I'm not sure if I'm missing something simple, or if I'm trying to do the impossible.
I have a Tomcat site deployed on Azure using the Web+Mobile App Services model. This is NOT a VM. I would like to be able to apply firewall rules (network security group) to this App Service.
Here is what I have done within my Resource Group:
- Taken my existing App Service (Tomcat) and upgraded it to S1 machine size.
- Created a VNET with default settings. This included creating a subnet named "default". All address space suggestions were left at Azure default prompts.
- Used the Network settings blade on the App Service to select the VNET I just created.
- Created a Network Security Group - added an incoming rule to deny HTTP port 80 from ANY source.
- Associated the NSG created above with the default subnet.
- Waited for everything to propagate.
- Tested hitting the App Service on HTTP Port 80, and got results returned.
This was not what I was hoping to see. To debug this I tested:
- Created a Tomcat Virtual Machine.
- On the VM Network blade, associated the VM with the "default" subnet, and specifically removed the Network Security Group from the VM (leaving it on the subnet - just making sure it's not explicitly attached to the VM)
- Tested HTTP access to the VM - traffic rejected
- Tested HTTP access to the App Service - traffic still permitted
- Changed the Network Security Group rule to allow
- Tested HTTP access to the VM and traffic permitted
How do I get the App Service to use the Network Security Group the way the Virtual Machine does? Am I missing somewhere how to configure the subnet on the App Service? Is there another way to associate the NSG with the App Service?
I don't have budget/need to build an ASE. All I need to do is put a firewall in front of my App Service to block out the ports I'm not wanting to see used.
Thanks.