How do I whitelist a single IP and restrict internet traffic to a web role in a Cloud Service (extended support)?

Adonis Briceno 51 Reputation points
2023-02-17T11:52:59.2+00:00

I'm migrating an old classic web role cloud service serving as an API to the new Cloud Services (extended support) (CSES).

We want to put this migrated service CSES behind our current Application gateway (APGW)/Firewall policies (WAF).

I'm thinking of redeploying the classic service as a CSES, but the part that we are trying to figure out is the routing of the traffic.

We have our APGW/WAF and its associated public IP in a separate subscription from where we have our cloud services. As the CSES (which also needs its own dedicated public IP) will be in a different subscription, I will route the traffic from our IP-APGW-WAF to the CSES-IP, but then the CSES must only allow traffic from this single IP. How can this be achieved? Blocking internet traffic to the CSES and only whitelisting the APGW IP? A network security group?

Public-IP -> APGW/WAF -> CSES-IP -> CSES


Accepted answer
    GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-02-20T20:02:01.8366667+00:00

    Hello @Adonis Briceno ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to put your migrated Cloud Service (extended support) behind your current Application gateway and want to block internet traffic to the CSES and only whitelist the Application gateway IP for inbound connectivity.

    As mentioned in the How an application gateway routes a request doc,

    If the backend pool:

    • Is a public endpoint, the application gateway uses its frontend public IP to reach the server.
    • Contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses.
    • Contains an external endpoint or an externally resolvable FQDN, the application gateway routes the request to the backend server by using its frontend public IP address.

    Application gateway allows public IP addresses as backend pool.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-components#backend-pools

    In your case, if the CSES has a dedicated Public IP and you configure the backend pool of your Application gateway with this Public IP, then, yes, you can whitelist the Application gateway IP using NSG on the CSES and block all other traffic.

    So, the NSG on your CSES should contain the below rules:

    • allow traffic from Application gateway Public IP on the configured listener port.
    • allow any traffic from AzureLoadBalancer service tag (needed for probes).
    • allow RDP traffic from specific IP (if required).
    • deny all Internet traffic.

    Refer to the below doc to see how an NSG is configured for Azure Cloud Services (extended support):

    https://learn.microsoft.com/en-us/troubleshoot/azure/cloud-services/intermittent-connection-failures-rdp#solution

    Additional Info:

    Load balancers, network security groups and route tables need to live in the same region, resource group & virtual network as the Cloud Services (extended support).

    Refer: https://learn.microsoft.com/en-us/azure/cloud-services-extended-support/faq#resources

    Application Gateway is not supported for in-place migration. You need to remove the Application Gateway before beginning migration and then recreate the Application Gateway once migration is completed to Azure Resource Manager.

    Refer: https://learn.microsoft.com/en-us/azure/cloud-services-extended-support/in-place-migration-technical-details#resources-and-features-not-available-for-migration

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

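The rule set from the accepted answer, as an added example that is not part of the answer or of any Microsoft sample: Azure CLI commands that create the NSG, add the four inbound rules and bind the NSG to the web role's subnet. Resource names, the gateway public IP (203.0.113.10), the listener port and the management host are placeholders; the NSG must sit in the same region, resource group and VNet as the CSES, as the answer notes. Because the gateway reaches a public backend from its frontend public IP (the routing doc quoted above), that frontend IP, not the gateway's instance private IPs, is what the allow rule must name.

```shell
#!/bin/sh
# Added example (not from the original answer): the NSG rule set described above,
# expressed as Azure CLI commands. Resource names, IPs and ports are placeholders.
set -eu

RG="${RG:-rg-cses-api}"                       # resource group of the CSES (hypothetical)
LOCATION="${LOCATION:-westeurope}"            # must be the CSES region (hypothetical)
VNET="${VNET:-vnet-cses}"                     # the CSES VNet (hypothetical)
SUBNET="${SUBNET:-snet-webrole}"              # subnet the web role instances use (hypothetical)
NSG="${NSG:-nsg-cses-api}"
APGW_IP="${APGW_IP:-203.0.113.10}"            # Application Gateway frontend public IP (placeholder)
LISTENER_PORT="${LISTENER_PORT:-443}"         # backend port in the gateway's HTTP settings
RDP_ADMIN_IP="${RDP_ADMIN_IP:-198.51.100.7}"  # management host allowed RDP (placeholder)
DRY_RUN="${DRY_RUN:-0}"                       # DRY_RUN=1 prints commands instead of running them

# run: execute a command, or print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# nsg_rules: create the NSG, its four inbound rules and bind it to the CSES subnet.
# Lower priority number is evaluated first, so the explicit allows (100-120) sit
# ahead of the deny (4096), which in turn is ahead of the platform defaults (65000+).
nsg_rules() {
  run az network nsg create -g "$RG" -n "$NSG" -l "$LOCATION"

  # 1. only the gateway's public IP may reach the listener port
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowAppGwInbound \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$APGW_IP/32" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges "$LISTENER_PORT"

  # 2. health probes from the Azure load balancer (service tag, not an IP you maintain)
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowAzureLBProbes \
    --priority 110 --direction Inbound --access Allow --protocol '*' \
    --source-address-prefixes AzureLoadBalancer --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*'

  # 3. optional RDP from one management host only
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowRdpFromAdmin \
    --priority 120 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$RDP_ADMIN_IP/32" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges 3389

  # 4. everything else arriving from the Internet is dropped
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n DenyInternetInbound \
    --priority 4096 --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes Internet --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges '*'

  # the rules do nothing until the NSG is associated with the role's subnet
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --network-security-group "$NSG"
}

# show_rules: list what actually landed, in the order the platform evaluates it
show_rules() {
  run az network nsg rule list -g "$RG" --nsg-name "$NSG" -o table \
    --query "sort_by([].{Name:name,Prio:priority,Src:sourceAddressPrefix,Dst:destinationPortRange,Access:access}, &Prio)"
}

case "${1:-}" in
  apply) nsg_rules; show_rules ;;
  show)  show_rules ;;
esac
```

`DRY_RUN=1 sh nsg-cses.sh apply` prints the commands for review; without `DRY_RUN` they run against the subscription the CLI is logged into. Two checks before relying on the rule set: the gateway's public IP must be static so the /32 does not drift (the v2 SKU requires a Standard static public IP), and the `show` output should be compared with the live rules after any later change, since an allow added with a lower priority number than 4096 but a broader source than intended silently reopens the role to the Internet.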

0 additional answers
