Restrict Web App to use Azure Default domain

Rituparna Bhattacharya 20 Reputation points
2024-09-25T05:25:38.78+00:00

I have created an Azure Web App and put that behind Application Gateway & WAF V2. I have also added custom domain on the App Service.

Azure default domain - webapp.azurewebsite.net

Custom Domain - webapp.mycompany.com (This DNS mapped with Application Gateway Frontend IP).

Now I am trying to block access to Azure default domain (webapp.azurewebsite.net), but Custom Domain (webapp.mycompany.com) should work. I tried with App Service Networking access restriction and allowed only from Application gateway. But didn't work as expected (both default domain & custom domain getting blocked).

Is there anyway to block Public Access to Azure default domain only?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,779 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. ajkuma 26,136 Reputation points Microsoft Employee
    2024-09-25T11:08:04.3033333+00:00

    Rituparna Bhattacharya, To better assist you on this, what is your application framework?

    Based on my understanding of your scenario description, that you have already tried combinations of access restrictions and URL rewrite rules by modifying the web.config file to include a rewrite rule that blocks or redirects requests to the default domain and also via Application Gateway. A rule to detect if the user has accessed the website using the Azure default domain and issue a HTTP 301 or 403. Kindly confirm if this true.

    Just to clarify, firstly, App Service support HTTPS on *.azurewebsites.net domain name and the certificate is provided and owned by Azure. By default, http://yourdomain.azurewebsites.net works even with custom domain added, and the site admins aware about the URL can access, but typically end users would not access this URL directly (unless explicitly shared).

    -Kindly validate if you have similar rule:

    <conditions>
    	<add input="{HTTP_HOST}" pattern="^(domainA.azurewebsites.net|domainB.azurewebsites.net)$" />
    </conditions>
    

    This rule may not work for the website behind a Proxy, Firewall or Application Gateways because the original host value may not be passed on to the WebApp service.

    -You may consider to implement the approach to prevent Search Engines from indexing the Azure Default Domain, the key methods include configuring custom domains, using robots.txt files, and setting up appropriate DNS records. please checkout this article (by Anton Pham) for a detailed steps.

    Refer similar discussion thread answered by me.

    Kindly let us know how it goes, I'll follow-up with you further.

    0 comments No comments

  2. TP 95,221 Reputation points
    2024-09-25T12:41:57.57+00:00

    Hi,

    Since you are using Application Gateway, the common way to accomplish your goal is to create Private Endpoint for your App Service in same Virtual Network as Application Gateway. Once you have done that, adjust your backend pool config (if needed), test to make sure it still works, then set Public network access to Disabled on your app service.

    To create Private Endpoint, navigate to Networking blade of your web app and click link:

    qna app service add private endpoint networking NOTE: Above shows Public network access as Disabled, but keep in mind you don't want to set this until private endpoint is in place and verified working with your application gateway.

    qna app service add private endpoint appgw1

    qna app service add private endpoint appgw2

    With the above configuration traffic will be able to reach your web app via Application Gateway since it can connect via the Private Endpoint, but traffic from public will not since you will have it Disabled. With your frontend listener set to accept only your custom domain you've effectively blocked public access via default domain (webapp.azurewebsites.net).

    If something is unclear and/or you run into an issue please add a comment.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.