2
votes

I'm trying to serve multiple Azure App Services behind an Application Gateway. These services should only be reachable through the application gateway endpoint. To achieve this, I've done the following:

  • Added a VNet
  • Added a subnet, and added all app services to it
  • Added an application gateway with appropriate rules for pointing to the app service
  • Added access restrictions to the app service to only allow the subnet of the application gateway, and the public IP of the application gateway

The health probe of the application gateway indicates the service is healthy (and thus reachable), but when I try to make a request to the service through the gateway using Postman, I get a 403 IP forbidden error. However, when I add my local IP as an allowed IP address to the app service, the request comes through just fine.

From what I've read online, adding the public IP of the gateway should be sufficient for allowing access through the gateway, but it seems that requests from my local machine are blocked. Am I getting something fundamentally wrong here?

Edit: I also tried assigning a front-end private IP address to the gateway and adding access for that in the app service, but that also did not work.

Edit 2: My configuration

Access restrictions for app service: (screenshot)

Backend pool: (screenshot)

HTTP settings: (screenshot)

Listener: (screenshot)

Rule: (screenshot)

1
Not exactly an answer, but try Azure Front Door; it is much easier and offers the same capabilities. - Thiago Custodio

1 Answer

0
votes

From your description "Added a subnet, and added all app services to it", I assume you mean integrating the app with an Azure VNet or enabling the Microsoft.Web service endpoint on the subnet. If so, you could remove them. Both are useless in this scenario.

To restrict the access through the gateway, you only need to add the frontend IP address to the Azure App Service access restrictions. For more details, you could refer to this blog https://www.cloudmanav.com/azure/restricting-appservice-accessible-via-appgateway/#

If you have an NSG associated with the subnets, you could follow the prerequisites here https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview#network-security-groups-on-the-application-gateway-subnet

Edit

You may have redirection configured on your app service, or have Azure Active Directory authentication enabled, which causes a redirection. When the redirection happens, the client makes the request directly to the app service URL path contoso.azurewebsites.net/xxx instead of going through the application gateway URL path contoso.com/xxx.

To fix it, you could use a custom domain name to pass the same host name that the application gateway receives to the app service as well, instead of doing a host override. Get more details about this solution here.
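The two points in this answer, the access-restriction evaluation that produces the 403 and the redirect that sends the client straight to the backend, can be checked offline with a small model. The following is an added example, not code from the answer or from Azure: it simplifies access restrictions to priority-ordered, first-match rules with an implicit deny once any rule exists, uses constructed placeholder IPs for the gateway frontend, gateway subnet and client, and reuses the contoso.com / contoso.azurewebsites.net host names from the answer.

```python
"""Offline model of App Service access restrictions plus a check for the
redirect symptom.  Added example; rule semantics are simplified and all IP
addresses below are constructed placeholders, not real Azure addresses."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    action: str     # "Allow" or "Deny"
    cidr: str       # source range, e.g. "20.1.2.3/32"


# Constructed sample values (assumptions, not taken from the page).
APPGW_FRONTEND_IP = "20.1.2.3"    # gateway frontend public IP seen by the app
APPGW_SUBNET = "10.0.1.0/24"      # gateway subnet
CLIENT_IP = "203.0.113.10"        # the Postman client (TEST-NET-3 range)

# The rule set the asker ends up with: allow the gateway, nothing else.
RULES: List[Rule] = [
    Rule("allow-appgw-frontend", 100, "Allow", f"{APPGW_FRONTEND_IP}/32"),
    Rule("allow-appgw-subnet", 200, "Allow", APPGW_SUBNET),
]


def evaluate(rules: List[Rule], source_ip: str) -> Tuple[str, str]:
    """Return (decision, matching rule name) for a request from source_ip.

    Rules are checked in priority order and the first match wins.  If no rule
    matches and at least one rule is configured, the implicit 'Deny all'
    applies, which is the 403 the asker sees when calling from a laptop.
    """
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if src in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action, rule.name
    if rules:
        return "Deny", "implicit-deny-all"
    return "Allow", "no-restrictions"


def check_redirect(gateway_host: str, backend_host: str,
                   status: int, headers: dict) -> Optional[str]:
    """Flag a 3xx whose Location points at the backend host.

    After such a redirect the browser's next request goes to
    backend_host directly, bypasses the gateway, and is denied by the
    access restrictions.  Returns a description of the problem or None.
    """
    if not 300 <= status < 400:
        return None
    location = headers.get("Location") or headers.get("location")
    if not location:
        return None
    target = urlsplit(location).hostname   # None for a relative Location
    if target and target.lower() == backend_host.lower():
        return (f"redirect leaks backend host {target}; the next client "
                f"request bypasses {gateway_host} and will be denied")
    return None


if __name__ == "__main__":
    for ip in (CLIENT_IP, APPGW_FRONTEND_IP, "10.0.1.7"):
        print(ip, "->", evaluate(RULES, ip))
    # Constructed response: the app redirected to its own default host name.
    problem = check_redirect("contoso.com", "contoso.azurewebsites.net", 302,
                             {"Location": "https://contoso.azurewebsites.net/login"})
    print(problem)
```

Run against a real deployment, the `check_redirect` half maps onto a plain HTTP client call with redirects disabled: request the gateway host name, then inspect the `Location` header of any 3xx before following it. A Location that names the azurewebsites.net host is the signature of the host-override problem the answer describes, and preserving the original host name on the HTTP settings is what makes the app emit gateway-relative redirects instead.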