How to add application gateway to the azure web app service

Question

Hi ,

I have the requirement of setting up a Azure App Gateway to the azure app service to configure a WAF rule to restrict the access from specific regions , so I will deploy an App Gateway with WAF2 and VNET to talk to each other on azure and configure frontend ip and backendpool and add the routing rule later.SO, my question here is the azure app service was existed already and and added the custom domain aswell , upon adding the new frontend public ip in the app gateway do In need to change the frontend public ip of the azure app service to the new frontend ip in the domain provider ? or if I ahve the CNAME record in place for the azure webapp I don't think I have to make any changes here , let me know If I am on the right lane ? anything would need to have a look at ?

Answer 1

Hello ReCloudS

Greetings!
I understand that you want to set up an application gateway in the frontend of your web app service.

The Application Gateway allows you to use an App Service app or other multi-tenant service as a backend pool member. App Service with Application Gateway This article explains how to configure an App Service app with Application Gateway. The configuration will vary based on how the App Service is accessed:

The first option uses a custom domain for both the Application Gateway and the backend App Service.

The second option allows the Application Gateway to access the App Service using its default domain, ending in ".azurewebsites.net".

Note:  You also need to add an A record in the DNS zone pointing to the application gateway frontend IP. Only then will the traffic route via the application gateway. And remove the existing CNAME record those points to the web app in the DNS record.

Check the below reference documents:

• https://learn.microsoft.com/en-us/azure/architecture/best-practices/host-name-preservation
• https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app?tabs=customdomain%2Cazure-portal

---

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

@ReCloudS

You're on the right track. Since your CNAME record is already pointing to your Azure App Service, you don’t need to update anything at your domain provider when introducing the Azure Application Gateway. The CNAME ensures that requests to your custom domain (app.yourdomain.com) resolve to the App Service, and that doesn't change just because you're adding an App Gateway in front of it.

Key Things to Consider:

CNAME Stays the Same

• If your DNS setup uses a CNAME pointing to yourwebapp.azurewebsites.net, you’re good.
  • The App Service’s frontend IP remains the same, and clients will still resolve the domain via DNS.

Configuring App Gateway Backend Pool

• When setting up the backend pool in App Gateway, use the FQDN (yourwebapp.azurewebsites.net), not an IP.
  • If you use private endpoints, you might need an internal VNet integration.
  Ensure Traffic Goes Through App Gateway

  - If you want to **enforce WAF protection**, restrict direct access to the App Service by setting up **Access Restrictions**.
  
     - Allow only traffic coming from the **Application Gateway subnet** and block public access.
  
     **WAF & Region Restriction Rules**
  
        - Define custom WAF policies to block traffic from unwanted regions.
  
           - Monitor WAF logs in **Azure Monitor** or **Log Analytics** to confirm it's working as expected.
  

When Would You Need a DNS Update?

• If you were using an A record (pointing to an IP instead of a CNAME), then you’d need to update it.
• If you wanted to force all traffic through the App Gateway, you could update the CNAME to point to the App Gateway’s frontend domain instead.You're on the right track. Since your CNAME record is already pointing to your Azure App Service, you don’t need to update anything at your domain provider when introducing the Azure Application Gateway. The CNAME ensures that requests to your custom domain (app.yourdomain.com) resolve to the App Service, and that doesn't change just because you're adding an App Gateway in front of it. Key Things to Consider:
  1. CNAME Stays the Same
     • If your DNS setup uses a CNAME pointing to yourwebapp.azurewebsites.net, you’re good.
     • The App Service’s frontend IP remains the same, and clients will still resolve the domain via DNS.
  2. Configuring App Gateway Backend Pool
     • When setting up the backend pool in App Gateway, use the FQDN (yourwebapp.azurewebsites.net), not an IP.
     • If you use private endpoints, you might need an internal VNet integration.
  3. Ensure Traffic Goes Through App Gateway
     • If you want to enforce WAF protection, restrict direct access to the App Service by setting up Access Restrictions.
     • Allow only traffic coming from the Application Gateway subnet and block public access.
  4. WAF & Region Restriction Rules
     • Define custom WAF policies to block traffic from unwanted regions.
     • Monitor WAF logs in Azure Monitor or Log Analytics to confirm it's working as expected.
  When Would You Need a DNS Update?
  • If you were using an A record (pointing to an IP instead of a CNAME), then you’d need to update it.
  • If you wanted to force all traffic through the App Gateway, you could update the CNAME to point to the App Gateway’s frontend domain instead.

If you found it helpful, could you kindly click the “Accept Answer and upvote” on the post.

If you have any further queries, please let us know we are glad to help you.