I have an AppService deployed in a Spoke Vnet (with a Private Endpoint). In front of this is an AppGw (in the Hub Vnet).
It seems that it's not possible to control the AppGw outbound traffic with the Azure Firewall. I would therefore like to control it with an NSG in the Spoke Vnet directly where I have my private endpoint. (I want to only allow the green line)
However, I cannot figure out what rules I should put in place. As soon as I disable VNET to VNET traffic in the NSG, my AppGw cannot talk to the private link anymore even if I put an explicit rule from the AppGw to the private endpoint.
How can I secure the access to my private endpoint?

I tried to understand your setup and collected the following points:
If you are not using VNet integration with App Service then all outgoing traffic will be using (shared) public IPs and the app service does not have any outgoing access to Hub or Spoke VNets. This requires more clarifications about your setup.
If you use VNet integration then you will get features like
When regional virtual network integration is enabled, your app makes outbound calls through your virtual network. Then you should be able to do the following:
(1) https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
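One way to express the rule set asked about above, as an added example that is not part of the question or the answer: an NSG on the spoke subnet hosting the private endpoint that allows only the hub Application Gateway subnet to reach the private endpoint on 443 and denies all other VNet traffic. NSG rules are only enforced on private endpoint traffic when network policies are enabled on that subnet, which the subnet resource below sets; the address prefixes, private endpoint IP and resource names are assumed values.

```bicep
param appGwSubnetPrefix string = '10.0.1.0/24' // assumed hub AppGw subnet
param privateEndpointIp string = '10.1.2.4'    // assumed private endpoint NIC address

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-spoke-private-endpoints'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        // Explicit allow: the lower priority number wins over the deny below.
        name: 'Allow-AppGw-To-AppService-PE'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appGwSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: privateEndpointIp
          destinationPortRange: '443'
        }
      }
      {
        // Overrides the default AllowVnetInBound rule (priority 65000) for this subnet.
        name: 'Deny-VNet-To-PE-Subnet'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  name: 'vnet-spoke/snet-private-endpoints' // assumed spoke VNet and subnet names
  properties: {
    addressPrefix: '10.1.2.0/24'
    // NSG rules are ignored for private endpoint traffic unless this is enabled.
    privateEndpointNetworkPolicies: 'Enabled'
    networkSecurityGroup: { id: nsg.id }
  }
}
```

After deployment, the NSG flow logs (or Network Watcher's IP flow verify) on the private endpoint NIC show whether traffic from the Application Gateway subnet is matched by the allow rule rather than the deny.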