Azure website web applications and IP address whitelisting

MrFlinstone 476 Reputation points
2022-07-01T15:45:12.16+00:00

Some of my apps are not working from some customers site, I later discovered that this was because I am using the default websites for my app hosting that is the url is myapp.azurewebsites.net which was not whitelisted on the customers firewall. The customer whitelisted my website domain name and its sub domain names .i.e mywebsite.com and *.mywebsite.com are all whitelisted.

If i were to create CNAME record which has a CNAME pointer to the azure default web app for example myapp.mywebsite.com points to myapp.azurewebsites.net, will this get around the issue ? Or do I need to whitelist myapp.azurewebsites.net Or its IP address that is the IP address of myapp.azurewebsites.net ?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,524 questions
{count} votes

1 answer

Sort by: Most helpful
  1. ajkuma 20,861 Reputation points Microsoft Employee
    2022-07-08T13:29:35.077+00:00

    To benefit the community, posting an answer that we discussed on SO thread. Thanks for cooperation, MrFlinstone-1451

    Firstly, by default, apps hosted in App Service are accessible directly through the internet and can reach only internet-hosted endpoints. So, typically, anyone with the URL without any specific local network/firewall/proxy restrictions can access the WebApp URL.

    As I understand, your WebApp is open to the public and only a few users (on a specific network), have trouble accessing the site. Plus, there are no access restrictions that you have implemented from the WebApp side.

    Just to highlight,

    Network administrators often deploy proxy servers, firewalls, or other devices, which can help secure and give control over how users access the internet.
    Rules designed to protect users can sometimes block or slow down legitimate business-related internet traffic. This traffic includes communications between you and Azure over the URLs
    listed here.

    Reference : Allow the Azure portal URLs on your firewall or proxy server

    So, on case-case basis, for the affected network, you may have them add appservice.azure.com (Azure App Services) in the allowed list.

    Or

    As your customer performed – “The customer whitelisted my website domain name and its sub domain names .i.e mywebsite.com and *.mywebsite.com are all whitelisted.” have them add the URLs to allowedlist.

    Or

    Since IP address of your WebApp (see the reasons for the change), the best route would be for you to set up a custom domain for your WebApp.

    Kindly check this doc - Tutorial: Map an existing custom DNS name to Azure App Service

    The CNAME maps to the app's default hostname instead, which is less susceptible to change. | | Wildcard | *.contoso.com | CNAME record. |

    -- As a side note (as indicated above), by setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. Which is the opposite of your scenario, just sharing as FYI, in case you wish to know about access restrictions from WebApp side. Set up Azure App Service access restrictions

    Additionally -

    Deployment slots are live apps with their own host names. Custom domain names are not swapped across slots. he slot's URL will be of the format sitename-slotname.azurewebsites.net. So, typically you should add both custom domains. See this doc for additional info.

    0 comments No comments