I have an Azure web app whose URL I want to restrict so that it is reachable exclusively through my application gateway. One of the options is to use "Access Restriction", but I would like to achieve this using the security group, as it will give me more freedom and customisation, since I have a lot of app services.
Using Terraform I configured the application gateway, the app gateway subnet and the app service subnet as follows:
resource "azurerm_virtual_network" "VNET" {
  address_space       = ["VNET-CIDR"]
  location            = var.location
  name                = "hri-prd-VNET"
  resource_group_name = azurerm_resource_group.app-gate.name
}

# Subnet the Application Gateway is deployed into
resource "azurerm_subnet" "app-gate" {
  name                 = "app-gateway-subnet"
  resource_group_name  = azurerm_resource_group.app-gate.name
  virtual_network_name = azurerm_virtual_network.VNET.name
  address_prefixes     = ["SUBNET-CIDR"]
}

# Subnet used for the App Service regional VNet integration (must be delegated to Microsoft.Web/serverFarms)
resource "azurerm_subnet" "app-service" {
  name                 = "app-service-subnet"
  resource_group_name  = azurerm_resource_group.app-gate.name
  virtual_network_name = azurerm_virtual_network.VNET.name
  address_prefixes     = ["APP_CIDR"]

  delegation {
    name = "app-service-delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}
while in my security group I configured the mapping as follows:
resource "azurerm_network_security_group" "app-service-sg" {
  location            = var.app-service-loc
  name                = "app-service-sg"
  resource_group_name = azurerm_resource_group.app-service.name

  security_rule {
    access                       = "Allow"
    direction                    = "Inbound"
    name                         = "application_gateway_access"
    priority                     = 100
    protocol                     = "Tcp"
    destination_port_range       = "80"
    source_port_range            = "*"
    source_address_prefixes      = ["app-gate-CIDR"]
    destination_address_prefixes = ["app-service-CIDR"]
  }
}

resource "azurerm_subnet_network_security_group_association" "app-service-assoc" {
  network_security_group_id = azurerm_network_security_group.app-service-sg.id
  subnet_id                 = azurerm_subnet.app-service.id
}
The configuration runs without any issue in Terraform, but when I hit the web app URL directly I am still able to access it.
What am I doing wrong at this stage? I would like to be able to reach the web app URL only through my application gateway.
Thank you so much for any help, guys.
You have only created networks and security groups. You need to use Application Gateway integration with service endpoints.
Additionally, you will need some further configuration. Here is a diagram of how your solution should look:
https://docs.microsoft.com/en-us/azure/app-service/networking/app-gateway-with-service-endpoints
Create the App Service with Terraform and add IP restrictions: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ip_restriction
resource "azurerm_app_service_plan" "example" {
  name                = "example-app-service-plan"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  site_config {
    # Service-endpoint based access restriction: only requests arriving from the
    # Application Gateway subnet are allowed. Once any ip_restriction is defined,
    # every other source is denied implicitly.
    ip_restriction {
      virtual_network_subnet_id = azurerm_subnet.app-gate.id
    }
  }
}
Link the App Service to your network:
resource "azurerm_app_service_virtual_network_swift_connection" "example" {
  app_service_id = azurerm_app_service.example.id
  subnet_id      = azurerm_subnet.app-service.id
}
Create the access restriction using service endpoints: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#set-a-service-endpoint-based-rule
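The following is an added, self-contained example (not code from the question or the answer above) that puts the answer's steps together in one Terraform configuration. It shows why the NSG approach in the question cannot work: an NSG on the App Service regional VNet integration subnet only filters the app's outbound traffic, so inbound requests to the app's public hostname never pass through it. The restriction therefore has to live on the App Service itself, as an access restriction matched against the Application Gateway subnet through the Microsoft.Web service endpoint. Resource names, CIDRs, the location and the provider version pin are placeholders chosen for this example; the Application Gateway resource itself (deployed into the app-gate subnet, with the app's hostname as its backend) is assumed to already exist and is not shown.

```hcl
# Added example: lock an App Service down to its Application Gateway subnet.
# All names, CIDRs and the location below are illustrative placeholders.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.99"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-appgw-webapp-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  address_space       = ["10.10.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Application Gateway subnet. The Microsoft.Web service endpoint is what lets
# App Service identify traffic as coming from this subnet; without it, a
# virtual_network_subnet_id access restriction never matches.
resource "azurerm_subnet" "app-gate" {
  name                 = "snet-appgw"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.1.0/24"]
  service_endpoints    = ["Microsoft.Web"]
}

# Regional VNet integration subnet for the App Service. An NSG attached here
# governs only the app's outbound traffic, so it cannot restrict who reaches
# the app's public hostname.
resource "azurerm_subnet" "app-service" {
  name                 = "snet-appservice"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.2.0/24"]

  delegation {
    name = "app-service-delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_app_service_plan" "example" {
  name                = "asp-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "example" {
  name                = "app-example-locked-down"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = true

  site_config {
    # Service-endpoint rule: only requests arriving through the Application
    # Gateway subnet match. Defining any ip_restriction enables an implicit
    # deny for every other source, so no separate "deny all" rule is needed.
    ip_restriction {
      name                      = "allow-appgw-subnet"
      priority                  = 100
      action                    = "Allow"
      virtual_network_subnet_id = azurerm_subnet.app-gate.id
    }

    # Apply the same restriction to the Kudu/SCM site, which otherwise stays
    # reachable from the internet on <app>.scm.azurewebsites.net.
    scm_use_main_ip_restriction = true
  }
}

resource "azurerm_app_service_virtual_network_swift_connection" "example" {
  app_service_id = azurerm_app_service.example.id
  subnet_id      = azurerm_subnet.app-service.id
}
```

After `terraform apply`, a direct request to the app's `*.azurewebsites.net` hostname returns HTTP 403 from the App Service front end, while the same request sent to the Application Gateway's frontend IP succeeds, provided the gateway's backend HTTP setting sends the app's hostname as the Host header (hostname override or "pick host name from backend address"). Because the restriction lives on the App Service, the NSG from the question is not needed for this purpose; it remains useful only for controlling what the app itself is allowed to reach outbound through the integration subnet.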