Application Gateway
12 Topics

Internal API : Virtual Network support for Power Platform
Hello Everyone, We are using Custom Connectors from Power Automate Flows to initiate a call to the Internal API that is hosted in Azure through the MuleSoft Data Gateway. Since we are unable to activate the private endpoint for this internal API, we are seeking guidance on how to securely connect to the API via V-Net integration. Please advise. As per the Microsoft documentation: "Use custom connectors (preview) to securely connect to your services that are protected by private endpoints in Azure or services that are hosted within your private network." https://learn.microsoft.com/en-us/power-platform/admin/vnet-support-overview Thanks, -Sri
(315 views, 0 likes, 1 comment)

Issue with Azure VM Conditional Access for Office 365 and Dynamic Public IP Detection
Hi all, I have a VM in Azure where I need to allow an account with MFA to bypass the requirement on this specific server when using Office 365. I've tried to achieve this using Conditional Access by excluding locations, specifically the IP range of my Azure environment. Although I've disconnected any public IPs from this server, the Conditional Access policy still isn't working as intended. The issue seems to be that it continues to detect a public IP, which changes frequently, making it impossible to exclude. What am I doing wrong?
(1.3K views, 0 likes, 5 comments)

Confused about Azure WAF behavior with different browsers
Hello, I have an Azure Application Gateway (WAF) with prevention mode enabled and the OWASP 3 and Microsoft Bot rule sets active. I checked my web application with Chrome, refreshed, and sent many requests with Chrome. Now I receive 403 Forbidden. I checked the logs; the reason is:
requestUri_s: /auth/login
requestUri_s: /favicon.ico
Message: SQL Comment Sequence Detected.
But when I open my web application with Edge, it works well (same system and same IP).
1. What's the reason?
2. How do I fix it? If I disable this rule, there are risks. If I trust my IP, I can't check and QA my web app.
(416 views, 0 likes, 1 comment)

WordPress App: how to restrict access to specific pages on the site
Hello all, I have a WordPress App hosted on Azure and I am struggling with how I can secure specific pages from public access. For example: www.mysite.com/wp-admin, www.mysite.com/info.php. I'd like it so that only specific IP addresses or Microsoft user accounts can access some, such as admin pages, and for some pages I'd like no access at all, where it just blocks any sort of visit. I've viewed the documentation for Front Door and some networking restrictions, but that seems to be just IP addresses and I'm confused about how I can set those rules for specific pages within the App. I know WordPress offers plugins which have this sort of functionality, but I'd like to take advantage of Azure's security features rather than plugins from WordPress. Any help is very appreciated. Thank you
(449 views, 0 likes, 0 comments)

Load Balancer in front of Application Gateway, port steering
Hi, I have both HTTP(S) and non-HTTP(S) traffic going into a VM. I would like to have a WAF for the HTTP(S), so I have created an Application Gateway and connected it with the VM, which works well. However, I have non-HTTP(S) traffic as well going over different ports, which I would like to go straight to the VM. To split the traffic I have created a Load Balancer with the previously mentioned AppGw in its backend pool. I have configured the AppGw's private IP, a listener for it, backend settings, and a backend pool with the VM in it. Unfortunately, I am not able to connect to the VM using the Load Balancer public IP and HTTP. Is it possible to have an LB in front of the AppGw? If not, does anyone have an idea of how we can split the traffic while still having an AppGw just for HTTP(S)? Thanks!
(1.3K views, 0 likes, 4 comments)

Issue with VirtualNetwork service tag when using UDR for routing via Azure Firewall
Hi Experts, When I add a UDR on my Spoke Subnets to use Azure Firewall for default outbound (0.0.0.0/0 -> Azure Firewall IP), the VirtualNetwork service tag on the NSG attached to the Spoke Subnets gets the value 0.0.0.0/0. When I remove the UDR default outbound route, the VirtualNetwork service tag gets the vNet and peered vNet address space etc. Due to this, limiting network access at the NSG level on the Spoke Subnets is getting complex. For example, let's consider that I do not want to direct my S2S/P2S VPN traffic to Azure Firewall, and want to control which S2S IP addresses can access my Spoke Subnet using an NSG rule attached to my Spoke Subnet. This is getting complex as the default DenyAllInbound is no longer applicable, because AllowVnetInbound allows everything. In such scenarios, the network control at the NSG level auto-updates and becomes allowed for all (0.0.0.0/0 - 0.0.0.0/0 - All Protocols), and the concept of having default DenyAllInbound as the last rule fails. This could be a security risk: an engineer adds a UDR for 0.0.0.0/0 to Subnets and all the NSGs turn to Allow All (Everything). Related GitHub discussion: https://github.com/MicrosoftDocs/azure-docs/issues/22178 FYI, I just found a blog also reporting a similar challenge to the one I am facing: https://www.torivar.com/2019/01/16/azure-nsg-virtualnetwork-tag/
(1.3K views, 0 likes, 1 comment)

Application Gateway Backend Port Routing
Scenario: Set up App Gateway to allow traffic from several different alias URLs (appa.gateway.com / appb.gateway.com / appc.gateway.com); these will all point to the private IP front end over 443. That's easy enough to do. Based on those calls from each of the individual aliases, then route the traffic to a different PORT on a backend, which is all the same VM.
Use case:
Calls from appa.gateway.com should go to VM1 on port 44301
Calls from appb.gateway.com should go to VM1 on port 44302
Calls from appc.gateway.com should go to VM1 on port 44303
Is this possible using App Gateway? It's not possible to have the same backend VM, so I was thinking of having multiple NICs on the same VM that each backend would point to? Caveat... this is dev, so it's just one VM on the backend; when we get to QA / prod there will be several, so I'm thinking I will need a load balancer that the App Gateway points to.
(1.4K views, 0 likes, 1 comment)

Networking out of a private VNET in Azure to a third-party app such as a payment gateway?
I need to do networking so that my VNET in Azure connects to third-party applications such as payment gateways or messaging apps which are on the public internet. Please let me know the options and why we should prefer one over another.
(589 views, 0 likes, 0 comments)

Disabling TCP Timestamps on application gateways
Hello, We use Application Gateways for a number of apps. Our 3rd-party vulnerability scanner discovered that the AGW exposes the uptime of the system. Is there a way to disable this on the AGW? I found this post in UserVoice from 2017 where someone asked for the same option: https://feedback.azure.com/forums/217313-networking/suggestions/32683267-need-a-function-to-disable-the-timestamp-in-tcp-op. If it's not possible, it's not possible. I haven't found documentation on it, so my guess is there's currently no way to disable it. I get that this is low risk; I just need to do a little more digging before I write this one off as a known issue / accepted risk. Thank you
(2.3K views, 0 likes, 0 comments)