Hello @Jonah White ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you are trying to achieve multi-region load balancing for 2 private app services running in 2 different Azure regions with automatic failover mechanism in case one of the regions go down.
To begin with, Application Gateway is a regional service which allows you to distribute traffic within virtual networks across virtual machines (VMs) or zonal and zone-redundant service endpoints within a region.
Refer: https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview
Even though the Application gateway v2 SKU offers private connectivity from other virtual networks in other regions and subscriptions through the use of private endpoints, it will not support automatic failover or redundancy by itself. You will need to use Traffic Manager to distribute traffic across multiple application gateways in different datacenters.
Refer: https://learn.microsoft.com/en-us/azure/application-gateway/private-link
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#how-do-i-achieve-a-dr-scenario-across-datacenters-by-using-application-gateway
https://learn.microsoft.com/en-us/azure/architecture/high-availability/reference-architecture-traffic-manager-application-gateway
I contacted the Azure Application gateway Product Group team for your issue where one of the app services isn't accessible through the application gateway and below are their inputs:
Application Gateway is a regional service. If the customer is trying to build a DR solution to anticipate a region failure, they should provision a secondary Application Gateway in the DR region and front them with Traffic Manager to coordinate failover.
That being said, Application Gateway will initiate traffic to whatever backend target as long as the virtual network allows connectivity to it i.e., if the backend is a private endpoint that ultimately points to a resource in the same region or a different region, Application Gateway would try to initiate connections in both cases. If the backend is an App Service, AppGW will initiate connections to it, provided the App Service firewall allows it or NSG rules on the subnet allow it. If the backend is a VM, VMSS; same applies; check NSG / Route Table rules, and if connectivity is enabled, AppGW will initiate requests accordingly.
Coming back to your original goal, if DR is your objective, then Azure Front Door would be a better alternative option for your setup rather than using 2 Application gateways and 1 Traffic Manager. Front Door is a global service which allows to load balance between your different resources across regions.
Azure Front Door Premium supports Private link. Azure Front Door Premium can connect to your origin using Private Link.
Origin support for direct private endpoint connectivity is currently limited to:
- Storage (Azure Blobs)
- App Services
- Internal load balancers.
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/private-link
https://learn.microsoft.com/en-us/azure/frontdoor/create-front-door-portal
You can configure Azure Front Door Premium tier to connect to your App service privately using the Azure Private Link service.
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-web-app
Same can be replicated to connect to 2 different app services in 2 different regions.
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/private-link#association-of-a-private-endpoint-with-an-azure-front-door-profile
Azure Front Door uses domains to receive your application's traffic. You can configure a custom domain (your own domain name) in the Front Door if required.
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/domain
https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-add-custom-domain
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.