Traffic manager with end point for Web app slot - powershell

I was creating a Traffic Manager profile with end points for Dev and QA slots for Web Apps and wondered that is it not possible?
How can I create Traffic Manager endpoints for Dev and QA slots as we do it for production?

Same way. Just select App Service Slot.
You can also use Powershell to enable TM for any external endpoint if portal interface does not allow you to do something you need.
Azure Traffic Manager External Endpoints and Weighted Round Robin via PowerShell

Related

How to limit access in Cloud Foundry

I am new to Cloud Foundry.
Is there any way that only specific users can view and update an app deployed in Cloud Foundry?
1.I deployed an app in Cloud Foundry using “cf push”command.
2.After entering “cf push “command I’ve got an message below.
Using manifest file /home/stevemar/node-hello-world/manifest.yml
enter Creating app node-hello-world-example...
name: node-hello-world-example
requested state: started
routes: {route-information}
last uploaded: Mon 14 Sep 13:46:54 UTC 2020
stack: cflinuxfs3
buildpacks: sdk-for-nodejs
type: web
instances: 1/1
memory usage: 256M
3.Using the {route-information} above,I can see the app deployed via browser entering below URL.
https://{route-information}
By this way ,anyone can see app from browser, but I don’t want that to be seen by everyone and limit access to specific user.
I heard that this global IP will be allocated to {route-information} by default.
Is there any way to limit access to only between specific users?
(For example,is there any function like “private registry” at Kubernetes in Cloud Foundry which is not open to public)
Since I am using Cloud Foundry in IBM Cloud it would be better if there is solution using IBM Cloud.
I’ve already granted cloud foundry role to the other user.
Thank you.
The CloudFoundry platform itself does not provide any access controls for applications. If you assign a public route to your application, where the DNS is publicly resolvable and the foundation is on the public Internet, like IBM Bluemix, then anyone can access your app.
There's a number of things you can do to limit access, but they do require some work on your part.
Use a private DNS. You can add any domain you want to Cloud Foundry, even ones that don't resolve. That means you could add my-cool-domain.local which does not resolve anywhere. You could then add a record to /etc/hosts for this domain or perhaps run DNS on your local network to resolve this DNS domain and direct traffic to the CloudFoundry.
With this setup, most people cannot access your application because the DNS domain for the route to your application does not resolve anywhere. It's important to understand that this isn't really security, but obscurity. It would stop most traffic from making it to your app, but if someone knew the domain, they could add their own /etc/hosts header or send fake Host headers to access your application.
This type of setup can work well if you have light security requirements like you just want to hide something while you work on it, or it can work well paired with other options below.
You can set up access controls in your application. Many application servers & frameworks can do things like restrict access by IP address or require user access (Basic auth is easy and it is OK, if you're only allowing HTTPS traffic to your app which you should always do anyway).
You can use OAuth2 to secure apps too. Again, many app servers & frameworks have support for this and make it relatively simple to secure your apps. If you don't have a corporate OAuth2 solution, there are public providers you can use. Exactly how you do OAuth2 in your app is beyond the scope of this question, but there's plenty of material out there on how to do this. Google information for your application language/framework of choice.
You could set up an access Gateway. This would be an application that's job is to proxy traffic to other applications on the foundation. The Gateway could be something like Nginx, Apache HTTPD, or Spring Cloud Gateway. The idea is that the gateway would be publicly accessible, and would almost certainly apply access controls/restrictions (see #2, many of these proxies have access control options that only take a few lines of config). Your actual applications would not be deployed publicly though. When you deploy your actual applications, they would only be on the internal Cloud Foundry domain.
CloudFoundry has local domains, often apps.internal (run cf domains to see if that shows up), which you can use to easily route traffic across the internal container-to-container network. Using this domain and the C2C network, you can have apps deployed to CF that are not accessible to the public Internet, except through your Gateway.
Again, how you configure this exactly is outside the scope of this question, but check out the docs I linked to for info on using the C2C network & internal routes. Then check out your proxy server of choice's documentation.

best way to configure NSG rule for mobile app client and Service fabric hosted API

We have following structure for my application. currently we have used Any for both source and destination (on port 3389) while defining NSG rule for our Service Fabric to allow calls from mobile app. But our security team has raised concerns on Any-Any rule. Is there any way to optimize this?
Note: our mobile app is public and anyone can download from app store.
Any to Any rule open SF for attach really so you should limit the IP from your traffic manager given your current model.
Azure API management already have build in support for Service Fabric so my suggestion is to remove the traffic manager between then API management and SF. Then you can do is to limit the traffic to SF only from the API management which is much easier.
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-api-management-overview
Authentication requirement you can delegate that to the API management ie validate JWT token

Integrate Azure App Service with App Service Environment

We have an Azure App Service Environment, which resides in a subnet in a vnet configured with both an expressroute gateway and a VPN gateway. When trying to connect an AppService outside of the ASE to the Vnet, as described here: https://learn.microsoft.com/nb-no/azure/app-service/web-sites-integrate-with-vnet, we are not able to connect, because it says the gateway is not a VPN gateway.
I suspect the GUI only picks the first gw in the list when it tries to figure out what type of gw it is.
Because, we do have a vpn gateway too:
I have a couple of questions:
Is there a way to get the Portal to use the correct gateway when
trying to connect from the AppService to the Vnet?
If not, is there a way to do this from Powershell with the AzureRm CmdLets?
Currently, it is not possible. It is a design behavior. Integrate web app with an Azure Virtual Network does not support Vnet that has an ExperssRoute Gateway. If ExperssRoute is in it, you will get the error log.
You could check the link you provided.
The VNet Integration feature does not integrate an app with a VNet
that has an ExpressRoute Gateway. Even if the ExpressRoute Gateway is
configured in coexistence mode the VNet Integration does not work. If
you need to access resources through an ExpressRoute connection, then
you can use an App Service Environment, which runs in your VNet.
Update:
If you need this function, you could vote up this feedback.

Restrict Azure Web API to Just API Manager

I am deploying RESTful API's in Azure and protecting them with teh Azure API Manager. However, I've not been able to figure out how to restrict calls to the actual API to block requests going around the API manager. Is there a way in the web.config or something to restrict IP's, domain names.... on teh .net web api?
You can whitelist the IPs in c# code. Check below link for code changes,
https://weblogs.asp.net/senthil/restrict-ip-address-in-asp-net-web-api
You can get the static IP address of APIM in overview section. But you have to consider below points,
In all tiers of API Management, the public IP address (VIP) of the API Management tenant is static for the lifetime of the tenant, with some exceptions. The IP address changes in these circumstances:
The service is deleted and then re-created.
The service subscription is suspended or warned (for example, for
nonpayment) and then reinstated.
You add or remove Azure Virtual Network (you can use Virtual Network
only at the Developer and Premium tier).
For multi-region deployments, the regional address changes if the region is vacated and then reinstated (you can use multi-region deployment only at the Premium tier).
Premium tier tenants that are configured for multi-region deployment are assigned one public IP address per region.
You can get your IP address (or addresses, in a multi-region deployment) on the tenant page in the Azure portal.
Yes, you can configure call limits and quota policies through the API Management Portal, including inbound and outbound policies. Below is the policy template, you can choose what you want. Here Restrict caller IPs would meet your requirements.
For detailed configuration, please check this article and follow the steps.

Is it possible to use the Single Sign On Service (currently only available on US) from an app deployed on UK?

I get that it wont be possible to bind the service and therefore not use the VCAP_SERVICES, and credentials would need to be managed in another way.
Since the communication would go via the internet, I guess the question is really:
Does the SSO service have an API that can be reached from outside of Bluemix?
Yes the SSO service can be reached from outside Bluemix and therefore also from apps deployed on UK.
However, to retrieve the credentials you need to create an SSO service on US and then bind an app to it and inspect the VCAP_SERVICES. This is due to how Cloud Foundry works. Read more here