How to monitor and audit App Service Configuration and File changes

Overview: The ability to track and audit changes to websites is a common requirement among enterprises. This audit trail helps to identify who made changes and when, whether accidentally or maliciously. When running an application on a local server there are many options to achieve this; however, when running in Azure App Service we must …

Troubleshooting App Service failed VNET integration and outbound connectivity issues

Overview: A significant part of a website’s functionality often involves outbound connectivity to dependencies like databases, APIs, etc. Azure App Services have default outbound connectivity to the public Internet using their pool of outbound IPs, and a capability to integrate with a VNET to achieve connectivity into a private network, including on-prem. Two options for …

Service Endpoints for Microsoft.Web: Secure access between App Gateway and Web Apps

A recent addition to Service Endpoints support is Microsoft.Web. Exactly as Service Endpoints for Azure Storage and Azure SQL allowed private access from a subnet to those PaaS services, Microsoft.Web Service Endpoints finally allows simple secure access to a backend App Service. There are two parts to this setup: Service Endpoints for Microsoft.Web must be …

“Use for App Service” and Application Gateway Unexpected Consequences: azurewebsites.net redirect URL, odd App Behavior, failed Authentication, and broken ARR Affinity

The default behavior for an Application Gateway with an App Service instance in the backend pool is that the Host header is overridden to match the Web App’s default hostname: *.azurewebsites.net. This is caused by the “Use for App Service” and “Pick host name from backend address” configuration options on the Application Gateway. These requests arrive …

App Service with Application Gateway v2: High Security in Azure PaaS

Azure App Services (Web Apps) are publicly exposed to the Internet by default, accessible with their *.azurewebsites.net URL. This means that anyone in the world can access your site simply by knowing its URL, including hackers and spammers. We can secure our site by using an Application Gateway as a frontend. Azure App Gateway is …

Connect between Apps in the same ASE: Adding internal CA certs to the trusted root store for Web Apps hosted in ASE

By default applications running in an App Service will only have the normal public CAs in the trusted root store. This means that SSL connections against endpoints with a privately issued certificate will fail as untrusted. One common error message in this scenario is “SSL Certificate problem: unable to get local issuer certificate”. A common …

Supporting IPv6 in Azure App Service using an Azure Front Door frontend

Many developers would like their website to have support for IPv6 connectivity. Unfortunately IPv6 is not yet widely supported for most Azure services, including App Service, which includes Web Apps/Function Apps/Bot Service/etc. The good news is that this is possible to achieve using Azure Front Door as a frontend, which does support IPv6. The Azure Front …