A recent addition to Service Endpoints support is Microsoft.Web. Exactly as Service Endpoints for Azure Storage and Azure SQL allowed private access from a subnet to those PaaS services, Microsoft.Web Service Endpoints finally allows simple secure access to a backend App Service.
There are two parts to this setup:
- Service Endpoints for Microsoft.Web must be enabled on the Application Gateway’s subnet
- This subnet must be whitelisted in the Access Restrictions configuration for the backend Web App
Setup
I use my previously created App Gateway and Web App from here: https://patobwp.azurewebsites.net/2019/02/20/app-service-w-app-gateway-v2-high-security-in-azure-paas/.
From the Overview blade of the App Gateway, note the subnet, and click on the Virtual Network link to go to the VNET resource. Click the Subnets blade on the left and then click on the App Gateway subnet to open its configuration blade.
Here we will enable Microsoft.Web Service Endpoints:
Now go to the backend Web App in the Azure portal, and open the Networking > Access Restrictions blade. Create an allow rule of Type: Virtual Network and target the App Gateway’s subnet.
Your access restriction rules should now look something like this, of course you can add additional rules for other clients as needed:
Now the Web App is secured from public clients, no one can bypass the App Gateway. This is a powerful option for both App Gateway v1 and v2 which should make integration easier and more consistent.