Azure Restricting Web App Access to App Gateway Only

So this will be a quick post, let’s understand some of the background. In an load balanced environment what happens is that you have two web apps in two different geographical location so that if one goes down or if you have to take down due to deployment then other can continue to serve the traffic.

additionally you would want to make sure that those individual webapps are not accessible over public internet and if anyone tries to reach the web app they should get 40x, the simplest way is to apply the firewall rules in web app. which is Settings — Networking — Access Restrictions.

Normally what you would do is add the IP of app gateway so that no one should be able to reach those urls directly but app gateway can connect to web app, additionally you can add your VPN IP so that if you are on your corporate VPN then you should be able to access the Web App directly for testing or troubleshooting purpose.

Recently i have been in a situation where i didn’t incorporated this changes within the template and i thought i would do it later on from portal just as one of situation, the issue is Azure Portal has been having issue, no matter what i do App Gateway report 400 error when the app gateway IP has been whitelisted.

so as work around here’s what I did.

when there’s no rule set Web App will allow all, the moment you set a rule the default rule would get converted in to “Deny” rule and then on top of that we would add all the allow entries.

In my case and as work around I had to add another “Deny” for all and then on top of that I added all the allow rules including the one for Application gateway IP was added.

so if you ever come across issue where even after whitelisting you get 400 errors then this work around might help you.

Leave a Reply

Your email address will not be published. Required fields are marked *