My organization has decided to utilize private endpoint on all of our PaaS services when possible, with the end goal of filtering traffic through our NGFWs. We currently have a ELB and ILB sandwich configured which is currently servicing our internal communication requirements, but are looking to expose our private linked Azure functions apps to the internet to service some public web clients. My understanding is that we would need a Azure Application Gateway in front of the NGFWs to service these requests and translate them to our internal function apps. I need to service these HTTPS requests as well as support legacy protocols including FTP, SFTP, etc into the Azure vNets. I am looking to see if my assumptions are correct, and if it is possible to have a Azure Application Gateway and a External Load balancer both sit in front of the NGFWs and service requests for both of these use cases. Thanks for any assistance!

@Chris Brien (CPower) , PLS can only be linked to a Standard Load balancer. You cannot link a PLS to an Application Gateway as of today. You can have NGFW as part of Load Balancer and Application gateway. But the Private Link traffic cannot be sent via Application gateway. That can only pass via Load Balancer. Hope this answers your question. Regards, Karthik Srinivas

Expose private link HTTPS and Non HTTPS ports from NGFW LB Sandwich

Accepted answer

msrini-MSFT 9,256 Reputation points Microsoft Employee

2022-01-12T12:14:35.59+00:00

@Chris Brien (CPower) ,

PLS can only be linked to a Standard Load balancer. You cannot link a PLS to an Application Gateway as of today.

You can have NGFW as part of Load Balancer and Application gateway. But the Private Link traffic cannot be sent via Application gateway. That can only pass via Load Balancer.

Hope this answers your question.

Regards,
Karthik Srinivas
Please sign in to rate this answer.

1 person found this answer helpful.
Chris Brien (CPower) 21 Reputation points

2022-01-12T14:32:04.957+00:00

Thank you for your response, I assume there is a way then through a Standard LB to present a PLS to the internet via a pubilic DNS record? My reading seemed to indicate that a AGW was needed to do this translation for PLS.

Thanks

msrini-MSFT 9,256 Reputation points Microsoft Employee

2022-01-12T17:11:12.67+00:00

Can you share me the doc you read that indicated that you need Application Gateway for translation of PLS ?

Chris Brien (CPower) 21 Reputation points

2022-01-12T18:18:37.567+00:00

Sorry Karthik, I may have confused all PLS with APIM. My particular use case is to expose a APIM instance to the internet from a LB sandwich. It seems like you would need to utilize an application gateway to do this in front of the NGFWs, or is it possible via a standard load balancer? https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

I assume this requirement would also hold true for PLS function apps, or web apps? Do you have any documentation that could explain how to expose a PLS with a SLB as you suggested?

Thanks

msrini-MSFT 9,256 Reputation points Microsoft Employee

2022-01-13T08:02:43.543+00:00

Doc: https://learn.microsoft.com/en-us/azure/private-link/create-private-link-service-portal

Chris Brien (CPower) 21 Reputation points

2022-01-13T14:29:35.19+00:00

This solution appears to facilitate local network access to a PLS, but would this solution also allow internet based access if a PIP was assigned to the SLB?

msrini-MSFT 9,256 Reputation points Microsoft Employee

2022-01-13T14:37:24.9+00:00

You can choose Public Load Balancer or Internal Load Balancer.
Sign in to comment

Expose private link HTTPS and Non HTTPS ports from NGFW LB Sandwich

0 additional answers