Restricting access between multi-tenant App Services with Service Endpoint and Access Restriction

The Requirement

Recently, one of my partners had the following requirement:

  • Three micro-services are deployed as App Service (Web App for Containers) within one App Service Plan.
  • They’d like to control the traffic so that App X can access App Y, but no other app (including App Z or external parties) can access App Y. Refer to the following diagram:

Figure 1. Access Requirement

  • They’d like to achieve this without App Service Environment.

The solution

This requirement can be achieved in 3 primary steps as can be seen in this diagram:

Figure 2. The solution

Step 1. Virtual Network and Service Endpoint

Create a Virtual Network and Subnet.

Create a Service Endpoint with the type Microsoft.Web, which indicates App Service (Web App).

Figure 3. Create a service endpoint in Virtual Network

Step 2. VNet Integration in “source” App Service

Use the VNet Integration feature in the source / origin App to integrate it with the virtual network.

To do that, in your source App Service (X in my diagram), navigate to Networking and click on “Click here to configure” in the VNet Integration section.

Figure 4. Configure VNet Integration in App Service

Click the “+ Add VNet” button and choose the respective Virtual Network and Subnet that you created earlier.

Figure 5. Choose your Virtual Network and Subnet in VNet Integration

Step 3. Access Restriction in the “target” App Service

Access Restriction is a feature in App Service that lets you allow or deny incoming traffic to your App Service.

The next step is to configure the Access Restriction in your target App Service (illustrated as App Y in my diagram).

To do that, go to your target App Service, click Networking, and choose Configure Access Restriction. We will be creating 2 rules:

  • The first one is to deny all traffic.

    Click on Add Rule, then name it “deny all traffic”, choose “Deny” in Action, leave the type as IPv4, and fill the IP Address Block with “0.0.0.0/0”. Finally click “Add rule”.

Figure 6. Configure Access Restriction to deny all traffic

  • The second rule is to ONLY allow the Virtual Network (with Service Endpoint enabled), which in turn allows the traffic from App X to flow in.

    Click on Add Rule, then name it “allow traffic from App X”, choose “Allow” in Action. Make sure that your priority number for this rule is set to a higher value than the “deny all”. This is to ensure that this rule overrides the “deny all” rule.

    Change the type to Virtual Network, then choose the respective Virtual Network and Subnet that you created in Step 1. Finally click “Add rule”.

Figure 7. Configure Access Restriction to allow traffic from a Virtual Network

All set now!

Testing against the setup

Let’s now perform some tests to ensure that it works as expected.

Test 1. Accessing App Y from your local browser.

This can be done easily by just browsing to App Y’s URL in your local browser. Here’s my result, which returns Error 403 — Forbidden.

Figure 8. Forbidden access to App Y from local browser

Test 2. Accessing App Y from App Z.

Let’s recall that App Z is deployed within the same App Service plan as App X and App Y. But our rule means that it’s restricted from accessing App Y.

To test it, let’s navigate to the App Service of App Z, then choose SSH, and click “Go ->”.

Figure 9. SSH into the App Z

Another browser tab will open with a web-based SSH terminal ready for your commands.

Type “curl https://[app-y].azurewebsites.net”. Remember to change [app-y] to your target app name.

As can be seen, I am also getting the Error 403 from curl, as in Test 1.

Figure 10. Accessing App X from App Z’s SSH

Test 3. Accessing App Y from App X.

Let’s recall that App X is the one for which we’ve configured Service Endpoint and VNet Integration, so we’d expect it to work.

Using the same technique as in Test 2, perform the same curl command from App X’s SSH session.

Tada! It works! (even though it just returns me a bunch of HTML tags, well that’s just what curl can do for you)

Figure 11. Successfully access App Y from App X
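
The three tests above can be turned into a repeatable check. The script below is an added example, not part of the original post; the function names are hypothetical. It treats only HTTP 403 as "blocked", so a timeout or DNS failure is not mistaken for the Access Restriction doing its job.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Run it from each vantage
# point used in Tests 1-3: local machine, App Z's SSH, App X's SSH.
# All function names are hypothetical.

# http_status URL: print the HTTP status code; curl prints 000 when no
# HTTP response arrived (DNS failure, TLS error, timeout).
http_status() {
  curl --silent --output /dev/null --max-time 10 \
       --write-out '%{http_code}' "$1" 2>/dev/null || true
}

# classify STATUS: map a status code to a verdict about the rules.
classify() {
  case "$1" in
    403)     echo blocked ;;       # the result seen in Tests 1 and 2
    2??|3??) echo allowed ;;       # the result seen in Test 3
    000|'')  echo unreachable ;;   # says nothing about the rules
    *)       echo inconclusive ;;  # other 4xx/5xx: investigate manually
  esac
}

# check_access EXPECTED URL: return 0 only if the verdict matches.
check_access() {
  ca_status=$(http_status "$2")
  ca_verdict=$(classify "$ca_status")
  printf '%s -> HTTP %s (%s), expected %s\n' \
    "$2" "${ca_status:-000}" "$ca_verdict" "$1"
  [ "$ca_verdict" = "$1" ]
}

# Run only when called with two arguments, e.g.
#   ./check.sh blocked https://[app-y].azurewebsites.net   # local, App Z
#   ./check.sh allowed https://[app-y].azurewebsites.net   # App X
if [ "$#" -eq 2 ]; then
  check_access "$1" "$2"
fi
```

A non-zero exit code from any vantage point means the observed behaviour differs from the expectation passed as the first argument.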

Conclusion

You’ve seen how I make use of Service Endpoint, VNet Integration, and Access Restriction to meet the requirement. This is a rather inexpensive way to achieve the goal. As you may have noticed, with Access Restriction the traffic is blocked at the web server level, not the network level.

Another (more powerful) alternative is to deploy the apps in App Service Environment, then make use of NSG rules to restrict the traffic at the network level. However, I reckon that it will be a more expensive (and complicated) setup.

You can find more details about App Service Networking features here.

I want to thank Stefan Schackow and Christina Compy for the tips on the solution.

Hope this post is useful for you!
