Integrate Azure App Service with App Service Environment - powershell

We have an Azure App Service Environment, which resides in a subnet in a vnet configured with both an expressroute gateway and a VPN gateway. When trying to connect an AppService outside of the ASE to the Vnet, as described here: https://learn.microsoft.com/nb-no/azure/app-service/web-sites-integrate-with-vnet, we are not able to connect, because it says the gateway is not a VPN gateway.
I suspect the GUI only picks the first gw in the list when it tries to figure out what type of gw it is.
Because, we do have a vpn gateway too:
I have a couple of questions:
Is there a way to get the Portal to use the correct gateway when
trying to connect from the AppService to the Vnet?
If not, is there a way to do this from Powershell with the AzureRm CmdLets?

Currently, it is not possible. It is a design behavior. Integrate web app with an Azure Virtual Network does not support Vnet that has an ExperssRoute Gateway. If ExperssRoute is in it, you will get the error log.
You could check the link you provided.
The VNet Integration feature does not integrate an app with a VNet
that has an ExpressRoute Gateway. Even if the ExpressRoute Gateway is
configured in coexistence mode the VNet Integration does not work. If
you need to access resources through an ExpressRoute connection, then
you can use an App Service Environment, which runs in your VNet.
Update:
If you need this function, you could vote up this feedback.

Related

IBM Cloud: Kubernetes add-on ALB Oauth2 Proxy for App ID integration fails to start

I deployed a containerized app to my IBM Cloud Kubernetes service in a VPC. The app uses App ID for authentication. The deployment pipeline ran successfully. The app seems ready, but when accessing its URL it gives an internal server error (500 status code).
From the Kubernetes dashboard I found that the ALB Oauth Proxy add-on is failing. It is deployed, but does not start.
The deployment seems to fail in the health checks (ping not successful). From the POD logs I found the following as last (and only) entry:
[provider.go:55] Performing OIDC Discovery...
Else, there is not much. Any advise?
Guessing from the missing logs and the failing pings, it seemed related to some network setup. Checking the VPC itself, I found that there was no Public Gateway attached to the subnet. Enabling it allowed outbound traffic. The oauth proxy could contact the App ID instance. The app is working as expected now.
Make sure that the VPC subnets allow outbound traffic and have a Public Gateway enabled.

Error: Error: Failed to deploy web package to App Service. Error: tunneling socket could not be established, statusCode=503

We are getting below error on Azure devops pipeline via Self hosted agent release when Azure web app is on Private network. No Error seen when the web app on azure is on Public.
Error: Error: Failed to deploy web package to App Service. Error: tunneling socket could not be established, statusCode=503
Made Azure web app to private and error comes. Moved to public no error seen.
Seems that the self-hosted agent cannot connect to the Azure app service. It seems to be a network issue.
The agent needs a way to connect to the App service directly. To ensure the connectivity is ok, we need to make sure the self-hosted agent is not blocked by NSG rules or App Service networking Access Restrictions. Just whitelist the agent machine in your rules.
The task using Kudu REST API to deploy the application. We need to check the following App Service networking Access Restrictions to allow deployment from a specific agent:
Make sure the REST site “xxx.scm.azurewebsites.net” have Allow All, i.e. no restriction.
Also, the option “Same restrictions as ***.azurewebsites.net” should be unchecked.
If you are using Private Endpoints for Azure Web App, you must create two records in your Azure DNS private zone or your custom DNS server. Kindly check DNS for more details.
Besides, when the proxy is set up, Web API calls and SCM hosts are bypassed by the user. The same has to be configured in the Azure pipelines agent explicitly. To bypass specific hosts, follow the steps here and restart the agent.
1.Allow access to Public removed.
2.Created Pvt endpoints within same Vnet and Subnet of Target VM
3.Created new file .proxybypass in self hosted agent folder C:\Username\Agent
4.Added below entries in .proxybypass to allow and communicate bypassing corporate proxy
https://MyWebappname.azurewebsites.net
http://MyWebappname.azurewebsites.net
enter code here

Can't connect from azure resource to Azure database for postgres server

I can't connect from azure resource (aks node) to Azure postgres using pgcli. I also tried directly from node and got the same error message:
FATAL: Client from Azure Virtual Networks is not allowed to access the server. Please make sure your Virtual Network is correctly configured.
Firewall rules in the resource are on:
Allow access to Azure services: ON
Running the same pgcli login command on my computer and on another azure resource seems to work fine.
Adding Firewall rules to all IPs return the same error.
Curl from the problematic server (host:5432) returns a reply, so it's not an outbound issue.
What does the error mean?
A VM where the connection originates from is deployed to a virtual network subnet where Microsoft.Sql service endpoint is turned on. Per documentation:
If Microsoft.Sql is enabled in a subnet, it indicates that you only want to use VNet rules to connect. Non-VNet firewall rules of resources in that subnet will not work.
For connection to succeed there must be a VNet rule added on PostgreSQL side. At the time the question was asked VNet Service Endpoints for Azure Database for PostgreSQL just got to public preview so I assume it might not have been available for the OP.
Solution
As of November 2020, Service Endpoints for Postgres is GA and instead of disabling the service endpoint one can add a missing VNet rule to the PostgreSQL server instance and reference the service endpoint-enabled subnet. It can be done via Portal or Azure CLI
Apparently, the vm is part of a vnet that a service endpoint tag Microsoft.sql was enabled.
I found this answer. To solve the problem I disabled the service endpoint and added the public IP to the Connection Security section.
I encountered the same problem.
All I did was to switch Allow access to Azure services to ON .

Traffic manager with end point for Web app slot

I was creating a Traffic Manager profile with end points for Dev and QA slots for Web Apps and wondered that is it not possible?
How can I create Traffic Manager endpoints for Dev and QA slots as we do it for production?
Same way. Just select App Service Slot.
You can also use Powershell to enable TM for any external endpoint if portal interface does not allow you to do something you need.
Azure Traffic Manager External Endpoints and Weighted Round Robin via PowerShell

How to expose existing REST API through Azure Service Bus (or through something else)

I have an existing on-premise REST API from an external vendor. I'd like to expose this API unmodified to the outside world through an Azure website. So I have customers that run this API on-premise and I'm developing a PaaS/SaaS app that should access these on-premise API's.
I also have a client SDK from the external vendor that calls the API. Works without issues when running on-premise. However, now I want to use this SDK from my Azure website.
How do I route REST service calls generated by the SDK to the on-premise API? I thought about using Azure Service Bus WebHttpRelayBinding but this seems to require a WCF contract which I do not have.
In other words: is there a way to send unmodified HTTP traffic to an on-premise system from Azure (through Azure Service Bus or by any other means)?
If you want to access an On-Premise service from the Azure service/websites what you need is a Hybrid Connection.
For that you will need a BizTalk service to redirect the trafic to your on-prem service.
Here are the steps to how to setup a Hybrid connection:
https://azure.microsoft.com/en-us/documentation/articles/web-sites-hybrid-connection-get-started/