Whitelisting Application Gateway (WAFv2) Frontend IP results in 403 on App Service using access restrictions
As soon as I apply the whitelist to the App Service configured in the backend pool (I whitelist the IP assigned to the Application Gateway; the IP is Standard tier and static), my health probe fails with a 403.
Has anyone else run into this before? My impression was that I could whitelist the public IP assigned to the Application Gateway on the App Service, so that access is only possible from the Application Gateway endpoint.
After removing the whitelist the health probe succeeds, so I'm sure it is related to this.
According to the document,
If the backend pool:

Is a public endpoint, the application gateway uses its frontend public IP to reach the server. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.

Contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses.

Contains an external endpoint or an externally resolvable FQDN, the application gateway routes the request to the backend server by using its frontend public IP address. The DNS resolution is based on a private DNS zone or custom DNS server, if configured, or it uses the default Azure-provided DNS. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.
So you may be using an internally resolvable FQDN or the private IP address of the backend App Service in the backend pool.
In that case, you could either change to the default Azure App Service hostname, such as webappname.azurewebsites.net,
or whitelist the internal Application Gateway subnet (where the Application Gateway instance private IP addresses live) in the App Service access restrictions.
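The two fixes from the answer as Azure CLI commands, added here as an example and not part of the original answer. Resource group, app, gateway, VNet and subnet names are placeholders, and the functions only wrap the documented `az` commands; set `AZ=echo` to print them instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post). When the backend pool addresses the
# App Service by private IP or an internally resolvable FQDN, the gateway egresses
# from its instance private IPs, so an access restriction that only allows the
# gateway's frontend public IP rejects the health probe with 403.
set -eu

AZ="${AZ:-az}"   # AZ=echo gives a dry run that prints the command line

# Fix 1: allow the Application Gateway subnet (VNet rule) on the App Service.
allow_appgw_subnet() {
  rg="$1"; app="$2"; vnet="$3"; subnet="$4"
  "$AZ" webapp config access-restriction add \
    --resource-group "$rg" --name "$app" \
    --rule-name AllowAppGwSubnet --action Allow --priority 100 \
    --vnet-name "$vnet" --subnet "$subnet"
}

# Fix 2: keep a frontend-public-IP rule, but point the backend pool at the public
# azurewebsites.net hostname so the gateway routes via that frontend public IP.
allow_appgw_frontend_ip() {
  rg="$1"; app="$2"; frontend_ip="$3"
  "$AZ" webapp config access-restriction add \
    --resource-group "$rg" --name "$app" \
    --rule-name AllowAppGwFrontend --action Allow --priority 110 \
    --ip-address "$frontend_ip/32"
}

point_backend_pool_at_public_hostname() {
  rg="$1"; gw="$2"; pool="$3"; app="$4"
  "$AZ" network application-gateway address-pool update \
    --resource-group "$rg" --gateway-name "$gw" --name "$pool" \
    --servers "$app.azurewebsites.net"
}

# Check the rules actually in force before trusting the health probe result.
show_rules() {
  rg="$1"; app="$2"
  "$AZ" webapp config access-restriction show \
    --resource-group "$rg" --name "$app" -o json
}
```

Run `allow_appgw_subnet my-rg my-app my-vnet appgw-subnet` for fix 1, or `allow_appgw_frontend_ip my-rg my-app 203.0.113.10` followed by `point_backend_pool_at_public_hostname my-rg my-gw my-pool my-app` for fix 2, then `show_rules my-rg my-app`.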