0 votes

I have configured an Application Gateway in front of multiple Azure Web App backend pools as per this article.

In addition to providing a WAF, I use the Application Gateway to offload the SSL connection to the backend pools. I have configured the backend pools to use the FQDN of the App Service instances as they're not currently deployed into a VNET.

Based on the following scenario:

Request to custom.com:443 ---> Application Gateway ---> custom.azurewebsites.net:80

My concern is that the connection from the Application Gateway to the Web App is unencrypted over port 80 and I haven't found anywhere that describes this connectivity as happening over the Azure backbone network. Is there any risk that this traffic could be sniffed and compromised?

1 Answer

0 votes

Spoke to Microsoft support who said the traffic from my Application Gateway to my Web App will stay on the Microsoft backbone.

He also pointed me to the following knowledge article, which states:

If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in.
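To see which gateway-to-backend hops are plain HTTP, as in the custom.azurewebsites.net:80 scenario in the question, the gateway configuration can be audited offline. This is an added example, not part of the original question or answer; it assumes the flattened JSON layout of `az network application-gateway show`, and the sample data, rule names and IDs are constructed placeholders.

```python
# Constructed sample: the subset of `az network application-gateway show` JSON
# used below (assumed flattened layout). IDs and names are placeholders.
_BASE = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/applicationGateways/<gw>"
SAMPLE_GATEWAY = {
    "backendAddressPools": [
        {"name": "pool-custom", "backendAddresses": [{"fqdn": "custom.azurewebsites.net"}]},
        {"name": "pool-other", "backendAddresses": [{"fqdn": "other.azurewebsites.net"}]},
    ],
    "backendHttpSettingsCollection": [
        {"name": "http-80", "protocol": "Http", "port": 80},
        {"name": "https-443", "protocol": "Https", "port": 443},
    ],
    "requestRoutingRules": [
        {"name": "rule-custom",
         "backendAddressPool": {"id": _BASE + "/backendAddressPools/pool-custom"},
         "backendHttpSettings": {"id": _BASE + "/backendHttpSettingsCollection/http-80"}},
        {"name": "rule-other",
         "backendAddressPool": {"id": _BASE + "/backendAddressPools/pool-other"},
         "backendHttpSettings": {"id": _BASE + "/backendHttpSettingsCollection/https-443"}},
        {"name": "rule-redirect"},  # redirect-only rule: no backend to check
    ],
}

def _ref_name(ref):
    """Return the last path segment of a sub-resource reference ({"id": ...})."""
    return ref["id"].rstrip("/").rsplit("/", 1)[-1]

def cleartext_hops(gateway):
    """List (rule, backend address, port) for every rule whose backend hop is HTTP."""
    pools = {p["name"]: [a.get("fqdn") or a.get("ipAddress")
                         for a in p.get("backendAddresses") or []]
             for p in gateway.get("backendAddressPools") or []}
    settings = {s["name"]: s for s in gateway.get("backendHttpSettingsCollection") or []}
    findings = []
    for rule in gateway.get("requestRoutingRules") or []:
        pool_ref, set_ref = rule.get("backendAddressPool"), rule.get("backendHttpSettings")
        if not pool_ref or not set_ref:
            continue  # nothing is forwarded to a backend by this rule
        setting = settings.get(_ref_name(set_ref))
        if setting and str(setting.get("protocol", "")).lower() == "http":
            for address in pools.get(_ref_name(pool_ref), []):
                findings.append((rule["name"], address, setting.get("port")))
    return findings

if __name__ == "__main__":
    for rule, address, port in cleartext_hops(SAMPLE_GATEWAY):
        print(f"{rule}: gateway -> {address}:{port} is unencrypted HTTP")
```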