Hi @Jag Sandhu ,
You don't need the Premium v2 or higher SKU to get Regional VNet. It's available on Standard if your app service plan is on the newer scale unit; see Limitations for more details. If your plan is Standard and you don't see the option, create a Pv3 plan and scale it back down to Standard. With the regional VNet, you can restrict traffic so that your backend API only receives traffic from your front end. If all you have is a front end and backend app service within the same region, I would start there before considering adding AppGw with a WAF. I listed some additional docs:
- Tutorial: Authenticate users E2E - If you don't have anything set up yet, this is a great tutorial to start with. After completing this, just add both app services to the VNet and restrict traffic to the back end.
- Application Gateway Integration - After completing the tutorial above, and integrating your app services within a VNet, you can add Application Gateway if you choose and configure it to use service endpoints; no need to set up pools unless you intend to use different services.
- DDoS FAQ - If you haven't seen this yet, I encourage you to check it out. Azure services by default are protected by DDoS at an infrastructure level but not at an app service level. If you do have concerns about DDoS on your service, then adding a DDoS protection service to your AppGW and WAF is something to consider.
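
As an added illustration (not part of the original answer), the Bicep sketch below integrates the front end with a delegated subnet and adds an access restriction on the back end that allows only that subnet through a `Microsoft.Web` service endpoint. All resource names, address ranges and API versions are assumptions chosen for the example.

```bicep
// Added example: names, address ranges and API versions are assumptions.
param location string = resourceGroup().location
param planId string                              // existing App Service plan ID
param frontendName string = 'example-frontend'   // placeholder name
param backendName string = 'example-backend-api' // placeholder name

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'example-app-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'frontend-integration'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // Regional VNet integration needs a subnet delegated to App Service.
          delegations: [
            { name: 'appservice', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
          // The service endpoint lets the back end recognise this subnet as the source.
          serviceEndpoints: [ { service: 'Microsoft.Web' } ]
        }
      }
    ]
  }
}

// Front end: outbound calls leave through the integration subnet.
resource frontend 'Microsoft.Web/sites@2022-09-01' = {
  name: frontendName
  location: location
  properties: {
    serverFarmId: planId
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
  }
}

// Back end: once one Allow rule exists, all other sources are implicitly denied.
resource backend 'Microsoft.Web/sites@2022-09-01' = {
  name: backendName
  location: location
  properties: {
    serverFarmId: planId
    siteConfig: {
      ipSecurityRestrictions: [
        { name: 'allow-frontend-subnet', priority: 100, action: 'Allow', vnetSubnetResourceId: vnet.properties.subnets[0].id }
      ]
    }
  }
}
```

After deployment, a request to the back end from outside the subnet should return HTTP 403, which is a quick check that the restriction is in effect.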