Home / server / Questions / 1046384
In Process
skrl
Asked: 2020-12-17 01:16:12 +0800 CST

Connect public web app with private web app

  • 772

I have 3 Azure webapps that need to be able to connect with each other.

One running the FE website - that needs to be accessed from the outside.

The other two i just running services that the FE site uses. There is no need for these to be open for public access and I would therefore like to restrict this.

What is the best way to restrict public acces to the two webapps, but still allow public acces to the FE site?

networking azure azure-web-apps

1 Answers

  1. To have the web app restricted to public access you should either deploy it in Azure vlan that has no public access and has a firewall between public and private Azure or just restrict the access on web server level. The latter doesn't prevent you from Internet attacks while firewall does.

    As the simplest solution you can restrict your web app on web server level wither by IP or by authentication.

    Restrict access by IP

    A possible option is to restrict access to your application by IP addresses. The IP addresses can be added as a allowed IP address within the web.config of your application. All other IP addresses will get a 403 Forbidden response from Azure.

    <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear />
           <add ipAddress="83.116.19.53"/>   <!-- block one IP  -->
           <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!--block network 83.116.119.0 to 83.116.119.255-->
      </ipSecurity>
    </security>
</system.webServer>

    Restrict access for specific Users

    Another option is to restrict access by enabling Authentication on the web application. This can be done for several Authentication Providers like: Azure Active Directory, Google, Facebook, Twitter and Microsoft. The below steps will help you with the configuration of Azure Active Directory as a authentication provider.

    1. In the Azure Portal navigate to the blade of the web application.
    2. Click on “Authentication/Authorization” and select “On”. Activating this option will give you several options for Authentication Providers. We will select Azure Active Directory.
    3. Because there isn’t a pre-configured application select the “Express” option. This option will register the Enterprise application within Azure Active Directory for us, or let you select a existing.
    4. Clicking “Save” on this blade will register the application within Azure Active Directory. Take a note that you need to have proper role in Azure AD to be able to register application (Global administrator or Cloud application administrator). If you don't have such you will need to ask for registration from tenant admin.
    5. To grant users access to the application open the Azure Active Directory blade within the Azure Portal and select Enterprise Applications.
    6. In the Enterprise Applications blade select “All Applications” to see a list of all applications that are registered within Azure Active Directory. From this list select the application. This will open the blade of the specific application.
    7. In the blade select “Users and Groups”. In the “Users and Groups” blade all users are shown that are granted access to the application. From here you can a add users to give them access.
    • 0