Forum Discussion

MarkMiddlemist_Mercato
Copper Contributor
Feb 16, 2023

Securing app services across multiple AAD tenants

Hi All


I'm beating my head against a wall so wanted to see if anyone can please help me out, or at least point me in the correct direction.


We have a large Azure infrastructure across multiple AAD tenants, with a number of app services that we're trying to secure at the network level using app service restrictions so access is only allowed from clients within our infrastructure (across the 2 tenants), or using controlled access via our APIM and Front Door edges.


The clients are a mix of other app services, VMs, VM scale sets (service fabric), and APIM access routes. All these now have Subnets attached for outbound routing. 


For securing within the same tenant everything works beautifully, using subnet access rules to grant access to the service endpoints from the client subnets. Where we are having problems is the cross-tenant allow rules.


All the subnets have NATs attached with IPv4 public IPs, which I had assumed would mean that we'd be able to use the public IP to grant the access on restrictions in the other tenant. However, what we've realised when we tested was that the presence of the Microsoft.Web service endpoint means that the NAT is being bypassed, and the IP presented to the target app service is not the IPv4 address we were expecting but an IPv6 address that is apparently used by the service endpoint, and I'm presuming not reliably static even if we can figure it out.


I presume we're not the first people ever to try and achieve the goal of cross-tenant app restrictions, so I thought I would ask how this is best done. The one suggestion I was given was to remove the service endpoints, but that of course stops us being able to use subnet app restriction rules, and I failed to get anything to work with any of the IPs associated with the clients.


Thanks in advance for any help you can offer


Mark Middlemist
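An added audit check, not part of the post above, that flags the exact failure mode Mark describes: an access-restriction Allow rule keyed on a NAT gateway's public IPv4 address will never match traffic from a client subnet that also has the Microsoft.Web service endpoint enabled, because that traffic takes the service-endpoint path and bypasses the NAT. The field names loosely follow the Azure JSON for subnets (serviceEndpoints, natGateway) and for siteConfig.ipSecurityRestrictions; treat them, the resource ids and the addresses as constructed assumptions.

```python
"""Flag App Service access-restriction rules that rely on a NAT public IP
while the client subnet has the Microsoft.Web service endpoint (assumed shapes)."""
import ipaddress

# Constructed sample subnets, one per client group (ids and prefixes are made up).
CLIENT_SUBNETS = [
    {"id": "subnet/app-clients", "addressPrefix": "10.1.0.0/24",
     "natGateway": {"id": "natgw/nat-a"},
     "serviceEndpoints": [{"service": "Microsoft.Web"}]},   # NAT is bypassed here
    {"id": "subnet/vm-clients", "addressPrefix": "10.1.1.0/24",
     "natGateway": {"id": "natgw/nat-b"},
     "serviceEndpoints": []},                                # NAT path is used
]
# Constructed mapping: NAT gateway id -> its outbound public IPv4 (documentation range).
NAT_PUBLIC_IPS = {"natgw/nat-a": "203.0.113.10", "natgw/nat-b": "203.0.113.20"}
# Constructed rules on the target app service in the other tenant.
RULES = [
    {"name": "allow-nat-a", "action": "Allow", "ipAddress": "203.0.113.10/32"},
    {"name": "allow-nat-b", "action": "Allow", "ipAddress": "203.0.113.20/32"},
    {"name": "Deny all", "action": "Deny", "ipAddress": "Any"},  # typical default rule
]


def has_web_endpoint(subnet):
    """True if the subnet has the Microsoft.Web service endpoint enabled."""
    return any(ep.get("service") == "Microsoft.Web"
               for ep in subnet.get("serviceEndpoints", []))


def find_ineffective_rules(rules, subnets, nat_ips):
    """Return (rule name, subnet id) pairs where an Allow rule matches a NAT public
    IP but the subnet behind that NAT also has Microsoft.Web, so the app service
    will see the service-endpoint source address instead of the NAT address."""
    findings = []
    for rule in rules:
        if rule.get("action") != "Allow":
            continue
        try:
            net = ipaddress.ip_network(rule.get("ipAddress", ""), strict=False)
        except ValueError:          # "Any" or a subnet-based rule: not IP keyed
            continue
        for sn in subnets:
            nat_ip = nat_ips.get((sn.get("natGateway") or {}).get("id"))
            if nat_ip and ipaddress.ip_address(nat_ip) in net and has_web_endpoint(sn):
                findings.append((rule["name"], sn["id"]))
    return findings


if __name__ == "__main__":
    for name, subnet in find_ineffective_rules(RULES, CLIENT_SUBNETS, NAT_PUBLIC_IPS):
        print(f"rule {name!r} will not match traffic from {subnet}: Microsoft.Web bypasses NAT")
```

Feed it the real `serviceEndpoints`, `natGateway` and `ipSecurityRestrictions` JSON from the CLI and any rule it reports is one that silently never matches.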

  • MarkMiddlemist_Mercato 

    It sounds like you're encountering a common challenge with using Azure App Service Restrictions across multiple tenants. While I can't provide a definitive solution, I can offer some suggestions:

    Consider using Azure Private Link instead of App Service Restrictions: Private Link allows you to access your App Services over a private endpoint within your own virtual network, rather than via a public IP address. This would give you more control over the network traffic and could potentially solve your cross-tenant access issues.

    Use Azure ExpressRoute to connect the two tenants: ExpressRoute allows you to create private connections between Azure datacenters and infrastructure that's on-premises or in another cloud. This would give you a dedicated, private connection between the two tenants that you could use for secure communication.

    Use Azure Traffic Manager to route traffic between the two tenants: Traffic Manager is a global DNS-based traffic load balancer that allows you to route incoming traffic across multiple Azure regions, datacenters, and networks. You could use it to route traffic between the two tenants in a secure and controlled way.

    Consider using a VPN or Virtual Network Gateway to connect the two tenants: A VPN or Virtual Network Gateway would allow you to create a secure, encrypted tunnel between the two tenants over the public internet, which could be used for secure communication between the two.

    I hope these suggestions are helpful, and that you're able to find a solution that works for your specific situation.
