Implementing Azure Best practices for Azure Networking

Question

So I am trying to implement Azure best practices for Azure networking. We have two app services running in two different regions in Azure. The goal is to restrict public ips and replace them with private ips/endpoints. But every time we implement one remote endpoint on one app service, the other isn't accessible through the application gateway, and vice versa.

Image of what we're trying to achieve:

As one can see, we're trying to create a bit of redundancy so that if one app service goes down in the Eastern region, the other in the West US 2 region will still be able to support requests to our app services.

My question or requested guidance: What can I do to ensure that both app services can be accessed through one application gateway with one public ip that connects to two private endpoints to two different app services?

Answer 1

Hei @Jonah White

Thanks for reaching out.

As i understand, you are trying to create redundant solution with Azure Application Gateway as a public endpoint.

These endpoints will not be accessible directly and asi can see they have a private endpoint attached ot them.

This is a direct case for Azure front door.

I am not sure if you are aware about this product but this is essentially used for such cases.

Front door has WAF (web application firewall) and geo redundancy built in.

Probably more economical than Azure Application Gateway.

Front door solution for the issue you have: Front door solution

How to choose the correct load balancer solution: Load balancer choice map

Please "Mark it as answer" if it helped.

Answer 2

Hello @Jonah White ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are trying to achieve multi-region load balancing for 2 private app services running in 2 different Azure regions with automatic failover mechanism in case one of the regions go down.

To begin with, Application Gateway is a regional service which allows you to distribute traffic within virtual networks across virtual machines (VMs) or zonal and zone-redundant service endpoints within a region.

Refer: https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

Even though the Application gateway v2 SKU offers private connectivity from other virtual networks in other regions and subscriptions through the use of private endpoints, it will not support automatic failover or redundancy by itself. You will need to use Traffic Manager to distribute traffic across multiple application gateways in different datacenters.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/private-link

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#how-do-i-achieve-a-dr-scenario-across-datacenters-by-using-application-gateway

https://learn.microsoft.com/en-us/azure/architecture/high-availability/reference-architecture-traffic-manager-application-gateway

I contacted the Azure Application gateway Product Group team for your issue where one of the app services isn't accessible through the application gateway and below are their inputs:

Application Gateway is a regional service. If the customer is trying to build a DR solution to anticipate a region failure, they should provision a secondary Application Gateway in the DR region and front them with Traffic Manager to coordinate failover.

That being said, Application Gateway will initiate traffic to whatever backend target as long as the virtual network allows connectivity to it i.e., if the backend is a private endpoint that ultimately points to a resource in the same region or a different region, Application Gateway would try to initiate connections in both cases. If the backend is an App Service, AppGW will initiate connections to it, provided the App Service firewall allows it or NSG rules on the subnet allow it. If the backend is a VM, VMSS; same applies; check NSG / Route Table rules, and if connectivity is enabled, AppGW will initiate requests accordingly.

Coming back to your original goal, if DR is your objective, then Azure Front Door would be a better alternative option for your setup rather than using 2 Application gateways and 1 Traffic Manager. Front Door is a global service which allows to load balance between your different resources across regions.

Azure Front Door Premium supports Private link. Azure Front Door Premium can connect to your origin using Private Link. Origin support for direct private endpoint connectivity is currently limited to:

• Storage (Azure Blobs)
• App Services
• Internal load balancers.

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/private-link

https://learn.microsoft.com/en-us/azure/frontdoor/create-front-door-portal

You can configure Azure Front Door Premium tier to connect to your App service privately using the Azure Private Link service.

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-web-app

Same can be replicated to connect to 2 different app services in 2 different regions.

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/private-link#association-of-a-private-endpoint-with-an-azure-front-door-profile

Azure Front Door uses domains to receive your application's traffic. You can configure a custom domain (your own domain name) in the Front Door if required.

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/domain

https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-add-custom-domain

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.