Add Application Gateway to the current setup & NSG

Mihiran Priyankara 40 Reputation points
2025-10-22T19:20:51.2933333+00:00

I have one Azure subscription with two resource groups (A and B). Each resource group contains two servers:

  • App Server – hosts an application (currently mapped with a DNS public IP).
  • DB Server – backend database server (no direct Internet access).

The App Server requires outbound Internet access for updates, but the DB Server should remain private.


Current Network Security Group (NSG) Configuration

App Server NSG

Inbound Rules

Priority | Name | Port(s) | Protocol | Source | Destination | Action | Description
1000 | VPN-MT | 22, 443 | TCP | 192.168.1.0/24 | ASG-MT | Allow | Allow management/VPN access
1000 | VPN-MT | 22, 443 | TCP | 192.168.1.0/24 | ASG-MT | Allow | Allow management/VPN access
1100 | MT-INT | 443 | TCP | Internet | ASG-MT | Allow | App accessible via Internet
1110 | MGW-MT | Any | Any | 10.10.10.4 | 10.10.10.5 | Allow | Internal MGW communication
4096 | DenyAll-Inbound | Any | Any | Any | Any | Deny | Default deny rule

Outbound Rules

Priority | Name | Port(s) | Protocol | Source | Destination | Action | Description
1100 | MTtoINT | 80, 443 | TCP | ASG-MT | Internet | Allow | Allow app Internet access
1100 | MTtoINT | 80, 443 | TCP | ASG-MT | Internet | Allow | Allow app Internet access
1200 | MT-DB | 1521 | TCP | ASG-MT | ASG-DB | Allow | Allow DB connection
4096 | DenyAll-Outbound | Any | Any | Any | Any | Deny | Default deny rule

DB Server NSG

Inbound Rules

Priority | Name | Port(s) | Protocol | Source | Destination | Action | Description
1000 | VPN-DB | 22, 1521 | TCP | 192.168.1.0/24 | 10.10.1.6 | Allow | VPN/DB access
1000 | VPN-DB | 22, 1521 | TCP | 192.168.1.0/24 | 10.10.10.6 | Allow | VPN/DB access
1100 | MT-DB | 1521 | TCP | ASG-MT | ASG-DB | Allow | App → DB communication
1101 | DBUATtoDBCFG | 1521 | Any | ASG-DB-UAT | ASG-DB | Allow | DB inter-env communication
1200 | MGT-DB | 22 | TCP | 10.10.10.4 | 10.10.10.6 | Allow | Management SSH access
1300 | MGT-DB2 | 1521, 5901, 5902 | TCP | 10.10.10.4 | 10.10.10.6 | Allow | Admin tool access
4096 | DenyAll-Inbound | Any | Any | Any | Any | Deny | Default deny rule

Outbound Rules

Priority | Name | Port(s) | Protocol | Source | Destination | Action | Description
1100 | DB-ALLOW | 443 | TCP | ASG-DB | Internet | Allow | DB outbound for updates
1100 | DB-ALLOW | 443 | TCP | ASG-DB | Internet | Allow | DB outbound for updates
1300 | DB-INT-DENY | 80, 443 | Any | ASG-DB | Internet | Deny | Block unwanted Internet traffic
1301 | DBtoDB | 1521 | Any | ASG-DB | ASG-DB-UAT | Allow | Inter-DB communication
4096 | DenyAll-Outbound | Any | Any | Any | Any | Deny | Default deny rule

I want to add an Application Gateway to this architecture to securely expose the App Server to the Internet and make use of its advanced features. Could you please provide the required NSG rules and the configuration steps for setting up the Application Gateway?


Answer accepted by question author
    Ganesh Patapati 10,385 Reputation points Microsoft External Staff Moderator
    2025-10-23T14:14:35.43+00:00

    Hello Mihiran Priyankara

    Below is a clean, Azure‑recommended way to insert Application Gateway (WAF_v2) in front of your App Servers, keep DB Servers private, and tighten NSGs—plus the exact rule sets and step‑by‑step configuration you can follow.


    1. Target Architecture
    • Dedicated subnet for Application Gateway (e.g., ApplicationGatewaySubnet, /24 recommended for v2 SKUs). App Gateway must live in a dedicated subnet and be in the same virtual network as the private backends it will reach.
    • App Server subnets remain private (no public IPs on VMs). All Internet ingress flows terminate on the App Gateway; the gateway then reaches App VMs on private IPs.
    • DB Server subnets stay private; only App Server(s) reach DB port(s).
    • Outbound for App/DB: use NAT Gateway on those subnets (best practice) or Azure Firewall if you need inspection. Do not block outbound on the App Gateway subnet—that breaks WAF_v2/fast‑update validation.

    2. NSG rule sets you can apply

    The lists below assume:

    • App Gateway frontend listens on 80/443.
    • Backends are your App Servers over HTTP/HTTPS (adjust the ports if your app differs).
    • DB listens on TCP 1521 (as in your current rules).

    A. NSG for ApplicationGatewaySubnet (attach to the App Gateway subnet)

    Goal: allow Internet to reach the gateway’s listeners; allow Azure control plane and probes; don’t block required outbound.

    Inbound (allow):

    1. Internet → 80/443 (TCP) — users reach the gateway
      • Source: Internet, Dest: ApplicationGatewaySubnet, Ports: 80,443, Protocol: TCP, Action: Allow, Priority: 100
    2. Azure Load Balancer probes — health/probe traffic
      • Source: AzureLoadBalancer service tag, Dest: ApplicationGatewaySubnet, Port: 443 (and any health probe you configure), Protocol: TCP, Action: Allow, Priority: 110
    3. GatewayManager control‑plane — required for v2 SKUs
      • Source: GatewayManager service tag, Dest: ApplicationGatewaySubnet, Ports: 65200-65535, Protocol: Any, Action: Allow, Priority: 120

    Inbound (deny all):

    • DenyAll-Inbound — Any/Any, Priority 4096 (your default)

    Outbound (allow):

    1. ApplicationGatewaySubnet → Internet — must remain allowed for WAF_v2/fast updates
      • Source: ApplicationGatewaySubnet, Dest: Internet, Ports: Any, Protocol: Any, Action: Allow, Priority: 100
    2. ApplicationGatewaySubnet → VirtualNetwork — to reach your backends (App Servers)
      • Source: ApplicationGatewaySubnet, Dest: VirtualNetwork, Ports: Any, Protocol: Any, Action: Allow, Priority: 110

    Important: Avoid a “DenyAll‑Outbound” on the App Gateway subnet. Validation fails for v2/fast‑update if outbound is blocked—even if you think “Internet” is still allowed. Leave outbound open or control egress via Azure Firewall/NAT Gateway on other subnets.

    Refer: https://learn.microsoft.com/en-us/answers/questions/718332/application-gateway-fails-to-be-built-where-a-nsg


    B. NSG for App Server subnet(s) (attach to subnets with App VMs)

    Goal: only traffic from the App Gateway subnet should reach the app; allow app → DB; allow controlled outbound (updates) via NAT/FW.

    Inbound (allow):

    1. From App Gateway → App ports
      • Source: CIDR of ApplicationGatewaySubnet (the gateway’s subnet; probes/data path originate here for private backends), Dest: App subnet or ASG-MT, Ports: your app ports (e.g., 80,443), Protocol: TCP, Action: Allow, Priority: 100

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-probe-overview

    2. From on‑prem/VPN for admin (if needed)
      • Source: 192.168.1.0/24, Dest: App subnet/ASG-MT, Ports: 22,443, Protocol: TCP, Action: Allow, Priority: 200

    Inbound (deny catch‑all):

    • DenyAll-Inbound, Priority 4096

    Outbound (allow):

    1. App → DB
      • Source: App subnet/ASG-MT, Dest: DB subnet/ASG-DB, Port: 1521, Protocol: TCP, Action: Allow, Priority: 100
    2. App → Internet (updates) — ideally via NAT Gateway on the App subnet
      • Source: App subnet/ASG-MT, Dest: Internet, Ports: 80,443, Protocol: TCP, Action: Allow, Priority: 200

    Outbound (deny catch‑all):

    • DenyAll-Outbound, Priority 4096 (safe on App subnets; the NAT/FW rules still work)

    C. NSG for DB Server subnet(s)

    Goal: only the App tier and approved admin sources reach the DB; controlled outbound (updates) as you require.

    Inbound (allow):

    1. App → DB
      • Source: App subnet/ASG-MT, Dest: DB subnet/ASG-DB, Port: 1521, Protocol: TCP, Action: Allow, Priority: 100
    2. Admin/VPN (SSH) (if you truly need it)
      • Source: 192.168.1.0/24 (or your jump host), Dest: DB subnet/ASG-DB, Port: 22, Protocol: TCP, Action: Allow, Priority: 200

    Inbound (deny catch‑all):

    • DenyAll-Inbound, Priority 4096

    Outbound (allow/deny):

    • If DB needs patching via Internet:
      • Allow Dest: Internet, Port: 443, Protocol: TCP, Priority 110
      • Deny Dest: Internet, Port: 80, Protocol: Any, Priority 120 (so HTTPS updates are allowed, HTTP blocked)
    • Inter‑DB (UAT ↔ CFG etc.) as required:
      • Allow Dest: ASG-DB-UAT, Port: 1521, Protocol: Any, Priority 130
    • DenyAll-Outbound, Priority 4096

    Clean up duplicates in your current NSGs (you have repeated rules). Keep priorities so the HTTPS allow precedes any broader Internet deny.


    I hope this was helpful!

    If the above is unclear or you are unsure about something, please add a comment below.

