
Azure webapp security group access

I have an Azure web app for which I want to restrict access to its URL and allow access exclusively through my application gateway. One of the options is to use "Access Restriction", but I would like to achieve this using a security group, as it will give me more freedom and customisation since I have a lot of app services.

Using Terraform I configured the application gateway, the app gateway subnet and the app service gateway as follows:

resource "azurerm_virtual_network" "VNET" {
  address_space       = ["VNET-CIDR"] # placeholder for the VNet address range
  location            = var.location
  name                = "hri-prd-VNET"
  resource_group_name = azurerm_resource_group.app-gate.name # same resource group the subnets below reference
}

# Subnet for the Application Gateway
resource "azurerm_subnet" "app-gate" {
  name                 = "app-gateway-subnet"
  resource_group_name  = azurerm_resource_group.app-gate.name
  virtual_network_name = azurerm_virtual_network.VNET.name
  address_prefixes     = ["SUBNET-CIDR"] # placeholder
}

# Subnet delegated to App Service for regional VNet integration
resource "azurerm_subnet" "app-service" {
  name                 = "app-service-subnet"
  resource_group_name  = azurerm_resource_group.app-gate.name
  virtual_network_name = azurerm_virtual_network.VNET.name # the VNet resource above is named "VNET"
  address_prefixes     = ["APP_CIDR"] # placeholder
  delegation {
    name = "app-service-delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

while in my security group I configured the mapping as follows:

resource "azurerm_network_security_group" "app-service-sg" {
  location            = var.app-service-loc
  name                = "app-service-sg"
  resource_group_name = azurerm_resource_group.app-service.name

  # Allow TCP/80 from the application gateway subnet into the app service subnet
  security_rule {
    access                       = "Allow"
    direction                    = "Inbound"
    name                         = "application_gateway_access"
    priority                     = 100
    protocol                     = "Tcp"
    destination_port_range       = "80"
    source_port_range            = "*"
    source_address_prefixes      = ["app-gate-CIDR"]    # placeholder
    destination_address_prefixes = ["app-service-CIDR"] # placeholder
  }
}


resource "azurerm_subnet_network_security_group_association" "app-service-assoc" {
  network_security_group_id = azurerm_network_security_group.app-service-sg.id
  subnet_id                 = azurerm_subnet.app-service.id
}

The configuration runs without any issue with Terraform, but when I hit the web app URL directly I am able to access it.

What am I doing wrong at this stage? I would like to be able to reach the web app URL only through my application gateway.

Thank you so much for any help guys

You have just created networks and security groups. You need to use Application Gateway integration with service endpoints.

Additionally, you will need to make further configuration. Here is a diagram of how your solution should look:

https://docs.microsoft.com/en-us/azure/app-service/networking/app-gateway-with-service-endpoints

Create the App Service using Terraform code and add IP restrictions. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ip_restriction

resource "azurerm_app_service_plan" "example" {
  name                = "example-app-service-plan"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  site_config {
    # ip_address must be in CIDR notation; "0.0.0.0/0" is only a placeholder
    # (it allows everything), so replace it with the range that should be
    # allowed, or with the service-endpoint-based rule from the last step
    ip_restriction {
      ip_address = "0.0.0.0/0"
    }
  }
}

Link the App Service to your network:

# Regional VNet integration: gives the app outbound access into the delegated subnet
resource "azurerm_app_service_virtual_network_swift_connection" "example" {
  app_service_id = azurerm_app_service.example.id
  subnet_id      = azurerm_subnet.app-service.id
}

Create the access restriction using service endpoints. https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#set-a-service-endpoint-based-rule
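The service-endpoint-based rule that the last step refers to, written out in Terraform as an added example (it is not code from either post). It reuses the `app-gate` subnet and the `example` app service resources from above, and assumes the `azurerm_resource_group.app-gate` and `azurerm_resource_group.example` resources exist:

```hcl
# Added example, not from the original posts. Assumes the resource names
# azurerm_subnet.app-gate and azurerm_app_service.example used above.

# 1. The Application Gateway subnet must expose the Microsoft.Web service
#    endpoint so the App Service front end can recognise traffic from it.
resource "azurerm_subnet" "app-gate" {
  name                 = "app-gateway-subnet"
  resource_group_name  = azurerm_resource_group.app-gate.name
  virtual_network_name = azurerm_virtual_network.VNET.name
  address_prefixes     = ["SUBNET-CIDR"] # placeholder from the question
  service_endpoints    = ["Microsoft.Web"]
}

# 2. The restriction lives on the App Service itself, not on an NSG.
#    Regional VNet integration (the delegated subnet) only governs the app's
#    outbound traffic, so an NSG on that subnet never sees inbound requests;
#    that is why the question's setup still answered on the public URL.
resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  site_config {
    # Allow only requests arriving through the gateway subnet. Once any
    # ip_restriction is present, every other source is denied by default.
    ip_restriction {
      name                      = "allow-app-gateway"
      priority                  = 100
      action                    = "Allow"
      virtual_network_subnet_id = azurerm_subnet.app-gate.id
    }
    # Apply the same rules to the SCM (Kudu) site so it is not left open.
    scm_use_main_ip_restriction = true
  }
}
```

The swift connection shown in the answer is only needed for the app's outbound access into the VNet; it does not restrict inbound traffic, which is what the `ip_restriction` above does.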
