api management
2 Topics

Securing app services across multiple AAD tenants
Hi All,

I'm beating my head against a wall so wanted to see if anyone can please help me out, or at least point me in the correct direction.

We have a large Azure infrastructure across multiple AAD tenants, with a number of app services that we're trying to secure at the network level using app service restrictions, so access is only allowed from clients within our infrastructure (across the 2 tenants), or using controlled access via our APIM and Front Door edges. The clients are a mix of other app services, VMs, VM scale sets (Service Fabric), and APIM access routes. All these now have subnets attached for outbound routing.

For securing within the same tenant everything works beautifully, using subnet access rules to grant access to the service endpoints from the client subnets. Where we are having problems is the cross-tenant allow rules. All the subnets have NATs attached with IPv4 public IPs, which I had assumed would mean that we'd be able to use the public IP to grant the access on restrictions in the other tenant. However, what we've realised when we tested was that the presence of the Microsoft.Web service endpoint means that the NAT is being bypassed, and the IP presented to the target app service is not the IPv4 address we were expecting but an IPv6 address that is apparently used by the service endpoint, and I'm presuming not reliably static even if we can figure it out.

I presume we're not the first people ever to try and achieve the goal of cross-tenant app restrictions, so thought I would ask how this is best done? The one suggestion I was given was to remove the service endpoints, but that of course stops us being able to use subnet app restriction rules, and I failed to get anything to work with any of the IPs associated with the clients.

Thanks in advance for any help you can offer,
Mark Middlemist

Not able to set up Azure private endpoint URL as web service/backend for Azure API Management service
Hi all,

I have integrated a private endpoint connected to a private link service. The private link service is created by an Azure standard load balancer, created by a Kubernetes LoadBalancer service using the annotations below (the annotations are the ones I use; the Service wrapper, name, selector and port are placeholders added so the manifest applies as a whole):

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-internal-service   # placeholder name
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    service.beta.kubernetes.io/azure-pls-create: "true"
    service.beta.kubernetes.io/azure-pls-name: myPLS
    service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: YOUR SUBNET
    service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count: "1"
    service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address: SUBNET_IP
    service.beta.kubernetes.io/azure-pls-proxy-protocol: "false"
    service.beta.kubernetes.io/azure-pls-visibility: "*" # does not apply here because we will use Front Door later
    service.beta.kubernetes.io/azure-pls-auto-approval: "YOUR SUBSCRIPTION ID"
spec:
  type: LoadBalancer
  selector:
    app: my-app   # placeholder selector for the backend pods
  ports:
    - port: 80    # the port APIM is calling, as shown in the error below
```

I am getting the expected response, i.e. the response from the Kubernetes service via the private endpoint IP, which confirms that the private link and private endpoint integration is working fine.

We now want to integrate the above private endpoint service with the Azure API Management service, so we tried adding the private endpoint URL as the web service URL for the API Management service, but the API Management service is returning a 500 error:

```json
{
  "statusCode": 500,
  "message": "Internal server error",
  "activityId": "76261291-7121-4814-b0e4-66b52284d76c"
}
```

I also tried the API Management service Troubleshoot & analysis page for the exact error; it is showing the error below:

    BackendConnectionFailure
    An attempt was made to access a socket in a way forbidden by its access permissions <private_endpoint_url>:80

Please help me understand what I am doing wrong in this implementation. Our requirement is to have a Kubernetes private load balancer and integrate it with the Azure API Management service, so users can access the API only through the API Management service, and only the API Management service should be able to access the load balancer service.

Thanks in advance