Welcome to the Microsoft Q&A forum.
I think the best way to implement the required restriction will be to:
- Use Custom rules for Web Application Firewall v2 to apply the IP restriction. You can refer to this example here and use WAF custom rules to allow certain IP addresses to communicate with the Application Gateway.
- Configure per-site WAF policies to apply WAF policies to individual listeners to allow for site-specific WAF configuration. As you need the IP restrictions above for pod1 and pod2 only, you can implement a separate WAF policy which will contain the custom rule above to apply the restrictions. For pod3, you can have a different WAF policy to allow communication as per your requirements.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
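The restricted policy described in the answer above could look like the following Bicep sketch. This is an added example, not part of the original answer or Microsoft's sample; the policy name, CIDR value, API version, rule set version, and the assumption that pod1, pod2 and pod3 each sit behind their own listener are all placeholders to adapt.

```bicep
// Added example: names, the CIDR value and the API version are assumptions.
// Assumes pod1, pod2 and pod3 are each published through a separate listener.
param location string = resourceGroup().location
param allowedCidrs array = [
  '203.0.113.0/24' // constructed sample range, replace with the real allow list
]
// Policy for the pod1 and pod2 listeners: block any source IP NOT in allowedCidrs.
resource wafRestricted 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-04-01' = {
  name: 'waf-pod1-pod2'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention' // in Detection mode the Block action is only logged
    }
    customRules: [
      {
        name: 'BlockUnlistedSourceIPs'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              {
                variableName: 'RemoteAddr'
              }
            ]
            operator: 'IPMatch'
            negationConditon: true // spelled this way in the resource schema
            matchValues: allowedCidrs
          }
        ]
      }
    ]
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}
// Per-site association, set on each listener inside the Application Gateway resource:
//   pod1 and pod2 listeners -> firewallPolicy: { id: wafRestricted.id }
//   pod3 listener -> a second policy of the same shape without the custom rule
output restrictedPolicyId string = wafRestricted.id
```

`RemoteAddr` is the address the gateway sees as the connection source, so if another proxy or CDN sits in front of the Application Gateway the rule matches that proxy's address rather than the original client.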