Azure前门-如果Web应用程序网络限制列表中有IP允许条目,则禁止403 [英] Azure Front Door - 403 Forbidden if there are IP Allow entries in the web app Network Restrictions List
问题描述
我一直在与Azure支持工程师一起尝试解决此问题,但他无法确定问题所在,所以我希望这里有人遇到这种情况:
I've been working with an Azure support engineer to try and figure this out, and he has not been able to determine the issue, so I'm hoping someone here has run into this scenario:
我们已经设置了第一个Azure前门-此阶段的配置非常简单-后端池仅由我们的一个Web应用程序(Azure应用程序服务)和一条路由组成,该路由仅转发来自Web应用程序URL的前门URL.
We have set up our first Azure Front Door - the configuration at this stage is very simple - the backend pool consists of just one of our web apps (an Azure App Service), and one route which just forwards all requests from the front door URL to the web app URL.
问题:我们发送的每个请求都提供403禁止的错误.
The issue: every request we send provides a 403 forbidden error.
我已经确定的工作:
Azure Web应用具有适当的网络安全限制,仅允许某些IP地址访问URL.我的IP地址是该列表的一部分,如果我直接访问Web应用程序URL ,则所有操作都可以正常进行.如果我尝试访问前门URL,则会收到403禁止错误.
The Azure web app has Network Security Restrictions in place to only allow certain IP addresses to access the URL. My IP address is part of the list, and if I access the web app URL directly, all works as expected. If I try to access the Front Door URL I get a 403 Forbidden error.
作为测试,我设置了第二个不受IP限制的Azure Web应用程序,并将其添加到前门的后端池中.我可以通过前门访问该站点,而没有任何问题.但是,只要在网络限制"列表中添加一个允许"条目(在本例中为我的IP地址),我都会在进入前门URL时收到403错误.
As a test, I set up a second Azure web app with no IP restrictions and added that to the backend pool of the Front Door. I can access that site through the Front Door with no issues. However, as soon as I add even one Allow entry to the Network Restrictions list (in this case, my IP address) I get the 403 error when going to the Front Door URL.
作为另一个测试,我什至在IP限制列表中添加了0.0.0.0以允许全部访问-即使那样,尝试访问前门URL时仍然出现403错误.在所有测试案例中,我都可以直接访问Web应用程序URL,而不会出现任何错误.
As another test, I then even added 0.0.0.0 to the IP Restriction List to Allow All - even with that, I still get a 403 error when trying to access the Front Door URL. In all test cases, I can access the web app URL directly without any error.
我也完全禁用了前门WAF,只是为了确保其中没有任何错误导致403错误.同样的事情-403,无论何时打前门URL.
I also completely disabled the Front Door WAF just to ensure nothing in there was causing the 403 errors. Same thing - 403 no matter what when hitting the Front Door URL.
最后-我在每次测试之间对前门缓存进行一次清除,只是为了确保那里没有任何东西被捕获.
Finally - I do a Purge on the Front Door cache between every test just to make sure nothing is getting caught up there.
这似乎是前门和在IP限制中有任何条目的Web应用程序的可能错误?这对我来说是非常困惑的,因为我们不能期望不受IP限制的情况下,我们的非公开Web应用程序URL可以向Web广泛开放?有没有人经历过并解决了这个问题?
This seems like a possible bug with Front Door and web apps that have any entries in the IP restrictions? That would be very perplexing to me though as we can't be expected to leave our non-public-facing web app URL's wide open to the web without IP restrictions?? Has anyone experienced and resolved this?
编辑1 :Azure支持工程师为我提供了前门服务的IP地址,以添加到Web应用程序的允许列表中.我补充了一点,仍然没有运气-403.什么也没有.似乎在网络限制"列表中根本没有任何东西,前门"无法按预期工作.
EDIT 1: The Azure support engineer provided me with an IP address for the Front Door Service to add to the Allow List of the web app. I added, and still no luck - nothing but 403. It seems if there's anything at all in that Network Restrictions list, Front Door does not work as expected.
编辑2 :似乎我的全部允许"输入不正确-我将其设置为0.0.0.0/32.将其更改为0.0.0.0/0后,即可通过前门访问该Web应用程序.因此,我的初步评估认为,该列表中的所有条目(包括允许所有")均导致403错误,这是不正确的.正确的评估是,列表 other 中除0.0.0.0(甚至是我自己的IP地址)之外的任何条目都将导致403错误.因此,主要问题仍然存在-我们如何才能通过IP限制保护我们的Web应用程序并仍将其与Azure Front Door一起使用?
EDIT 2: Seems I had the Allow All entry incorrect - I had it set at 0.0.0.0/32. Once I changed it to 0.0.0.0/0, I can access the web app via the Front Door. So my initial assessment that ANY entries to the list at all including Allow All causes 403 errors was incorrect. The correct assessment is that any entries to the list other than 0.0.0.0 (even my own IP address) will cause a 403 error. So the main issue persists - how can we protect our web app with IP restrictions and still use Azure Front Door with it?
推荐答案
Azure Frontdoor将充当反向代理,这意味着需要将全球POP服务器IP列入Web应用程序网络限制中.
Azure Frontdoor will act as a reverse proxy which means the POP servers IP all around the world needs to be whitlisted in your Web App Network restriction.
它在FAQ部分由于有多个POP服务器,因此您需要将所有POP服务器的IP列入白名单,然后尝试访问进行测试.
Since there are multiple POP servers you need to whitelist all the POP server's IP and then try to access to test.
您还可以与我分享SR#吗,这样我就可以看看您提出的支持票.
Also can you share me the SR # so that I can take a look into the support ticket which you have raised.
这篇关于Azure前门-如果Web应用程序网络限制列表中有IP允许条目,则禁止403的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
