问题
I've been working with an Azure support engineer to try and figure this out, and he has not been able to determine the issue, so I'm hoping someone here has run into this scenario:
We have set up our first Azure Front Door - the configuration at this stage is very simple - the backend pool consists of just one of our web apps (an Azure App Service), and one route which just forwards all requests from the front door URL to the web app URL.
The issue: every request we send provides a 403 forbidden error.
What I've done and determined:
The Azure web app has Network Security Restrictions in place to only allow certain IP addresses to access the URL. My IP address is part of the list, and if I access the web app URL directly, all works as expected. If I try to access the Front Door URL I get a 403 Forbidden error.
As a test, I set up a second Azure web app with no IP restrictions and added that to the backend pool of the Front Door. I can access that site through the Front Door with no issues. However, as soon as I add even one Allow entry to the Network Restrictions list (in this case, my IP address) I get the 403 error when going to the Front Door URL.
As another test, I then even added 0.0.0.0 to the IP Restriction List to Allow All - even with that, I still get a 403 error when trying to access the Front Door URL. In all test cases, I can access the web app URL directly without any error.
I also completely disabled the Front Door WAF just to ensure nothing in there was causing the 403 errors. Same thing - 403 no matter what when hitting the Front Door URL.
Finally - I do a Purge on the Front Door cache between every test just to make sure nothing is getting caught up there.
This seems like a possible bug with Front Door and web apps that have any entries in the IP restrictions? That would be very perplexing to me though as we can't be expected to leave our non-public-facing web app URL's wide open to the web without IP restrictions?? Has anyone experienced and resolved this?
EDIT 1: The Azure support engineer provided me with an IP address for the Front Door Service to add to the Allow List of the web app. I added, and still no luck - nothing but 403. It seems if there's anything at all in that Network Restrictions list, Front Door does not work as expected.
EDIT 2: Seems I had the Allow All entry incorrect - I had it set at 0.0.0.0/32. Once I changed it to 0.0.0.0/0, I can access the web app via the Front Door. So my initial assessment that ANY entries to the list at all including Allow All causes 403 errors was incorrect. The correct assessment is that any entries to the list other than 0.0.0.0 (even my own IP address) will cause a 403 error. So the main issue persists - how can we protect our web app with IP restrictions and still use Azure Front Door with it?
回答1:
Azure Frontdoor will act as a reverse proxy which means the POP servers IP all around the world needs to be whitlisted in your Web App Network restriction.
It is documented in the FAQ section here.
Since there are multiple POP servers you need to whitelist all the POP server's IP and then try to access to test.
Also can you share me the SR # so that I can take a look into the support ticket which you have raised.
来源:https://stackoverflow.com/questions/60994991/azure-front-door-403-forbidden-if-there-are-ip-allow-entries-in-the-web-app-ne