Application gateway backend targets

Eddie Vincent 0 Reputation points
2024-04-30T14:56:52.0233333+00:00

Hi,

Hopefully someone can assist me with this question which I cannot find a solution for currently. I am configuring something like the following: https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app?tabs=customdomain%2Cazure-portal#add-app-service-as-backend-pool

I have an Application gateway which works perfectly fine when redirecting traffic through it and load balancing on the back end with virtual machines. It currently has a front end SSL certificate with custom domain name (this works).

However when I create a static web app and try and use this as a backend target it does not appear in the below "target" area no matter which settings I toggle (please note that the gateway is the correct V2 SKU).


I read that the app and gateway must be in the same region so moved the gateway to "West Europe" but still no luck. Also like the above guide I have tried configuring Azure DNS as well but this also does not cause the App service to appear.

Any thoughts or guidance would be well received.

Thanks,


3 answers

  1. ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
    2024-05-04T00:13:16.05+00:00

    @Eddie Vincent

    Thank you for getting back.

    Not sure if you tried the PowerShell method mentioned in my comment above or else tried adding the App service using its FQDN or its IP address. As documented here, for App Gateway the backend pools can be across clusters, across datacenters, or outside Azure, as long as there's IP connectivity. If you are able to add the app service as a backend pool member using its FQDN or its IP address, then this is a Portal issue and, as we were unable to reproduce the issue on our end, a support request will be required to resolve this issue. It will help if you could file a support request for this issue and also share the browser trace with the support engineer to help troubleshoot this issue. Please let me know if you need any help in creating the support request.

    If you are unable to add the app service as backend pool member using its FQDN or its IP address then please share the error observed as it will help further troubleshoot this issue.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

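One way to add the backend by FQDN with Az PowerShell, as suggested in the answer above. This is an added example, not code posted in the thread; every resource name and the FQDN are placeholders, and the host-name override on the HTTP setting is an assumption based on the default-domain approach for hostname-routed backends.

```powershell
# Added example: all names below are hypothetical placeholders.
$rg      = 'rg-example'                        # resource group of the gateway
$gwName  = 'appgw-example'                     # Application Gateway (v2 SKU)
$pool    = 'pool-swa'                          # backend pool to create or update
$setting = 'https-setting-swa'                 # backend HTTP setting to create
$fqdn    = 'example-app.azurestaticapps.net'   # backend default FQDN (placeholder)

$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $gwName

# Create the pool with the FQDN as its only member, or update it if it exists.
if ($gw.BackendAddressPools.Name -contains $pool) {
    $gw = Set-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw `
            -Name $pool -BackendFqdns $fqdn
} else {
    $gw = Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw `
            -Name $pool -BackendFqdns $fqdn
}

# Assumption: the backend routes on its own host name, so the gateway must
# send that name as the Host header and as SNI instead of the front-end name.
if ($gw.BackendHttpSettingsCollection.Name -notcontains $setting) {
    $gw = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw `
            -Name $setting -Port 443 -Protocol Https `
            -CookieBasedAffinity Disabled -RequestTimeout 30 `
            -PickHostNameFromBackendAddress
}

# Nothing is changed in Azure until the modified object is written back.
$null = Set-AzApplicationGateway -ApplicationGateway $gw

# Confirm the gateway can reach the new member (probe result per server).
$health = Get-AzApplicationGatewayBackendHealth -ResourceGroupName $rg -Name $gwName
$health.BackendAddressPools.BackendHttpSettingsCollection.Servers |
    Select-Object Address, Health
```

An existing routing rule still has to reference the new pool and HTTP setting before traffic reaches the backend. A pool member added this way is listed in the portal as an IP address/FQDN target.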

  2. Eddie Vincent 0 Reputation points
    2024-05-14T10:51:46.3133333+00:00

    Hi @ChaitanyaNaykodi-MSFT

    Thanks for the response, I have tested this out and it has worked... kind of.

    So when I PowerShell the process, in the portal it adds in the app however it doesn't show as an "App" but as a target IP/FQDN not App service. Please note again for the below point I am using a static web app.

    If I add in (for example) a function app then it shows in the drop down (as below) so I am thinking that this option probably does not work for static web apps - however if you (or anyone) has been able to achieve this then I am all ears as to what the issue might be.


    Additionally is there also a way to "mask" the FQDN of the web app behind the application gateway so that you cannot simply bypass this and go directly to the app FQDN?

    I presume I would need to use private link to achieve this but again I am open to any other ideas if available.

    Thanks,


  3. Eddie Vincent 0 Reputation points
    2024-06-11T07:57:40.64+00:00

    Hi,

    Just for reference regarding the secondary question above "masking the backend" (webapp) FQDN, I have been able to achieve this with a combination of the following 2 configuration steps:

    Web application (Networking/Access restrictions): Disable this setting and disallow access from public networks.

    This setting disallows any access to the FQDN of the web application (Azure FQDN) from public networks.

    Private endpoint:

    A private endpoint connection from the web application to that linked to the Application gateway.


    Most of these details can be found here: https://learn.microsoft.com/en-us/azure/app-service/overview-app-gateway-integration with network diagram below.


    As per the above guide this blocks any access to the web application with a 403 forbidden, allowing access via the FQDN linked to the front end of the application gateway.


    Happy to close this string/post as the issue is now resolved.

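A check for the lockdown described in the last answer, to be run from a machine on the public internet outside the gateway's virtual network. This is an added example, not part of the thread; both host names are placeholders, the expected 200 from the gateway is an assumption about the site, and `-SkipHttpErrorCheck` requires PowerShell 7 or later.

```powershell
# Added example: replace the placeholder host names with your own.
$checks = @(
    @{ Name = 'direct backend FQDN'; Url = 'https://example-app.azurewebsites.net/'; Expect = 403 }
    @{ Name = 'gateway front end';   Url = 'https://www.example.com/';               Expect = 200 }
)

$results = foreach ($c in $checks) {
    try {
        # -SkipHttpErrorCheck returns 4xx/5xx responses instead of throwing,
        # so the 403 from the locked-down backend can be read as a status code.
        $r = Invoke-WebRequest -Uri $c.Url -Method Get -TimeoutSec 15 -SkipHttpErrorCheck
        $status = [int]$r.StatusCode
    } catch {
        # DNS failure, TLS failure or timeout: record as 0 (no HTTP response).
        $status = 0
    }
    [pscustomobject]@{
        Check    = $c.Name
        Url      = $c.Url
        Expected = $c.Expect
        Actual   = $status
        Pass     = ($status -eq $c.Expect)
    }
}

$results | Format-Table -AutoSize

# Fail loudly if the backend is still reachable directly or the gateway is not.
if ($results.Pass -contains $false) {
    Write-Error 'Backend lockdown check failed: see the Actual column above.'
    exit 1
}
```

Running this after every networking change catches a backend that has become publicly reachable again.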
