0
votes

So I've been following Ahmed Sabbour's article on how to deploy: https://sabbour.me/how-to-run-an-app-service-behind-a-waf-enabled-application-gateway/ The ONE difference is that instead of a jump box we are using a VM with VNET peering and using an internal DNS service for my company.

Then I'm deploying web apps running on the ASE behind the WAF-App Gateway, where I am able to get the public-facing website up and running.

However, the problems came when attempting to publish the Kudu 'Advanced Tools' site. WebDeploy, the component used for deploying code to an Azure Web App, is a component of the Kudu site (i.e. *.scm.yourdomain.com), but when I try to access it from a machine in the VNET or externally:

customdomainname.sites.msrd’s server IP address could not be found.

Any idea how to get the Kudu site running so I can deploy?


2 Answers

0
votes

As the blog said, you need to deploy a custom DNS server in the same VNet in which your ILB ASE is located for the internal domain name resolution. Also, make sure there is no network restriction between the ASE subnet and the VM subnet; you may check the NSG configuration if you have attached one.

In order to be able to deploy stuff, access the Kudu console and so on, you need to create a Virtual Machine that is living within the same Virtual Network and use that to access the Web App with its internal IP. While you're at it, you may configure this machine with a DNS role to be able to resolve the Web App specific domains (and other hostnames within your Virtual Network). You need to create A-records pointing to the App Service Environment's Internal Load Balancer IP address for the following hostnames (*, *.scm, ftp, publish).


Note: If you change the DNS setting of the VNet that your ASE is in, you will need to reboot your ASE.

To do some simple tests, edit the hosts file on your VM to set the app name to the VIP IP address:

a. If your ASE has the domain name .ilbase.com and you create the app named mytestapp, it's addressed at mytestapp.ilbase.com. You then set mytestapp.ilbase.com to resolve to the ILB address. (On Windows, the hosts file is at C:\Windows\System32\drivers\etc.)

b. To test web deployment publishing or access to the advanced console, create a record for mytestapp.scm.ilbase.com.

You could get more details from the official doc. Moreover, you may need to use AppKey to change the WebApp's default DNS settings since ASE App Services don't inherit the VNet's DNS settings.
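The hosts-file test described in this answer can be checked mechanically before attempting a WebDeploy publish. The script below is an added example, not part of the original answer or the linked article; the function names are hypothetical, and the IP addresses and sample hosts text are constructed for illustration.

```python
import ipaddress

def required_hosts(app, ase_domain):
    """Names the answer lists: the app, its Kudu/SCM site, ftp and publish."""
    d = ase_domain.strip(".").lower()
    a = app.lower()
    return [f"{a}.{d}", f"{a}.scm.{d}", f"ftp.{d}", f"publish.{d}"]

def parse_hosts(text):
    """Map each hostname in hosts-file text to its IP, keeping the first entry."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip lines with a malformed address
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table

def check_hosts(text, app, ase_domain, ilb_ip):
    """Return {hostname: problem} for names missing or not on the ILB address."""
    table = parse_hosts(text)
    ilb = str(ipaddress.ip_address(ilb_ip))
    problems = {}
    for host in required_hosts(app, ase_domain):
        got = table.get(host)  # exact match only: hosts files have no wildcards
        if got is None:
            problems[host] = "missing"
        elif got != ilb:
            problems[host] = f"points to {got}, expected {ilb}"
    return problems

# Constructed sample: the wildcard line does not cover the SCM site.
SAMPLE_HOSTS = """\
10.0.1.11  mytestapp.ilbase.com
10.0.1.11  *.scm.ilbase.com     # wildcard entries are not honoured here
10.0.1.12  ftp.ilbase.com
"""

if __name__ == "__main__":
    result = check_hosts(SAMPLE_HOSTS, "mytestapp", ".ilbase.com", "10.0.1.11")
    for host, issue in result.items():
        print(f"{host}: {issue}")
```

The wildcard records (`*`, `*.scm`) only work on a real DNS server; in a hosts file each app and its `.scm` name need their own line.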

0
votes

We faced a similar issue, but we did not create a jump box; we created the following DNS records to point to the Application Gateway URL:

  • app.scm.yourcompany.com -> Application Gateway URL
  • app.yourcompany.com -> Application Gateway URL

We created a similar backend rule, the same as for the app URL, which will expose the SCM to the internet using the custom domain.

Note:

  • When you try to log in to the SCM it will ask for a user name and password. Use the username and pwd in the publish settings, which you can download from the web app.
  • If you want to separate the SCM implementation, use another application gateway with IP Restrictions.

A similar setup can be done using the ILB, if your network is allowed to talk to the Application Gateway network.