webapp1, but it when it try to communicate with other backend--app2 and 3 they should deny the request/traffic.

same traffic flow i want for other apps.

but am not able to achieve -

i have tried

inbound restriction rule

vnet integration and apply nsg on it, but its not working,

if i try endpoint - it is giving 403 ip forbidden error as from fronted request is coming.

any possible solution via involing any components or any feature of app service.

VenkateshDodda-MSFT 19,606 Reputation points Microsoft Employee

2024-05-15T08:58:04.9966667+00:00

@Kuldeep Singh(OT) Thanks for reaching out to Micrsoft Q&A, apologize for any inconvenience caused on this.

This would need one on one offline support, for deeper investigations and might need to engage product team as well and I will suggest you to open a support ticket.

If you are facing any issue while raising the support case I have reached out to your private message please help us with the requested information to check and assist you further.

3 answers

chad.carlton@gmail.com 0 Reputation points

2024-05-02T16:46:51.5833333+00:00

Enabling vnet integration and private endpoint does not remove the public/global dns entry. it only puts up a FW (causing the 403) for that name/IP address. This means that without additional things, your references to the app will use the public IP and be blocked.

You will need to make a private dns zone for the endpoint for your web app with the private IP address (the endpoint). You should name the zone "privatelink.azurewebsites.net", and add your apps and their private ips. You will also need to make sure that private dns zone is linked to the vnet that is calling your app and overrides the public dns entry for your web app.

what is in front of your web apps? we have a similar setup, but have an Azure AppGW in front , with a listener for of our web apps, and our webapps are 100% private, i.e. the Azure AppGW has a front end public IP, and also sits tis backend in our private vnet space. It accepts traffic off the internet via the public IP, matches it via listeners, and request routing rules, and then forwards on the traffic to the appropriate backend pools using the private Ip addresses.

These backend pools are our web apps, using private endpoints.

We have a private DNSZone that is linked to the appgw Vnet, where our App services are listed, with their private ip addresses.

Anywhere we want to reference the web apps, because they are 100% private we either need to use the public listener name and public IP with no private dns link (and go through the appgw), or have a link to that private dns zone which allows us to reference the apps privately.

We try to encourage only using the front end public IP, as that gives us a single place to manage configuration/monitor etc. but your needs might be different.
Please sign in to rate this answer.
Kuldeep Singh(OT) 20 Reputation points

2024-05-02T17:09:11.85+00:00

ok which application stack is your frontend and backend.

we are using angular in frontend and .net in backend,

in frontend we have appgw and in its backend pool we have these react angular apps which only accept traffic from ip from app gw,

and then api is hosting .net web app, traffic from frontend angular app to backend app flow via endpoint of backend app and we have created private dns zone as you mentioned, but backend api is throwing error 403 ip forbidden, frontend is not throwing any error.

chad.carlton@gmail.com 0 Reputation points

2024-05-02T20:16:25.98+00:00

do you have the following?

private dns zone

with angular app name listed with angular app vnet integration ingress IP listed

with .net app name listed with .net app vnet integration ingress IP listed.

The private dns zone needs to be vnet linked with the vnet the appgw is in AND the vnet the angular app is in.

Where something is calling your app (and you need to use the private endpoint IP) you will need to have the private dns zone linked to that source vnet.

Kuldeep Singh(OT) 20 Reputation points

2024-05-03T04:14:27.1766667+00:00

vnet is same and integrated.

chad.carlton@gmail.com 0 Reputation points

2024-05-03T14:00:37.3066667+00:00

I have this setup in a lab subscription,

1 vnet with 3 subnets

Subnet 1 for appgw PE

Subnet 2 for app svc PE (ingress into azure private app svc dmz environment)

Subnet 3 for app Svc egress on to private vnet (delegated to server farm)

each subnet has appropriate NSG's on it for its purpose.

appgw has front end (public IP assigned to it).

appgw has listener setup with a public DNS record pointing at the appgw public IP

Appgw has backend pool setup with the FQDN of the app service (xxx.azurewebsites.net)

private dns zone made with app svc name and app svc PE is linked to the vnet

Requests go through the Appgw, to the app service.

Directly trying to reference the app service name (xxx.azurewebsites.net) results in a blocked message.

Now if you want to have a second app svc, I would do that as 2 more subnets

1 subnet (subnet 4) for app svc PE (ingress on to the App svc)

1 subnet (subnet 5) for app svc egress on onto your vnet (delegated to serverfarm)

1 app service with vnet integration configured (subnet - 5 egress), and a PE (subnet 4).

1 private dns zone entry in the appservice private dns zone with this new app service name and PE IP

and then in your 1st appservice jsut make an HTTPS (webservice call) to the second app service. the 1st app service will do a DNS lookup (that will use the private dns zone linked), get the PE private IP of the second app service, and as long as the nsg's allow it, will access the second app service.

This assumes you haven't done anything additional to the app service configuration around authentication / etc..

Kuldeep Singh(OT) 20 Reputation points

2024-05-14T04:05:26.1866667+00:00

Hi have tried all this things but them my app only work when am in vpn, outside vpn it is not working.
Sign in to comment
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

How to web app service networking restriction bet. group of web apps

3 answers