Azure Application Gateway locked down route to app service

1.9k views

I have set up an Azure Application Gateway with Web Application Firewall to route traffic to an Azure App Service. This requires setting up a VPN. I have followed instructions similar to this: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-powershell

However, it doesn't explain how to limit traffic to the app service to only traffic coming via the application gateway.

If I go into the app service's networking tab there is an option to use VNet integration. I thought this might be a way to lock down access through the gateway to the app service, but I can't select the gateway VPN because Azure tells me 'This virtual network has no gateway'.

So how do I lock down access to the app service so that only traffic which comes through the gateway can access it?

3

There are 3 answers

0
johnstaveley (BEST ANSWER)

I have added the following to my ARM template to set up the web.config for the app service:

{
  "type": "Microsoft.Web/sites/config",
  "name": "[variables('website_config')]",
  "apiVersion": "2016-08-01",
  ....
    "ipSecurityRestrictions": [
      {
        "ipAddress": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))).IpAddress]",
        "subnetMask": "255.255.255.255"
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/sites', variables('websites_name'))]",
    "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]"
  ]
},

The public IP address resource is the one set up by the gateway.

I can no longer access the app service using the url http://.azurewebsites.net, which is what I want. Initially, when I accessed the public IP address, I got the error message: "502 - Web server received an invalid response while acting as a gateway or proxy server." However, after a bit it worked fine.
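As an added example (not part of the answer or of any Azure SDK), a small Python helper that builds the same ipSecurityRestrictions entry from a gateway public IP and audits an existing array for anything broader than the gateway's single address; the address 203.0.113.10 is a constructed sample standing in for the reference(...).IpAddress value in the template.

```python
"""Build and audit App Service ipSecurityRestrictions so that only the
Application Gateway's public IP is allowed (constructed example)."""
import ipaddress
from typing import Dict, List

# Constructed sample; in the ARM template this value comes from
# reference(resourceId('Microsoft.Network/publicIPAddresses', ...)).IpAddress
GATEWAY_IP = "203.0.113.10"


def gateway_only_restrictions(gateway_ip: str) -> List[Dict[str, str]]:
    """Return the ipSecurityRestrictions array: one allow entry for the
    gateway's public IP in the 2016-08-01 ipAddress + subnetMask form used
    above. Any other source is implicitly denied once an entry exists."""
    ipaddress.IPv4Address(gateway_ip)  # raises ValueError on a bad address
    return [{"ipAddress": gateway_ip, "subnetMask": "255.255.255.255"}]


def _as_network(rule: Dict[str, str]) -> ipaddress.IPv4Network:
    """Normalise a rule to a network. Legacy rules carry ipAddress plus
    subnetMask; newer API versions carry ipAddress in CIDR form."""
    addr = rule["ipAddress"]
    if "subnetMask" in rule:
        return ipaddress.IPv4Network((addr, rule["subnetMask"]), strict=False)
    return ipaddress.IPv4Network(addr, strict=False)


def audit_restrictions(rules: List[Dict[str, str]], gateway_ip: str) -> List[str]:
    """Return findings; an empty list means only the gateway can reach the app.
    Flags an empty array (App Service then allows everyone), any allow rule
    wider than a single host, and any allowed source that is not the gateway."""
    findings: List[str] = []
    if not rules:
        findings.append("no restrictions: app service is reachable from anywhere")
        return findings
    gw = ipaddress.IPv4Address(gateway_ip)
    for rule in rules:
        # Legacy entries have no action field and are always allow entries.
        if rule.get("action", "Allow").lower() != "allow":
            continue
        net = _as_network(rule)
        if net.prefixlen < 32:
            findings.append(f"allow rule {net} is wider than a single host")
        if gw not in net:
            findings.append(f"allow rule {net} permits a source other than the gateway")
    return findings


if __name__ == "__main__":
    print(audit_restrictions(gateway_only_restrictions(GATEWAY_IP), GATEWAY_IP))
```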

2
Bruce Chen

So how do I lock down access to the app service so that only traffic which comes through the gateway can access it?

Per my understanding, you could do nothing with Application Gateway. But you could leverage IP and Domain Restrictions for Azure Web Sites to allow the traffic that comes through your application gateway to access your Azure web app. Here is a similar issue. For a simple way, you could log into the Azure portal, choose your web app, click "SETTING > Networking" and click Configure IP Restrictions under the IP Restrictions section to add your custom IP Restrictions.

0
Michael Chudinov

In the Azure Portal go to the "Access Restriction" of your Web service. Then choose to access the application only from the VNet and subnet where your application gateway resides.