How to access azure spring app in a private vnet through IP instead of FQDN

Kevin 0

I am having trouble understanding what I need to do with my system. I have a java spring boot service hosted on azure spring app. It is deployed to a private vnet. I was able to link a private dns, create a dns record and assign the FQDN with the given IP. I was able to access it through a jump box on the same vnet. Now I am trying to access this spring app service through another cloud provider by using a vpn tunnel. The issue is the vpn tunnel requires an IP to be passed through. How do I access my spring app service using an IP which is reachable through the vpn tunnel? Or is there a way to configure my other cloud provider to call Azure using the private FQDN.

Silvia Wibowo 3,011 Reputation points Microsoft Employee

2024-04-03T05:42:07.8533333+00:00
Hi @Kevin , please clarify:

From your jump box on the same vnet, can you access your java spring app using IP address?

From your other cloud provider using VPN tunnel, can you access your java spring app using IP address?

There are different areas of your issue:

FQDN is usually used for SSL certificate (if you use HTTPS),

IP address can work if routing is set correctly,

an entry in local hosts file (/etc/hosts if Linux, or C:\Windows\System32\drivers\etc\Hosts if Windows) may be an easy workaround rather than setting up Private DNS between different clouds.
Kevin 0 Reputation points

2024-04-03T17:00:51.8166667+00:00
From your jump box on the same vnet, can you access your java spring app using IP address? No, I am unable to. It returns a
<center><h1>404 Not Found</h1></center> <hr><center>nginx</center>

From your other cloud provider using VPN tunnel, can you access your java spring app using IP address? No. However, I am able to access a service that we hosted on a VM (same jump box as mentioned above) which is in the same VNET.
Silvia Wibowo 3,011 Reputation points Microsoft Employee

2024-04-03T20:55:51.7+00:00

Hi @Kevin , if your other cloud can access jump box, then your network setup with VPN is working fine. I'd suggest that you troubleshoot application configuration - would it be possible to provide HTTP endpoint instead of HTTPS? Once your jump box can access java spring app using IP address, then try accessing java spring app from other cloud.

Another item to try is to set an entry in local hosts file (/etc/hosts if Linux, or C:\Windows\System32\drivers\etc\Hosts if Windows) to map local domain name to the private IP address.
Kevin 0 Reputation points

2024-04-03T21:04:36.42+00:00

How do i create an HTTP endpoint, by default when I click on "assign endpoint" within azure spring apps, it is assigning an endpoint with: https://{service-name}.private.azuremicroservices.io

Also, how do I create an entry in local hosts file if the VM is managed by azure spring apps?
Kevin 0 Reputation points

2024-04-03T21:07:51.9966667+00:00

How do I create an HTTP endpoint instead of HTTPS? By default, azure spring app is assigning the value of https://{servicename}.private.azuremicroservices.io when I click on "assign endpoint"

Also, how do I create an entry in local hosts file (/etc/hosts) if the VM is managed by Azure Spring Apps?
Silvia Wibowo 3,011 Reputation points Microsoft Employee

2024-04-03T22:19:51.9833333+00:00

The local entry is on the client (VM in another cloud), a line like this (adjust the name and the private IP address) inside the /etc/hosts file:

10.0.1.4 {servicename}.private.azuremicroservices.io

Once that entry is in place, try to access your java spring app from that client's browser https://{servicename}.private.azuremicroservices.io
Silvia Wibowo 3,011 Reputation points Microsoft Employee

2024-04-05T00:31:47.1266667+00:00

Hi @Kevin ,

Azure Spring Apps allow you to set a custom domain and there's a setting "Https only = Yes/No" that you can set. If you set "Https only = No", then you can access the Apps using HTTP using either private IP Address or private FQDN (if from VM in the same vNet).
Silvia Wibowo 3,011 Reputation points Microsoft Employee

2024-04-07T21:59:37.1333333+00:00
Hi @Kevin , routing is always based on IP addresses or CIDR. VPN tunnel using IP address as routing is not a valid reason on why you need to access your Spring Apps using HTTP. A domain name (FQDN or any hostname) needs to be translated/resolved to an IP address. There are 2 options you can pursue to solve your issue:

Keep using domain name, with HTTPS -> you need to figure out how to set domain name translation in the other cloud, using private DNS or local hosts file.

Troubleshoot accessing your Spring Apps using IP address, with HTTP. If you've set "HTTPS only" option as disabled, you should be able to access your Spring Apps using HTTP, either using the domain name or private IP address.

I'd suggest option #1 as much as possible, as accessing using HTTP is not recommended, as it is not secure: there is no encryption between client and server.

1 answer

KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-04-04T10:10:28.2633333+00:00
@Kevin ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to access Azure spring app via a Private EndPoint from a third party cloud connected to the VNET.

Please note,

HTTPS requires that there is a Host Name available.

So, directly accessing the Service via just the IP, such as https://10.0.1.4 will not work.

Work around stated by Silvia Wibowo ,

Is to make your source resolve {service-name}.private.azuremicroservices.io to 10.0.1.4

Now, since the source is a third party cloud provider, we cannot comment on how you may achieve this.

In case your source is a Windows VM in the third party cloud, you can follow the steps mentioned below.

If this is a Linux VM, you can search for the host file location in the respective DistrOS's forums.

If this is a PaaS Service in the third party cloud provider, please work with the cloud provider on how to change the DNS/Host configuration of this specific PaaS Service.

To edit Host files in Windows,

Press the Windows key and search for Notepad.

Once Notepad is available, right-click and select Run as administrator.

In your Notepad, Click File > Open and search for the following file: c:\Windows\System32\Drivers\etc\hosts

Add an entry *10.0.1.4 {service-name}.private.azuremicroservices.io *

Click File > Save to save your changes.

Hope this helps.

Cheers,

Kapil
Please sign in to rate this answer.
Kevin 0 Reputation points

2024-04-04T19:38:17.0533333+00:00

Got it. I will see if I can work with the cloud provider to see how we can change the DNS/Host configuration of the PaaS service.

I am still wondering how I can access the Azure Spring App service using the jump box on the same vnet by IP. I mentioned before https is automatically configured when assigning a private endpoint and when i try to access the IP directly through HTTP it throws a
<center><h1>404 Not Found</h1></center> <hr><center>nginx</center>

KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-04-05T06:34:49.97+00:00

Sure @Kevin .

May I know if there are any specific reason you would like to access the PaaS Service using IP instead of FQDN?

As a rule of thumb, this is not recommended.

We would recommend you to use FQDN while accessing any PaaS Services, even if it is integrated into a VNET (or uses a Private EndPoint)

For a VM (or any other resource connected in the VNET),

You have to make use of Private DNS Zones.

The entire process is documented step by step in : Add a DNS for the IP

Create Private DNS zone named private.azuremicroservices.io

Link is to the virtual network where the source VM resides

In the DNS Zone, Create DNS record
Name - *
Type - A
IP address - <PrivateIPAddress>

Make sure you assign a private FQDN for your Azure Spring Apps application in the virtual network

If you are still interested in using a Private IP and have a custom domain, you can follow the steps described by Silvia Wibowo and let us know how it goes.

Cheers,

Kapil

Kevin 0 Reputation points

2024-04-05T15:09:12.25+00:00

@KapilAnanth-MSFT the reason we want to access via IP is because the cloud provider we are trying to connect from through the VPN tunnel only allows routing based on IP. We are changing route rules in order to configure traffic through the VPN tunnel. There does not seem a way to configure by a domain name.

@Silvia Wibowo I already have this configured to not enable https. I am still getting the same error when I try to access the azure spring app service from the jump box on the same vnet. I tried both the vnet injection endpoint ip and also the domain without https.

KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-04-08T11:34:43.2733333+00:00

@Kevin ,

In that case, I take it that FQDN is required while accessing the Spring App, even via Private EndPoint.

@Silvia Wibowo 's observation is correct. Routing happens with IP Address and not with FQDN.

So, In an ideal situation, DNS should resolve the FQDN to IP

Post this, based on this IP, routing would take place.

Both of the steps are mutually exclusive, and while you send the HTTP request to the IP Address, the FQDN is added as Host header - which appears to be mandatory for Spring Apps to work.

As suggested, please work with the Cloud provider to configure the DNS resolution.- Can you confirm if accessing the service from the same VNET as PE works or not? (using the FQDN)

Cheers,

Kapil

Kevin 0 Reputation points

2024-04-08T15:14:33.37+00:00

Thank you all for the suggestions. Let me try to work with the cloud provider to resolve the FQDN to a an IP. Just a quick question, if DNS resolves the FQDN to an IP, how is it resolved back to a FQDN within Azure?

So just to summarize, this is the ideal network configuration flow:

VM calls FQDN (Third party cloud provider) -> FQDN resolves to the IP for azure spring app service - e.g. 10.0.1.6 (Third party cloud provider) -> Route to VPN tunnel targeting 10.0.1.6 (Third party cloud provider) -> How does IP address resolve to FQDN here? (Azure) -> FQDN resolves to IP address via private DNS (Azure) -> IP Address routes to Azure Spring App Service (Azure)

@KapilAnanth-MSFT I am able to access the service from the same VNET as PE (using FQDN)

KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-04-08T18:02:40.34+00:00

@Kevin ,

Thanks for the info.

Wrt, "how is it resolved back to a FQDN within Azure?"

Can you please elaborate

There is no requirement for a "resolved back"

To answer, "How does IP address resolve to FQDN here?"

It does not.

And it does not need to.

The connection process is as follows:

First, your source does a DNS lookup and learns the IP Address of the FQDN.
For e.g., www.fabrikam.com ----> 1.2.3.4

That concludes the DNS Part, no more resolutions.

Then a TCP Handshake is established just with the IP Address to the target.

Once this is done, we enter the HTTP/HTTPS handshake where your source sends a HTTP Host header with the value "www.fabrikam.com" (which the source knew from step1) and note that the destination is still towards an IP Address.

This HTTP Header is expected by the destination (your PaaS Service), and that's why when you try to connect directly via IP - it fails.

Hope this adds some clarity.

Cheers,

Kapil

Kevin 0 Reputation points

2024-04-10T15:47:30.07+00:00

Yes, this makes sense. Thank you so much @KapilAnanth-MSFT

KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-04-10T15:57:27.71+00:00

@Kevin ,

You are most welcome. Glad we could be of service.

I have summarized our comments and posted it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
Sign in to comment