Azure APP GW infront of API Manager (without VNET) - azure-api-management

Anyone know of a guide on how to put APP GW in front of APIM? It should be possible, but I can't figure out how (or I'm not sure how to set up APP GW).
thx

I have exactly this same issue, and it seems there is no way to put an APP GW in front of an exposed APIM, which is pretty annoying.
The only way I found is to put APIM in an internal VNET: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

Yes, you can actually forward traffic from Application Gateway to API Management with the VNET configuration set to 'None':
Add your listener as normal.
Add your backend pool with the default FQDN (xxx.azure-api.net) of the API Management instance.
Add a health probe pointing to xxx.azure-api.net/status-0123456789abcdef.
Add an HTTPS backend setting with a backend authentication certificate, 'Use for App service' set to 'yes', and the aforementioned custom probe.
Add a rule combining all the above with a path-based rule containing just '/'.
This is all you need.
To expose the management and developer portal through Application Gateway you need all of the above, but the health probes should point to xxx.portal.azure-api.net/signin and xxx.management.azure-api.net/ServiceStatus respectively.
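The same steps done with the Az PowerShell module, as an added example that is not code from the answer above. Assumed placeholders: resource group rg-edge, gateway agw-edge (v2 SKU), APIM service name contoso, and one existing HTTPS listener per hostname (lst-api, lst-portal, lst-mgmt) already bound to the gateway's frontend.

```powershell
# Added example: APIM (VNET type None) behind Application Gateway via Az PowerShell.
# Names below are placeholders; the probe paths are the ones given in the answer.
$rg   = 'rg-edge'
$apim = 'contoso'
$agw  = Get-AzApplicationGateway -Name 'agw-edge' -ResourceGroupName $rg

function Add-ApimBackend {
    param([string]$Tag, [string]$Fqdn, [string]$ProbePath, [string]$Listener, [int]$Priority)

    # Backend pool addressed by FQDN: APIM's public IP is not something to pin.
    Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $agw `
        -Name "pool-$Tag" -BackendFqdns $Fqdn | Out-Null
    $pool = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $agw -Name "pool-$Tag"

    # Custom probe. PickHostNameFromBackendHttpSettings makes the probe send the
    # backend FQDN as Host, which APIM needs in order to answer the status URL.
    Add-AzApplicationGatewayProbeConfig -ApplicationGateway $agw -Name "probe-$Tag" `
        -Protocol Https -Path $ProbePath -Interval 30 -Timeout 30 -UnhealthyThreshold 3 `
        -PickHostNameFromBackendHttpSettings | Out-Null
    $probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $agw -Name "probe-$Tag"

    # HTTPS setting. PickHostNameFromBackendAddress is the portal's "Use for App
    # service": Host header and SNI come from the pool FQDN, so APIM's own
    # *.azure-api.net certificate validates (v2 trusts its well-known CA; on v1
    # that certificate is uploaded with -AuthenticationCertificates instead).
    Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $agw -Name "bhs-$Tag" `
        -Port 443 -Protocol Https -CookieBasedAffinity Disabled `
        -PickHostNameFromBackendAddress -Probe $probe | Out-Null
    $bhs = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $agw -Name "bhs-$Tag"

    # Path-based rule with one catch-all path ('/*' is the answer's "just a '/'").
    $pathRule = New-AzApplicationGatewayPathRuleConfig -Name "path-$Tag" -Paths '/*' `
        -BackendAddressPool $pool -BackendHttpSettings $bhs
    Add-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $agw -Name "map-$Tag" `
        -PathRules $pathRule -DefaultBackendAddressPool $pool -DefaultBackendHttpSettings $bhs | Out-Null
    $map = Get-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $agw -Name "map-$Tag"
    $lst = Get-AzApplicationGatewayHttpListener -ApplicationGateway $agw -Name $Listener
    Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $agw -Name "rule-$Tag" `
        -RuleType PathBasedRouting -HttpListener $lst -UrlPathMap $map -Priority $Priority | Out-Null
}

# Gateway, developer portal and management endpoints, each with its own probe path.
Add-ApimBackend -Tag api    -Fqdn "$apim.azure-api.net"            -ProbePath '/status-0123456789abcdef' -Listener lst-api    -Priority 100
Add-ApimBackend -Tag portal -Fqdn "$apim.portal.azure-api.net"     -ProbePath '/signin'                  -Listener lst-portal -Priority 110
Add-ApimBackend -Tag mgmt   -Fqdn "$apim.management.azure-api.net" -ProbePath '/ServiceStatus'           -Listener lst-mgmt   -Priority 120

# Nothing is applied until the modified gateway object is written back.
Set-AzApplicationGateway -ApplicationGateway $agw | Out-Null
```

After the write-back, check the backend health blade (or Get-AzApplicationGatewayBackendHealth) before cutting DNS over; a probe that returns unhealthy here almost always means the Host header is not being picked from the backend address.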

Related

Functions triggered by Eventhub

We have an existing solution where an Event Hub ingests real-time event data from a source. We are using a SAS key for authentication and authorization. For additional security we have whitelisted the IPs of the source on the Event Hub. We also have a Databricks instance within a VNET reading from this Event Hub. The VNET has been whitelisted on the Event Hub as well.
We now have a new requirement to read off the Event Hub using Azure Functions. The problem is that since we have enabled IP whitelisting on the Event Hub, we need to whitelist the IPs of the functions as well, and we can't figure out which inbound IPs to whitelist on the Event Hub.
The documentation says that the inbound IPs remain mostly the same but can change for the Consumption plan, which is what we intend to use.
Does that mean the only other solution is that we need to whitelist the entire Azure region where our functions are hosted using the list in the link Azure service IPs?
Any other suggestions what we can try?
Does that mean the only other solution is that we need to whitelist the entire Azure region where our functions are hosted? Any other suggestions what we can try?
Yes, if you don't know the outbound IP address of the Azure Function app, please add the region's IPs to the whitelist. You can get those here.
More realistic option: you can put your function app in an Azure VNET and let the VNET access the Event Hub. However, this requires an App Service Plan or Premium Consumption Plan function.

Use Custom Domain for Openshift 3.9 Routes

I am completely new to networking and setting up domains. But recently I bought a domain (xyz-demos.com) and I want to use it as the domain for my Openshift app routes. I did not find any proper guide on how to do it.
In Openshift I have 3 apps running with routes as,
appname-namespace.serverIP.nip.io
app1-namespace1.35.55.55.555.nip.io
app2-namespace2.35.55.55.555.nip.io
app3-namespace3.35.55.55.555.nip.io
Any other app deployed in the future will just append its name:
appName-namespace.serverIP.nip.io
How do I map my custom domain so that all my Openshift apps use it? Something like, how do I replace
35.55.55.555.nip.io with xyz-demos.com, giving
appname-namespace.xyz-demos.com
app1-namespace1.xyz-demos.com
app2-namespace2.xyz-demos.com
app3-namespace3.xyz-demos.com
I am using a domain from GoDaddy and Openshift Origin 3.9.
Note: the reason I am going with custom domains is that *.nip.io domains are restricted in my office network as Dynamic DNS, and I do not know a way around it.
This is the kind of configuration you need to do at cluster creation time. I mean, in the inventory file for your cluster creation you need to configure the following fields:
openshift_master_cluster_hostname=ocp.xyz-demos.com
openshift_master_cluster_public_hostname=ocp.xyz-demos.com
openshift_master_default_subdomain=xyz-demos.com
Don't forget to configure the certs for your domain:
openshift_master_overwrite_named_certificates=True
openshift_master_named_certificates=[{"certfile": "/etc/ansible/certs/xyz-demos.com.crt", "keyfile": "/etc/ansible/certs/xyz-demos.com.key", "cafile": "/etc/ansible/certs/ca-xyz-demos.com.crt"}]
And force the routers to add this new subdomain to new Routes:
openshift_hosted_router_force_subdomain=xyz-demos.com
Those fields are responsible for exposing your admin console and application routes.

How to set up three app services for the same domain on Azure

Presently I have two app services on Azure:
An Angular 7 application - mydomainUI.azurewebsites.net
A .NET Core web API - mydomainAPI.azurewebsites.net
I also have two DNS records on GoDaddy:
An A record to the Azure IP address, and a
TXT record '#' to mydomainUI.azurewebsites.net
Angular makes the API calls to the Azure domain. Everything works fine, but the home page load takes too long with all the Angular overhead. I would like to add a third app service: a fast-loading MVC application that handles the home page ONLY. It would be something like mydomainPUBLIC.azurewebsites.net. All other requests should be handled by the Angular routing of the UI app service. The browser should only show mydomain.com for everything and not the Azure domains.
Can this be done without subdomains? What DNS record(s) would I have to add on GoDaddy? Any other considerations?
Thank you in advance
I don't think you can route to different web app services with the same domain unless you use subdomains. However, if you consider using path-based URLs to access your different web apps, here are two options for you.
You can place multiple web apps in the same web app service with different Azure virtual directories. See here1 and here2. Then set the custom domains in your current web app service.
You could use Azure Application Gateway to route to multiple web app services based on the URL path. URL path-based routing allows you to route traffic to back-end server pools based on the URL paths of the request.
You could follow this to configure App Service with Application Gateway. You need to:
Create three backend pools and place each app service in a separate backend pool.
Create three HTTP settings and custom probes with the "Pick Hostname" switches enabled (check the Use App Service check box).
Create a basic backend listener and a path-based routing rule. Refer to this tutorial.
If you face any questions, please let me know.

Whitelist IBM Cloud function location

Hi, does anyone know what I can use to whitelist IBM Cloud Functions locations? I wrote a function that makes REST API calls to a server, but the server needs to whitelist incoming requests. E.g. if I select "US South" as the location for my IBM Cloud function, what IP/domain/hostname etc. does that appear as, so I can whitelist it?
Thank you.
I recommend having a look at IBM Cloud's Statica service, which allows you to access restricted resources behind firewalls and whitelisted services using a static IP, regardless of where your app is running or the number of instances.
https://console.bluemix.net/catalog/services/statica
Does this help?

How feasible/difficult is it to run an application that runs on a router?

In my example, I want to build an application that sends users who join a network some kind of interface and manages this at a central station (possibly the router, or a central server). The new user's input to this interface will be sent back to the central station and controlled.
How plausible is this? Is sending something to a newly discovered IP realistic?
As long as you control the DNS server, you can send them to any web server you like.
Completely plausible, but you'll need a router with open-source firmware, you'll need to program in the language of that source code, and you'll need the toolchain to build the binary for the firmware.
The only thing I can think of is NoCatAuth and friends. The user has to use their web browser, but most are accustomed to that.
Are you trying to FORCE the users to use your application (e.g. by selling these routers via an ISP), or are you expecting users to co-operate (e.g. inside an organisation's WAN)?
If the latter, it may be sufficient to set the DHCP server inside the router to serve the address of an HTTP proxy. That will get picked up by most OSes/browsers. The proxy can then be used to control web traffic: which pages they can see, and which ones are redirected to your own web app.
If the user is considered an adversary, it would be trivial for them to override the proxy settings. In a LAN/WAN situation, you need to make sure nothing is connecting them to the outside world, except through the proxy.