Internal Web servers access from Internet

Jérôme 21 Reputation points


I deploy an architecture on Azure. I have a spoke VNet for the DMZ where I currently have 2 Web servers (, The spoke DMZ communicates, via a VNet peering, with our Hub where I deployed a firewall (Palo Alto VM-Series) and the Azure Application Gateway. The application gateway is configured with a public IP for the frontend. The backend is configured to forward traffic to the Palo Alto. In the public DNS, each entry ( and is registered with the public IP of the application gateway.

My objective is that when a user on the Internet enters or, the traffic will be sent to the correct Web server in our DMZ. What is your recommendation, and is it the correct approach to cover my needs?


Tags: Azure Firewall, Azure Application Gateway

Accepted answer
  1. KapilAnanth-MSFT 38,456 Reputation points Microsoft Employee

    Hi @Jérôme ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to host two applications behind a single App gateway.

    This is achievable by using Multisite Listeners.
    You have to create two Multisite HTTPS Listeners each with the respective FQDN and certificate.

    This document should help you set up the applications.
    Refer: Create and configure an application gateway to host multiple web sites using the Azure portal

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
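
The accepted answer's two multi-site HTTPS listeners, written out as a Bicep template. This is an added example, not code from the thread or from the linked Microsoft document; every name, address and hostname in it is an assumption (app1.contoso.com and app2.contoso.com stand in for the two DNS entries, 10.10.1.4 for the Palo Alto untrust interface). It also assumes one design choice the question leaves open: because the gateway's backend is the firewall and not the web servers, both applications land on the same backend IP, so each application is sent to a distinct backend port (8443 and 9443) and the Palo Alto DNAT policy is assumed to map each port to its web server.

```bicep
// Added example (not from the Q&A thread): Application Gateway v2 with two
// multi-site HTTPS listeners, each bound to its own hostname and certificate,
// each routed through its own backend setting to the hub firewall.
param location string = resourceGroup().location
param appGwName string = 'agw-hub'            // assumed name
param appGwSubnetId string                     // hub subnet dedicated to the gateway
param publicIpId string                        // existing public IP used in public DNS
param firewallUntrustIp string = '10.10.1.4'  // assumed Palo Alto untrust interface
param app1Fqdn string = 'app1.contoso.com'     // assumed hostnames
param app2Fqdn string = 'app2.contoso.com'
@secure()
param app1PfxBase64 string                     // PFX for app1Fqdn, base64-encoded
@secure()
param app1PfxPassword string
@secure()
param app2PfxBase64 string                     // PFX for app2Fqdn, base64-encoded
@secure()
param app2PfxPassword string
param backendCaCerBase64 string                // CA that issued the web servers' certs (base64 CER)

// Assumed port split: the Palo Alto DNAT policy maps firewallUntrustIp:8443
// to web server 1 and firewallUntrustIp:9443 to web server 2.
var app1BackendPort = 8443
var app2BackendPort = 9443

// Sub-resource ids of this gateway are built from its own resource id.
var gwId = resourceId('Microsoft.Network/applicationGateways', appGwName)

resource appGw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: appGwName
  location: location
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2' }
    autoscaleConfiguration: { minCapacity: 1, maxCapacity: 3 }
    // Predefined policy with TLS 1.2 minimum for the client-facing side.
    sslPolicy: { policyType: 'Predefined', policyName: 'AppGwSslPolicy20220101' }
    gatewayIPConfigurations: [
      { name: 'gwip', properties: { subnet: { id: appGwSubnetId } } }
    ]
    frontendIPConfigurations: [
      { name: 'fe-public', properties: { publicIPAddress: { id: publicIpId } } }
    ]
    frontendPorts: [
      { name: 'port-443', properties: { port: 443 } }
    ]
    // One certificate per hostname; the listener picks it by SNI.
    sslCertificates: [
      { name: 'cert-app1', properties: { data: app1PfxBase64, password: app1PfxPassword } }
      { name: 'cert-app2', properties: { data: app2PfxBase64, password: app2PfxPassword } }
    ]
    // Root CA the gateway trusts when re-encrypting toward the backend.
    trustedRootCertificates: [
      { name: 'backend-ca', properties: { data: backendCaCerBase64 } }
    ]
    // Single pool: both applications are reached through the firewall's IP.
    backendAddressPools: [
      { name: 'pool-firewall', properties: { backendAddresses: [ { ipAddress: firewallUntrustIp } ] } }
    ]
    // Custom probes so the health check carries the right Host/SNI and port.
    probes: [
      { name: 'probe-app1', properties: { protocol: 'Https', host: app1Fqdn, port: app1BackendPort, path: '/', interval: 30, timeout: 30, unhealthyThreshold: 3, pickHostNameFromBackendHttpSettings: false } }
      { name: 'probe-app2', properties: { protocol: 'Https', host: app2Fqdn, port: app2BackendPort, path: '/', interval: 30, timeout: 30, unhealthyThreshold: 3, pickHostNameFromBackendHttpSettings: false } }
    ]
    // Backend settings differ only in port, Host header and probe.
    backendHttpSettingsCollection: [
      { name: 'bhs-app1', properties: { port: app1BackendPort, protocol: 'Https', cookieBasedAffinity: 'Disabled', requestTimeout: 30, hostName: app1Fqdn, trustedRootCertificates: [ { id: '${gwId}/trustedRootCertificates/backend-ca' } ], probe: { id: '${gwId}/probes/probe-app1' } } }
      { name: 'bhs-app2', properties: { port: app2BackendPort, protocol: 'Https', cookieBasedAffinity: 'Disabled', requestTimeout: 30, hostName: app2Fqdn, trustedRootCertificates: [ { id: '${gwId}/trustedRootCertificates/backend-ca' } ], probe: { id: '${gwId}/probes/probe-app2' } } }
    ]
    // hostName + requireServerNameIndication make each listener multi-site.
    httpListeners: [
      { name: 'lsn-app1', properties: { frontendIPConfiguration: { id: '${gwId}/frontendIPConfigurations/fe-public' }, frontendPort: { id: '${gwId}/frontendPorts/port-443' }, protocol: 'Https', sslCertificate: { id: '${gwId}/sslCertificates/cert-app1' }, hostName: app1Fqdn, requireServerNameIndication: true } }
      { name: 'lsn-app2', properties: { frontendIPConfiguration: { id: '${gwId}/frontendIPConfigurations/fe-public' }, frontendPort: { id: '${gwId}/frontendPorts/port-443' }, protocol: 'Https', sslCertificate: { id: '${gwId}/sslCertificates/cert-app2' }, hostName: app2Fqdn, requireServerNameIndication: true } }
    ]
    // One rule per listener; the pair (listener, backend setting) is what
    // turns a hostname into a firewall port, and so into a web server.
    requestRoutingRules: [
      { name: 'rule-app1', properties: { ruleType: 'Basic', priority: 100, httpListener: { id: '${gwId}/httpListeners/lsn-app1' }, backendAddressPool: { id: '${gwId}/backendAddressPools/pool-firewall' }, backendHttpSettings: { id: '${gwId}/backendHttpSettingsCollection/bhs-app1' } } }
      { name: 'rule-app2', properties: { ruleType: 'Basic', priority: 110, httpListener: { id: '${gwId}/httpListeners/lsn-app2' }, backendAddressPool: { id: '${gwId}/backendAddressPools/pool-firewall' }, backendHttpSettings: { id: '${gwId}/backendHttpSettingsCollection/bhs-app2' } } }
    ]
  }
}
```

Deploy it with `az deployment group create -g <resource-group> -f appgw.bicep -p appGwSubnetId=... publicIpId=...` and the certificate parameters. Two things worth checking afterwards: `openssl s_client -connect <public-ip>:443 -servername app1.contoso.com` must return the app1 certificate, and the same command without `-servername` should be refused, because there is no basic listener to catch requests that carry no SNI. The port split is the price of putting the firewall, rather than the web servers, in the backend pool: the gateway cannot express "server 1" or "server 2" in any other way the firewall can match on, since a Palo Alto NAT rule keys on address and port, not on the HTTP Host header. If the firewall DNATs the flow, the web servers see the firewall's address as the source, and the client's address survives only in the X-Forwarded-For header the gateway adds.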

1 additional answer

Sort by: Most helpful
  1. Lynn Niu 236 Reputation points

    Sounds like you should put the firewall before the application gateway, then use multiple listeners to route traffic to the two web servers.
    Also, you should set a NAT policy in the firewall. The whole path should be:
    client -> firewall -> azure application gateway -> web server1
    client -> firewall -> azure application gateway -> web server2