Why can my application gateway not connect to web app if the application gateway subnet is allowed in web app access restriction?

Majtenyi, Otto 20 Reputation points
2023-04-07T14:32:02.09+00:00

Hello, I have an application gateway that has an app service as a backend pool. Everything works fine when the app service allows anything to access it (I can access web app from app gateway). However, when I allow the application gateway subnet to the site access and rules and switch the unmatched rule action to deny, the web app throws a 403 error. I think this means that the application gateway is not accessing the web app through the subnet, but I do not know how to fix that. I made sure the subnet allows Microsoft.Web endpoints. What could be causing this issue and how do I resolve it?


Accepted answer
  1. ChaitanyaNaykodi-MSFT 27,366 Reputation points Microsoft Employee
    2023-04-10T23:10:32.19+00:00

    @Majtenyi, Otto Welcome to the Microsoft Q&A forum. If I have understood the question correctly, you have an application gateway that has an app service as a backend pool. You want to restrict access to the app service so that only the application gateway can access it. You tried granting access only to the application gateway subnet on the app service; it did not work and you got a 403 error. If my understanding above is correct: based on the documentation here, how the application gateway routes a request to the backend pool depends on how the application gateway can reach the backend pool:

    • If the backend pool is a public endpoint, the application gateway uses its frontend public IP to reach the backend server. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.
    • If the backend pool contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses.
    • If the backend pool contains an external endpoint or an externally resolvable FQDN, the application gateway routes the request to the backend server by using its frontend public IP address. If the subnet contains service endpoints, the application gateway will route the request to the service via its private IP address. DNS resolution is based on a private DNS zone or custom DNS server, if configured, or it uses the default Azure-provided DNS. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.

    Now, it depends on how you have added the app service to the backend pool. If it is via its public IP, you will have to give the Application Gateway's frontend public IP access to the app service. You can follow this document to add the restriction to your app service. For production workloads there are other ways by which you can restrict access to the app service.

    Based on your statement above

    I know my client pc should not need access, that is why I am confused. How would I confirm I am only making requests from application gateway? I can say that I am entering the dns name from the public ip of the gateway into my browser and nothing else.

    Your understanding here is correct; your client PC should not be able to access the web app directly. The possible reason for this observation might be that if you have enabled the same custom domain for your web app and application gateway, then due to DNS cache the DNS name might have resolved to the web app's public IP instead of the Application Gateway's IP. You can try clearing your DNS cache and see if this is true. Based on your statement above

    The web app has authentication turned on using Microsoft AAD, so that could be my browser making direct requests to the web app, but that would mean I can't use an App Gateway if I have authentication on, which can't be right.

    You can use Application Gateway with an App Service that uses Azure Active Directory Authentication; more information can be found here. Hope this helps! Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

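As an added example (not code from this thread or from Microsoft), here is the accepted answer's recommendation as an Azure CLI script: look up the gateway's frontend public IP, allow only that /32 on the web app, and set the unmatched-rule action to Deny. RG, APPGW_PIP and WEBAPP are placeholders you set in the environment; it assumes a logged-in Azure CLI recent enough to support `access-restriction set --default-action`.

```shell
#!/usr/bin/env bash
# Added example: restrict an App Service so that only the Application Gateway's
# frontend public IP can reach it. Placeholders RG, APPGW_PIP and WEBAPP are assumptions.
set -euo pipefail

RG="${RG:-}"                # resource group holding the gateway, its public IP and the web app
APPGW_PIP="${APPGW_PIP:-}"  # name of the gateway's frontend public IP resource
WEBAPP="${WEBAPP:-}"        # App Service name

# Turn a bare IPv4 address into the /32 CIDR an access-restriction rule expects;
# anything that is not four dotted octets is rejected so a bad lookup cannot
# silently produce an over-broad rule.
host_cidr() {
  local ip="$1"
  if ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo "not an IPv4 address: $ip" >&2
    return 1
  fi
  printf '%s/32\n' "$ip"
}

# The gateway's frontend public IP is the source the web app sees when the
# backend pool is a public FQDN, not the client PC and not the gateway subnet.
appgw_frontend_ip() {
  az network public-ip show -g "$RG" -n "$APPGW_PIP" --query ipAddress -o tsv
}

# Add the Allow rule for the gateway, then flip the unmatched action to Deny,
# and print the resulting rule set so the change can be reviewed.
restrict_webapp_to_appgw() {
  local cidr
  cidr="$(host_cidr "$(appgw_frontend_ip)")"
  az webapp config access-restriction add -g "$RG" -n "$WEBAPP" \
    --rule-name allow-appgw-frontend --action Allow \
    --ip-address "$cidr" --priority 100 -o none
  az webapp config access-restriction set -g "$RG" -n "$WEBAPP" \
    --default-action Deny -o none
  az webapp config access-restriction show -g "$RG" -n "$WEBAPP" \
    --query "ipSecurityRestrictions[].{name:name,ip:ipAddress,action:action}" -o table
}

# Only talk to Azure when all placeholders have been filled in.
if [ -n "$RG" ] && [ -n "$APPGW_PIP" ] && [ -n "$WEBAPP" ]; then
  restrict_webapp_to_appgw
fi
```

After the run, a request that still returns 403 through the gateway means the backend is not reaching the app via that public IP (for example via a service endpoint), so check the effective source in the App Service access logs before adding further rules.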

1 additional answer

  1. TP 118.2K Reputation points
    2023-04-07T16:51:39.12+00:00

    Hi,

    In your react application running in the browser, please confirm that it is only making requests to your application gateway. From the description in your comment of "...when I allow my ip address on the web app restrictions, the app gateway works..." it sounds like you are making requests from the browser directly to your web app running on app services.

    By "my ip address" I assume you mean the public IP address of your client PC. Your client PC should not need access to your app service. It should be communicating with your Application Gateway.

    Thanks.

    -TP
