0
votes

I have an ILB ASE v2 with WAF (public IP). The ASE has its subnet where all web apps reside. For obvious security reasons I think I need to lock down access from the Internet and leave only HTTPS open. But when I do that I can't see app services info in the portal. So what should my NSG look like for this subnet?

Also, WAF has its own subnet. It doesn't have NSG assigned either. Should it have one?

2
What's the specific error message? Do you follow this blog to set up ILB ASE+WAF? You want to leave only HTTPS open. How do you configure this for HTTPS? It's an HTTPS listener? - Nancy Xiong
No message, the portal just can't load anything related to those app services. No, I follow official docs. Let me try something unofficial now... yes, the listener is HTTPS only. So are app services. - alvipeo
OK, I read that blog post. It's for newbies. Not relevant to my question. - alvipeo
The app GW subnet and ASE subnet should be in the same VNet. Any error message when you access the web app via app GW? What's the backend health in the app GW portal? Check if this helps? - Nancy Xiong
They are in the same subnet, obviously. I'm trying to restrict access by using an NSG, so I thought I'd add an NSG to the ASE subnet. But adding it blocks the portal from getting information about apps. And my question is HOW would you restrict access to the apps that are inside the ASE (like HTTPS only)? - alvipeo

2 Answers

0
votes

When you add an NSG to the App Service subnet with Deny All Internet traffic, it blocks the portal from fetching information from the App Service. Try adding an NSG rule with greater priority with source IP as the Azure Cloud tag and allow it.

So you are blocking all Internet traffic and allowing Azure IPs for communication.

Let me know if it works.
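To see why the rule order matters, here is a small added Python model (not code from either poster) of how an NSG evaluates inbound rules: lowest priority number first, first match wins, with Azure's default rules at 65000 and above. The service-tag prefixes and the WAF subnet address are constructed for the demo; the "Internet" tag is modelled as everything outside the VNet, which is how Azure defines it.

```python
import ipaddress

# Constructed stand-ins for Azure service tags. The prefixes are invented for
# this demo; Azure resolves the real tags itself and they change over time.
SERVICE_TAGS = {
    "AzureCloud": [ipaddress.ip_network("203.0.113.0/24")],   # Azure platform / portal
    "VirtualNetwork": [ipaddress.ip_network("10.0.0.0/16")],  # the ASE + WAF VNet
}
WAF_SUBNET = "10.0.1.0/24"   # assumed address of the Application Gateway subnet

def source_matches(source, src_ip):
    """True if src_ip falls in the rule's source (tag, CIDR or '*' for any)."""
    if source == "*":
        return True
    if source == "Internet":  # Azure: any address outside the virtual network
        return not source_matches("VirtualNetwork", src_ip)
    ip = ipaddress.ip_address(src_ip)
    nets = SERVICE_TAGS.get(source) or [ipaddress.ip_network(source)]
    return any(ip in net for net in nets)

# Azure's built-in inbound rules sit at priority 65000+ and are evaluated last.
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "Deny"),
]

def evaluate(rules, src_ip, dst_port):
    """First matching rule wins, lowest priority number first; returns (action, rule name)."""
    for priority, name, source, port, action in sorted(rules + DEFAULT_INBOUND):
        if source_matches(source, src_ip) and port in ("*", dst_port):
            return action, name
    raise AssertionError("DenyAllInBound always matches")

# The situation in the question: a blanket Internet deny placed ahead of the
# allow for Azure management, so the portal's traffic (ASE v2 management uses
# inbound 454-455; assumed here) is denied before the allow is ever reached.
BROKEN = [
    (100, "DenyInternetInBound", "Internet", "*", "Deny"),
    (110, "AllowAzureCloudInBound", "AzureCloud", "*", "Allow"),
]

# The answer's fix: give the Azure allow a higher priority (lower number) than
# the Internet deny, and admit HTTPS only from the WAF's own subnet.
FIXED = [
    (100, "AllowAzureCloudInBound", "AzureCloud", "*", "Allow"),
    (110, "AllowHttpsFromWafInBound", WAF_SUBNET, 443, "Allow"),
    (4000, "DenyInternetInBound", "Internet", "*", "Deny"),
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "portal->454:", evaluate(rules, "203.0.113.10", 454))
        print(label, "public->443:", evaluate(rules, "198.51.100.7", 443))
```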

0
votes

Here's the resulting rules set for ASE subnet NSG:

[screenshot of the resulting NSG rule set; image not reproduced]

You might want to add HTTP to it if you need it.