Application gateway backend targets

Question

Hi,

Hopefully someone can assist me with this question which I cannot find a solution for currently. I am configuring something like the following: https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app?tabs=customdomain%2Cazure-portal#add-app-service-as-backend-pool

I have an Application gateway which works perfectly fine when redirecting traffic through it and load balancing on the back end with virtual machines. It currently has a front end SSL certificate with custom domain name (this works).

However when I create a static web app and try and use this as a backend target it does not appear in the below "target" area no matter which settings I toggle (please note that the gateway is the correct V2 SKU).

I read that the app and gateway must be in the same region so moved the gateway to "West Europe" but still no luck. Also like the above guide I have tried configuring Azure DNS as well but this also does not cause the App service to appear.

Any thoughts or guidance would be well received.

Thanks,

Answer 1

@Eddie Vincent

Thank you for getting back.

Not sure if you tried the PowerShell method mentioned in my comment above or else tried adding the App service using its FQDN or its IP address. As documented here for App Gateway the backend pools can be across clusters, across datacenters, or outside Azure, as long as there's IP connectivity.If you are able to add the app service as backend pool member using its FQDN or its IP address then this is a Portal issue and as we were unable to reproduce the issue on our end, a support request will be required to resolve this issue. It will help if you could file support request for this issue and also share the browser trace with the support engineer to help troubleshoot this issue. Please let me know if you need any help in creating the support request.

If you are unable to add the app service as backend pool member using its FQDN or its IP address then please share the error observed as it will help further troubleshoot this issue.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Answer 2

Hi @ChaitanyaNaykodi-MSFT

Thanks for the response, I have tested this out and it has worked... kind of.

So when I PowerShell the process, in the portal it adds in the app however it doesn't show as an "App" but as a target IP/FQDN not App service. Please note again for the below point I am using a static web app.

If I add in (for example) a function app then it shows in the drop down (as below) so I am thinking that this option probably does not work for static web apps - however if you (or anyone) has been able to achieve this then I am all ears as to what the issue might be.

Additionally is there also a way to "mask" the FQDN of the web app behind the application gateway so that you cannot simply by-pass this and go directly to the app FQDN?

I presume I would need to use private link achieve this but again I am open to any other ideas if available.

Thanks,

Answer 3

Hi,

Just for reference regarding the secondary question above "masking the backend" (webapp) FQDN, I have been able to achieve this with a combination of the following 2 configuration steps:

Web application (Networking/Access restrictions): Disable this setting and disallow access from public networks

This setting disallows any access to the FQDN of the web application (Azure FQDN) from public networks.

Private endpoint:

A private endpoint connection from the web application to that linked to the Application gateway.

Most of these details can be found here: https://learn.microsoft.com/en-us/azure/app-service/overview-app-gateway-integration with network diagram below.

As per the above guide this blocks any access to the web application with a 403 forbidden allowing access via the FQDN linked to the front end of the application gateway.

Happy to close this string/post as the issue is now resolved.