Add IP restrictions on QnA maker app service

1
votes

I am trying to add IP restrictions to my app service associated to my QnA Maker to make it available only through an application gateway. Now, the service works through the gateway but the qna maker portal doesn't work anymore. I get the following error message when loading my knowledge base:

QnA Maker runtime error

Runtime unavailable. Please check that the App Service resource in your QnA Maker service is up and running.

According to Can qnamaker.ai load a url not open for the public?, the following IP ranges must be added to the app service whitelist:

  • West US: 13.91.0.0/16
  • East US: 52.191.0.0/18

Unfortunately, adding these IPs doesn't solve the issue and the QnA resource is still unavailable.

After multiple refresh of the page, the KB is sometime displayed. I think there are some others IP ranges that need to be added to work all the time.

Does anybody knows what is the complete list of IPs to add to fix the QnA maker portal ?

2
azure-web-app-serviceqnamaker

2 Answers

0
votes

If this host name is Valid and reachable via following IPs everything should work.

52.191.14.164

13.91.243.134

or

Hosting QnA Maker App on Isolated App Service Environment is bit hard, but feasible. You need to integrate ILB with WAF so that the site is accessible externally: https://docs.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway

You also need to manage certs: https://docs.microsoft.com/en-us/azure/app-service/environment/create-ilb-ase#create-an-app-in-an-ilb-ase

  1. Create the App Service with QNA Maker extension enabled(Part of existing template) in ASE
  2. Manual: Add certs +WAF for the App Service in 1 (1hr work atleast)
  3. Make sure the App Service is reachable in the browser(https://) and there are no cert issues
  4. Create cognitive services instances (part of existing template) and pass it the app service host name from 1.

Deploy QnA Maker to their existing App Service Environment you can select “ Deploy to Azure,” modify the template as desired, and deploy to the subscription. For example, this Web App template: https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-github-deploy

0
votes

I finally created a support ticket in Azure. Here is the complete list given by Microsoft support:

  • 13.68.0.0/16
  • 13.86.0.0/16
  • 13.91.0.0/16
  • 20.185.0.0/16
  • 40.83.0.0/16
  • 40.88.0.0/16
  • 40.121.0.0/16
  • 52.191.0.0/16

Now the QnA Maker portal works fine with this IP whitelist in the app service.