Easy way to use Azure Application Gateway for an Intranet Application

Harinderjit Singh, published in ITNEXT. 6 min read, May 18, 2022

A few months ago, I wrote a post about using Azure Application Gateway for an intranet application. This post is a continuation of that one: we are going to achieve the same result, but in a different and easier way.

What is this Easier way?

When I wrote the last post, Application Gateway did not allow us to create private links and private endpoints for private access to the Application Gateway endpoints. That feature is now available in preview.

Azure Private Endpoint is the fundamental building block for Azure Private Link. Private endpoints enable Azure resources deployed in a virtual network to communicate privately with private link resources.

Private endpoints give resources access to a private link service deployed in a virtual network. Reaching the private endpoint over virtual network peering or an on-premises network connection extends that connectivity further.

I wrote a post earlier covering Private endpoints and their comparison with service endpoints.

How is this Easier?

In a nutshell, in my opinion it is easier because you do not have to maintain a separate user-defined route (UDR), which we had to do in the last post.

Below are the steps required:

  1. Deploy the application gateway (Standard v2 in my case)
  2. Configure the Backend pools, Backend Settings (earlier called HTTP settings), Routing rules, Health probes and Rewrite rules (if any) for the application in the application gateway.
  3. Make sure the application gateway listener uses the private frontend IP (leave the public IP unused) and a valid hostname (an A record in DNS in my case).
  4. Create a Private Link.
  5. Create a Private endpoint.
  6. Update the private DNS record to point to the Private IP of your Private endpoint.

Let me elaborate on points 4 and 5.

Configure Private Link (4)

The Private link configuration defines the infrastructure used by Application Gateway to enable connections from Private Endpoints. To create the Private link configuration, complete the following steps:

  1. Go to the Azure portal.
  2. Search for and select Application Gateways.
  3. Select the name of the application gateway for which you want to enable the private link.
  4. Select Private link.
  5. Configure the following items:
     • Name: The name of the private link configuration.
     • Private link subnet: The subnet from which the private link IP addresses should be consumed.
     • Frontend IP Configuration: The frontend IP address on the Application Gateway that the private link should forward traffic to.
     • Private IP address settings: specify at least one IP address.
  6. Select Add.

These steps will create a Private link in the Private subnet of the target Virtual network. The maximum number of IP addresses per private link configuration is eight. Only dynamic allocation is supported.

Configure Private Endpoint (5)

A private endpoint is a network interface that uses a private IP address from the virtual network containing clients wishing to connect to your gateway. Each of the clients will use the private IP address of the Private Endpoint to tunnel traffic to the Application Gateway. To create a private endpoint, complete the following steps:

  1. Select the Private endpoint connections tab, then click Private endpoint.
  2. On the Basics tab, configure a resource group, name, and region for the private endpoint. Select Next.
  3. On the Resource tab, select Next. If the public or private IP configuration resource is missing when you try to select a Target sub-resource on the Resource tab, make sure a listener is actively using the respective frontend IP configuration. Frontend IP configurations without an associated listener are not shown as a Target sub-resource.
  4. On the Virtual Network tab, configure the virtual network and subnet in which the private endpoint network interface should be provisioned. Choose whether the private endpoint should have a dynamic or static IP address. Last, choose whether a new private DNS zone should be created to manage IP addressing automatically. Select Next.
  5. On the Tags tab, optionally configure resource tags. Select Next.
  6. Select Create.
  7. You can get the private IP associated with the private endpoint from "DNS configuration".

Update the private DNS record for the hostname used in the application gateway’s Listener configuration to point to the Private IP of your Private endpoint.
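The portal steps from the two sections above (the private link configuration, the private endpoint, reading its private IP and the final DNS update), as an added Azure CLI script that is not part of the original post. The resource group, gateway, subnet, virtual network, private DNS zone and record names are assumptions; the frontend IP configuration name is whatever your private listener uses, and the script only logs the `az` calls until you set `DRY_RUN=0`.

```shell
# Added example (not from the original post): Azure CLI equivalent of steps 4-7.
# Resource names are assumptions; override them via environment variables.
# DRY_RUN=1 (the default) only logs the az calls so they can be reviewed before applying.
set -eu
RG="${RG:-rg-intranet}"; AGW="${AGW:-agw-intranet}"            # assumed resource group and v2 gateway
FRONTEND_IP="${FRONTEND_IP:-appGwPrivateFrontendIp}"            # private frontend IP config used by the listener
PL_SUBNET="${PL_SUBNET:-snet-agw-privatelink}"                  # existing subnet in the gateway VNet for private link IPs
PE_VNET="${PE_VNET:-vnet-hub}"; PE_SUBNET="${PE_SUBNET:-snet-private-endpoints}"  # where the endpoint NIC lives
PE_NAME="${PE_NAME:-pe-$AGW}"
DNS_ZONE="${DNS_ZONE:-corp.example}"; RECORD_NAME="${RECORD_NAME:-intranet}"      # listener hostname record
DRY_RUN="${DRY_RUN:-1}"

run_az() {   # mutating call: log to stderr, execute only when DRY_RUN=0
  printf '+ az %s\n' "$*" >&2
  [ "$DRY_RUN" = "1" ] || az "$@"
}
query_az() { # read-only lookup: returns a placeholder in dry-run mode
  printf '+ az %s\n' "$*" >&2
  if [ "$DRY_RUN" = "1" ]; then printf 'dry-run-placeholder\n'; else az "$@"; fi
}

# Step 4: private link configuration bound to the private frontend IP (max 8 IPs, dynamic only).
create_private_link() {
  run_az network application-gateway private-link add --resource-group "$RG" --gateway-name "$AGW" \
    --name "pl-$FRONTEND_IP" --frontend-ip "$FRONTEND_IP" --subnet "$PL_SUBNET"
}

# Step 5: private endpoint whose target sub-resource (--group-id) is the frontend IP configuration name.
create_private_endpoint() {
  agw_id=$(query_az network application-gateway show -g "$RG" -n "$AGW" --query id -o tsv)
  run_az network private-endpoint create --resource-group "$RG" --name "$PE_NAME" \
    --vnet-name "$PE_VNET" --subnet "$PE_SUBNET" --private-connection-resource-id "$agw_id" \
    --group-id "$FRONTEND_IP" --connection-name "conn-$AGW"
}

# Step 7: the endpoint's private IP sits on its NIC (the value the portal shows under DNS configuration).
endpoint_private_ip() {
  nic_id=$(query_az network private-endpoint show -g "$RG" -n "$PE_NAME" --query 'networkInterfaces[0].id' -o tsv)
  query_az network nic show --ids "$nic_id" --query 'ipConfigurations[0].privateIPAddress' -o tsv
}

# Step 6: the listener hostname must resolve to the endpoint IP, not to the gateway's own frontend IP.
update_dns_record() {
  run_az network private-dns record-set a add-record --resource-group "$RG" --zone-name "$DNS_ZONE" \
    --record-set-name "$RECORD_NAME" --ipv4-address "$1"
}

create_private_link; create_private_endpoint
update_dns_record "$(endpoint_private_ip)"
```

Run it once with the default dry run, check the logged commands against your own names, then rerun with `DRY_RUN=0` in a session that is logged in to the right subscription.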

The following limitations apply to private endpoints:

  • Network security groups (NSG) are bypassed by traffic coming from private endpoints
  • Private endpoints don’t support network policies such as Network Security Groups (NSGs) or Azure Firewall, so security rules won’t apply to them.
  • User-defined routes (UDR) are bypassed by traffic coming from private endpoints. User-defined routes can be used to override traffic destined for the private endpoint.

You can compare how the request flows from the client to the backend with the diagram in the post covering the other method. Note that the request no longer flows through the firewall, because it bypasses the UDR.

Which way to go?

This should be a discussion for the future since the usage of private links with the Application gateway is in Preview right now.

Once this feature becomes production-ready, here are the things to consider:

  • UDR maintenance: If you need to give access to resources in another subnet, another site-to-site VPN address space or another point-to-site VPN address space while using this method, there is nothing to maintain as long as the private endpoint is in a subnet of the hub virtual network. With the other method, you had to add those address spaces to the associated UDR.
  • Firewall and NSG rules: Nothing to maintain when using private endpoints, because both the firewall and NSGs are bypassed. With the other method, you had to add any newly allowed or denied address spaces to the associated firewall and NSG rules.
  • Cost: Private endpoints incur extra charges.
  • Security control: NSGs and the firewall are bypassed for private endpoints, so if you need to ensure that only resources in certain subnets or networks can reach the URL of the application behind the application gateway, this is not the way to go, and I would recommend the approach in my earlier post.

Please read my other articles as well and share your feedback. If you like the content, please like, comment and subscribe for new articles.
