To achieve your scenario, you can use Azure Private Link or Azure Private Endpoint, along with Azure Application Gateway, to create a secure and private connection between your frontend web app and the backend web apps.
Here's a high-level overview of the steps to follow:
- Set up Azure Private Link or Private Endpoint for your backend web apps:
  - In each backend web app, create a Private Endpoint in the same virtual network as your frontend web app.
  - The Private Endpoint will establish a private IP address for each backend web app within the virtual network.
- Restrict access to your backend web apps:
  - In each backend web app, configure the Access Restrictions to allow traffic only from your virtual network.
  - You can add the frontend web app's outbound IP addresses to the allowed list as well, to ensure it can access the backend web apps.
- Set up Azure Application Gateway with a Web Application Firewall (WAF) for your frontend web app:
  - Create an Azure Application Gateway instance in the same virtual network as your frontend and backend web apps.
  - Configure the Application Gateway to use the private IP addresses of your backend web apps as the backend pool.
  - Set up the frontend listener and the routing rules to forward traffic to the appropriate backend web app based on the request.
  - Enable the WAF to protect your frontend web app against common web vulnerabilities.
- Update your DNS settings:
  - Configure your custom domain to point to the public IP address of the Azure Application Gateway.
  - Update the DNS settings of your backend web apps to use their private IP addresses.
- Test your setup:
  - Verify that your frontend web app can access the backend web apps using their private IP addresses.
  - Ensure that the backend web apps are not accessible from the public internet.
By following these steps, you will create a secure and private connection between your frontend web app and your backend web apps, allowing only the frontend web app to access the backend web apps.
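The steps above as Azure CLI commands, as an added example that is not part of the original answer. The resource group, VNet, subnet, app and policy names, the subscription id and the private endpoint IPs are all assumptions chosen for illustration; the custom-domain record that points at the gateway's public IP (step 4) is left to whichever DNS provider hosts that domain. The script defaults to a dry run that prints each command, so it can be reviewed before being executed with `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer. Resource names, subnets,
# hostnames and the subscription id below are assumptions for illustration.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-rg-private-apps}"
VNET="${VNET:-vnet-apps}"
PE_SUBNET="${PE_SUBNET:-snet-endpoints}"   # private endpoint NICs live here
INT_SUBNET="${INT_SUBNET:-snet-frontend}"  # frontend web app's VNet integration subnet
GW_SUBNET="${GW_SUBNET:-snet-appgw}"       # dedicated subnet for Application Gateway
FRONTEND_APP="${FRONTEND_APP:-web-frontend}"
BACKEND_APPS="${BACKEND_APPS:-api-orders api-customers}"
DNS_ZONE="privatelink.azurewebsites.net"   # zone App Service private endpoints use

# DRY_RUN=1 (the default) prints each command instead of executing it, so the
# plan can be reviewed, or run where the az CLI is not installed.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    out="$(printf '%s ' "$@")"; printf '%s\n' "${out% }"
  else
    "$@"
  fi
}

# Step 1: one private endpoint per backend app, registered in a private DNS zone
# so that <app>.azurewebsites.net resolves to the private IP inside the VNet.
setup_private_dns() {
  run az network private-dns zone create -g "$RG" -n "$DNS_ZONE"
  run az network private-dns link vnet create -g "$RG" --zone-name "$DNS_ZONE" \
    -n "link-$VNET" --virtual-network "$VNET" --registration-enabled false
}
create_private_endpoint() {
  app="$1"
  app_id="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.Web/sites/$app"
  run az network private-endpoint create -g "$RG" -n "pe-$app" --vnet-name "$VNET" \
    --subnet "$PE_SUBNET" --private-connection-resource-id "$app_id" \
    --group-id sites --connection-name "conn-$app"
  run az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "pe-$app" \
    -n default --private-dns-zone "$DNS_ZONE" --zone-name sites
}

# Step 2: access restrictions. The first Allow rule switches the app to deny
# everything not explicitly allowed; the SCM (Kudu) site gets the same rules.
restrict_backend() {
  app="$1"
  run az webapp config access-restriction add -g "$RG" -n "$app" --priority 100 \
    --rule-name allow-frontend-subnet --action Allow --vnet-name "$VNET" --subnet "$INT_SUBNET"
  run az webapp config access-restriction set -g "$RG" -n "$app" \
    --use-same-restrictions-for-scm-site true
}
# The frontend app must be integrated into the VNet for its outbound calls to
# reach the private endpoints (assumed here: regional VNet integration).
integrate_frontend() {
  run az webapp vnet-integration add -g "$RG" -n "$FRONTEND_APP" --vnet "$VNET" --subnet "$INT_SUBNET"
}

# Step 3: Application Gateway (WAF_v2) whose backend pool holds the private IPs.
# App Service routes on the Host header, so the backend host name is overridden.
create_app_gateway() {  # args: private IPs of the backend endpoints
  run az network public-ip create -g "$RG" -n pip-appgw --sku Standard --allocation-method Static
  run az network application-gateway waf-policy create -g "$RG" -n wafpol-frontend \
    --type OWASP --version 3.2
  run az network application-gateway create -g "$RG" -n agw-frontend --sku WAF_v2 --capacity 2 \
    --vnet-name "$VNET" --subnet "$GW_SUBNET" --public-ip-address pip-appgw \
    --waf-policy wafpol-frontend --priority 100 \
    --http-settings-protocol Https --http-settings-port 443 --servers "$@"
  first_app="${BACKEND_APPS%% *}"
  run az network application-gateway http-settings update -g "$RG" --gateway-name agw-frontend \
    -n appGatewayBackendHttpSettings --host-name "$first_app.azurewebsites.net"
}

# Step 5: from inside the VNet the backend must resolve to a private address;
# from the public internet App Service must answer 403 (access restriction).
verify_backend() {
  app="$1"
  run nslookup "$app.azurewebsites.net"
  run curl -s -o /dev/null -w '%{http_code}\n' "https://$app.azurewebsites.net/"
}

setup_private_dns
for app in $BACKEND_APPS; do
  create_private_endpoint "$app"
  restrict_backend "$app"
done
integrate_frontend
create_app_gateway 10.0.1.4 10.0.1.5   # assumed private endpoint IPs
for app in $BACKEND_APPS; do verify_backend "$app"; done
```

With two backend apps in one pool, the single host-name override above suits a gateway that fronts one app; routing "to the appropriate backend web app based on the request" means one address pool, HTTP setting and path- or host-based rule per app, created with the corresponding `az network application-gateway address-pool`, `http-settings` and `rule` subcommands.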