Restrict access from app service to app gateway, Static VIP restriction or Service endpoint ?

Alexandre 51 Reputation points
2021-05-01T07:05:31.727+00:00

Hello,

I have an application gateway with WAFV2 enabled.
I have an azure app service set as a backend pool.
I want to allow access to that app service only from the application gateway, so I can enforce WAF policies.

I wonder if there is any differences between :

In terms of :

  • Security ?
  • Networking ? (path used by requests sent to application gateway)
  • Pricing ?

Thanks a lot for your answers.
Alexandre

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,454 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,071 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,778 questions
0 comments No comments
{count} votes

Accepted answer
  1. Ryan Hill 28,191 Reputation points Microsoft Employee
    2021-05-04T03:11:48.637+00:00

    Hi @alexmass,

    I'll do my best to address your questions.

    Security?

    Both will restrict what traffic makes its way to your app service. Your app service will only respond to traffic you designated, whether it's IP or Service Endpoint

    Networking? (path used by requests sent to application gateway)

    Using Service Endpoint will gain advantage as the traffic request traverses the Azure backbone, see https://learn.microsoft.com/en-us/azure/app-service/networking/app-gateway-with-service-endpoints#integration-with-app-service-multi-tenant. When it comes to VIP, I'm not exactly sure if there's any efficiencies, but I would error to say no. More than likely, the traffic will out to the internet and back in from a routing standpoint. You could circumvent this by using a private endpoint on the App Service.

    Pricing ?

    Your costs will come from the SKUs of the App Gateway and App Service. From what you've stated, I don't think you will need a private endpoint; see https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint, but there is a cost associated if you go that route.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Richard Parkins 1 Reputation point
    2022-10-13T16:57:31.547+00:00

    Hi

    If the App gateway and web app are within the same VNET, would traffic stay within the Azure networks. I am think I would just need IP restrictions on the web app and NSG's on each subnet

    Am I missing something?? :)

    Edit: suddenly realised that its not in same subnet and need private endpoint to keep the traffic in the network. My first consideration was to just use ip restrictions but seems like a cost issue for bandwidth inside to outside and back to inside with just restrictions..

    Many thanks

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.