I've been having some trouble setting up the access to PI Vision using a public IP with a DNS Alias.
Essentially there is a DNS alias (let's call it "pivisionAlias") set up in Azure (CNAME) mapping to a canonical name, which points to a static public IP (A record). Within the intranet, the DNS alias resolves to the local IP of the PI Vision and PI Web API machine. Outside the intranet, over the internet, the same alias resolves to the static public IP.
Everything is working just fine within the intranet. PI Vision (including XY Plots), PI Web API, all fully working. However, over the internet there's a few problems. Here's the scenario:
Within the VPN:
1. We log into vision or pi web api using https://pivisionAlias/pivision and https://pivisionAlias/piwebapi
2. The displays links and the pi web api streams keep the same host: https://pivisionAlias/pivision/... and https://pivisionAlias/piwebapi/assetservers
Accessing externally, over the internet:
1. We log into vision or pi web api using https://pivisionAlias/pivision e https://pivisionAlias/piwebapi (same URL as within the intranet)
2. The displays links and the pi web api streams come with the explicit local IP instead of the alias: https://<Local_IP>/pivision/... and https://<Local_IP>/piwebapi/assetservers . The local IP is not accessible over the internet. If I change the local IP to the alias in any URL, it works.
If the applications responded with links using the DNS alias, the public access wouldn’t have any issues, I believe.
I managed to get that working in Vision (displays URLs in the home page now have the alias), by changing the Referrer-Policy from “no-referrer” to “same-origin” in Vision’s web.config (Reference about it: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
I also managed to change the referrer policy in pi web api, following the user guide, using attributes in AF configuration database. However, it didn’t solve the problem for pi web api. I still can log into pi web api using the alias, over the internet, but the links in the response are built with the local IP. Inspecting the requests in Chrome, looks like the referrer-policy was changed, but the links in PI Web API’s responses don’t seem to be related to that.
I've set up the DNS alias related configurations following this KB: https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB01691 . Both options in the step 3 have been tested (right now, we are using option 2), and both worked within the intranet, but with the same behavior over the internet.
The last information that I got was a response in a support case that I have opened with OSIsoft, saying that the resolution of the links in PI Web API is related to the reverse proxy that is in place, and that it would be possible to configure Azure’s firewall to reference to PI Web API the DNS alias, instead of the local IP.
I'm not sure exactly what to request the IT team or if there's any workaround to this issue.
I'm also curious to how PI Web API builds the links in the request response. Why is it using the same hostname as the requests from within the intranet and using the local IP for respond requests from the internet?
Any help is appreciated.