blog/secure-app-service-with-easy-auth-and-app-gateway-public/ #1032
Replies: 4 comments 3 replies
-
Want to join in the discussion? You can do that in two ways! You can either authorize the giscus app to post on your behalf using the GitHub OAuth flow. Alternatively, you can comment in GitHub Discussions directly if you'd prefer not to grant access to the giscus app. Please keep the discussion on topic with the post. |
Beta Was this translation helpful? Give feedback.
-
Hello Chris, thanks for this post, I had to fulfill the same requirements so I have read this post several times over the last few days :) Anyway I still have a question to this day regarding the Azure Managed certificates that we use to secure the traffic between Application Gateway and App Services. In the process described in this post, we first create a CNAME record when binding the App Service to the managed certificate, and later we replace this CNAME record by an A record pointing to the Application Gateway's public IP. Many thanks in advance and thanks again for sharing this post ;) |
Beta Was this translation helpful? Give feedback.
-
Hello, I use almost identical solution for my app services, but without easy auth. I don't like checking 401 as health check. I am monitoring detailed status of my /health endpoint for example for degraded state etc. This would not be possible with easy auth without anonymous login enabled. But on the other hand I like the concept of preauthentication. It would be nice to bypass auth for some urls like /heath. Do you think this is possible? I was not able to find a solution for this yet. |
Beta Was this translation helpful? Give feedback.
-
Awesome article. We have a similar setup, but we did extended things little bit further. For instance, we had to switch into "File-based configuration" of the EasyAuth module on the App Services we use as the backend of our Application Gateway, so that we could achieve two critical requirements: 1- Add "Exclusion Paths" for the App Services that we use as our backend, so that we could have an entrypoint for our real HealthCheck implementations, as well as some other "well-known" public files that should be exposed/served anonymously; 2- Set the "Forward Proxy" options of the "EasyAuth" module on all of our App Services. This is more than a requirement for us, since we have a lot of "path-based" rules at our Application Gateway, using a single custom domain name as the "public entrypoint", and they all point to multiple different App Services as backends, depending on the matching "path-based" rule. With a setup like this, we obviously couldn't add the Application Gateway's custom domain name into all of our App Services, as Azure wouldn't allow that. Only one App Service can have that custom domain name configured. So, to make it work properly without having to add that custom domain name into our App Services, we had to set the "forwardProxy" option to { "convention": "custom", "customHostHeaderName": "X-Original-Host" }. This way, the Application Gateway forwards the requests to App Services using their own "azurewebsites.net" domain name, but the "EasyAuth" module builds the redirection URIs used at the authentication flow using the hostname present at the "X-Original-Host" HTTP header, which is always injected and sent by the Application Gateway; |
Beta Was this translation helpful? Give feedback.
-
blog/secure-app-service-with-easy-auth-and-app-gateway-public/
Exploring Cloud concepts with Chris Reddington (Welsh Tech Geek, Cloud Advocate, Musical Theatre Enthusiast and Improving Improviser!). We will regularly invite guests to talk about their experiences with the cloud and hear about some of the lessons learned around their cloud journey. Cloud with Chris is a community-driven personal podcast. Content from episodes do not represent the views of any company or organisation.
https://www.cloudwithchris.com/blog/secure-app-service-with-easy-auth-and-app-gateway-public/
Beta Was this translation helpful? Give feedback.
All reactions