Azure 应用程序服务在 Azure 应用程序网关后面
[英]Azure App Service behind Azure Application Gateway
问题描述
I'm trying to serve multiple Azure App Services behind an Application Gateway.
我正在尝试在应用程序网关后面提供多个 Azure 应用程序服务。 These services should only be reachable through the application gateway endpoint.这些服务应该只能通过应用程序网关端点访问。 To achieve this, I've done the following:为了实现这一点,我做了以下事情:
- Added a VNet添加了一个 VNet
- Added a subnet, and added all app services to it添加了一个子网,并向其中添加了所有应用服务
- Added an application gateway with appropriate rules for pointing to the app service添加了具有适当规则的应用程序网关以指向应用程序服务
- Added access restrictions to the app service to only allow the subnet of the application gateway, and the public IP of the application gateway增加对应用服务的访问限制,只允许应用网关的子网,以及应用网关的公共IP
The health probe of the application gateway indicates the service is healthy (and thus reachable), but when I try to make a request to the service trough the gateway using Postman, I get a 403 IP forbidden error.应用程序网关的健康探测表明服务是健康的(因此可以访问),但是当我尝试使用 Postman 通过网关向服务发出请求时,我收到403 IP forbidden错误。 However, when I add my local IP as an allowed IP address to the app service, the request comes through just fine但是,当我将本地 IP 作为允许的 IP 地址添加到应用程序服务时,请求就可以通过了
From what I've read online, adding the public IP of the gateway should be sufficient for allowing access through the gateway, but it seems that requests from my local machine are blocked.从我在网上阅读的内容来看,添加网关的公共 IP 应该足以允许通过网关进行访问,但似乎来自我本地计算机的请求被阻止了。 Am I getting something fundamentally wrong here?我在这里有什么根本错误吗?
Edit: I also tried assigning a front-end private IP address to the gateway and adding access for that in the app service, but that also did not work编辑:我还尝试将前端私有 IP 地址分配给网关并在应用程序服务中添加访问权限,但这也不起作用
Edit 2: My configuration编辑2:我的配置
Access restrictions for app service: access restrictions应用服务的访问限制:访问限制
Backend pool: Backend pool后端池:后端池
HTTP settings: HTTP settings HTTP 设置: HTTP 设置
1 个解决方案
解决方案1
0 2020-04-21 08:05:04
From your description "Added a subnet, and added all app services to it", I assume that you are meaning integrating app with Azure VNet or enable the service endpoint with Microsoft.Web for the subnet .根据您的描述“添加了一个子网,并向其中添加了所有应用程序服务”,我假设您的意思是将应用程序与 Azure VNet 集成或使用 Microsoft.Web 为子网启用服务端点。 If so, you could remove them.如果是这样,您可以删除它们。 Both are useless in this scenario.在这种情况下,两者都是无用的。
To restrict the access through the gateway, you only need to add the frontend IP address to the Azure App Service access restrictions.通过网关限制访问,只需要在Azure App Service访问限制中添加前端IP地址即可。 For more details, you could refer to this blog https://www.cloudmanav.com/azure/restricting-appservice-accessible-via-appgateway/#有关更多详细信息,您可以参考此博客https://www.cloudmanav.com/azure/restricting-appservice-accessible-via-appgateway/#
If you have NSG associated with the subnets, you could follow the prerequisites here https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview.network-security-groups-on-the-application-gateway-subnet如果您有与子网关联的 NSG,则可以遵循此处的先决条件https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview.network-security-groups-on-the-application -网关子网
Edit编辑
You may have redirection configured on your app service or have Azure Active Directory authentication, which causes the redirection.您可能在您的应用服务上配置了重定向,或者有 Azure Active Directory 身份验证,这会导致重定向。 So when redirection happens, the client makes the request directly to app service URL Path contoso.azurewebsites.net/xxx instead of going through the application gateway URL path contoso.com/xxx .因此,当发生重定向时,客户端直接向应用服务 URL 路径contoso.azurewebsites.net/xxx发出请求,而不是通过应用程序网关 URL 路径contoso.com/xxx 。
To fix it, you could use a custom domain name to pass the same host name that the application gateway receives to the app service as well, instead of doing a host override.要修复它,您可以使用自定义域名将应用程序网关接收到的相同主机名也传递给应用程序服务,而不是进行主机覆盖。 Get more details about this solution here . 在此处获取有关此解决方案的更多详细信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.