Share via

Implementing Azure Best practices for Azure Networking

Jonah White 20 Reputation points
May 9, 2023, 4:15 PM

So I am trying to implement Azure best practices for Azure networking. We have two app services running in two different regions in Azure. The goal is to restrict public ips and replace them with private ips/endpoints. But every time we implement one remote endpoint on one app service, the other isn't accessible through the application gateway, and vice versa.

Image of what we're trying to achieve:

User's image

As one can see, we're trying to create a bit of redundancy so that if one app service goes down in the Eastern region, the other in the West US 2 region will still be able to support requests to our app services.

My question or requested guidance: What can I do to ensure that both app services can be accessed through one application gateway with one public ip that connects to two private endpoints to two different app services?

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,554 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,090 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,052 questions
{count} votes

2 answers

Sort by: Most helpful
  1. dashanan13 930 Reputation points
    May 10, 2023, 12:34 PM

    Hei @Jonah White

    Thanks for reaching out.

    As i understand, you are trying to create redundant solution with Azure Application Gateway as a public endpoint.

    These endpoints will not be accessible directly and asi can see they have a private endpoint attached ot them.

    This is a direct case for Azure front door.

    I am not sure if you are aware about this product but this is essentially used for such cases.

    Front door has WAF (web application firewall) and geo redundancy built in.

    Probably more economical than Azure Application Gateway.

    Front door solution for the issue you have: Front door solution

    How to choose the correct load balancer solution: Load balancer choice map

    Please "Mark it as answer" if it helped.

    enter image description here

    0 comments No comments

  2. GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee
    May 12, 2023, 11:16 AM

    Hello @Jonah White ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are trying to achieve multi-region load balancing for 2 private app services running in 2 different Azure regions with automatic failover mechanism in case one of the regions go down.

    To begin with, Application Gateway is a regional service which allows you to distribute traffic within virtual networks across virtual machines (VMs) or zonal and zone-redundant service endpoints within a region.

    Refer: https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

    Even though the Application gateway v2 SKU offers private connectivity from other virtual networks in other regions and subscriptions through the use of private endpoints, it will not support automatic failover or redundancy by itself. You will need to use Traffic Manager to distribute traffic across multiple application gateways in different datacenters.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/private-link

    https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#how-do-i-achieve-a-dr-scenario-across-datacenters-by-using-application-gateway

    https://learn.microsoft.com/en-us/azure/architecture/high-availability/reference-architecture-traffic-manager-application-gateway

    I contacted the Azure Application gateway Product Group team for your issue where one of the app services isn't accessible through the application gateway and below are their inputs:

    Application Gateway is a regional service. If the customer is trying to build a DR solution to anticipate a region failure, they should provision a secondary Application Gateway in the DR region and front them with Traffic Manager to coordinate failover.

    That being said, Application Gateway will initiate traffic to whatever backend target as long as the virtual network allows connectivity to it i.e., if the backend is a private endpoint that ultimately points to a resource in the same region or a different region, Application Gateway would try to initiate connections in both cases. If the backend is an App Service, AppGW will initiate connections to it, provided the App Service firewall allows it or NSG rules on the subnet allow it. If the backend is a VM, VMSS; same applies; check NSG / Route Table rules, and if connectivity is enabled, AppGW will initiate requests accordingly.

    Coming back to your original goal, if DR is your objective, then Azure Front Door would be a better alternative option for your setup rather than using 2 Application gateways and 1 Traffic Manager. Front Door is a global service which allows to load balance between your different resources across regions.

    Azure Front Door Premium supports Private link. Azure Front Door Premium can connect to your origin using Private Link. Origin support for direct private endpoint connectivity is currently limited to:

    • Storage (Azure Blobs)
    • App Services
    • Internal load balancers.

    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/private-link

    https://learn.microsoft.com/en-us/azure/frontdoor/create-front-door-portal

    You can configure Azure Front Door Premium tier to connect to your App service privately using the Azure Private Link service.

    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-web-app

    Same can be replicated to connect to 2 different app services in 2 different regions.

    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/private-link#association-of-a-private-endpoint-with-an-azure-front-door-profile

    Azure Front Door uses domains to receive your application's traffic. You can configure a custom domain (your own domain name) in the Front Door if required.

    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/domain

    https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-add-custom-domain

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.