Azure App Gateway, App Services and Database for MySQL Server - Disable public access on App Services

Uhmazing34 40 Reputation points
2024-10-22T12:38:31.13+00:00

Hello,

In Azure I currently have an Application Gateway, two App Services and two Azure Database for MySQL Servers. The two MySQL Database Servers have public access disabled, so they can only be reached through the App Service and/or the VNet. Now, I would like the two App Services not to be accessible to the public either, so with public access disabled. I have tried different options to do this, but I keep getting a “502 Bad Gateway” error when accessing the App Services both internally and externally.

Below some more information:

VNET (192.168.100.0/22)

  • Subnet App_Gateway_V2 (192.168.101.80/28)
  • Subnet AppSvcSubnet (192.168.102.0/24)
  • Subnet PrivateLinkSubnet (192.168.103.0/24)

None of the subnets are linked to a NSG.

Application Gateway has both a public and a private frontend IP. Private IP = 192.168.101.84, Public IP = 108.xxx.xxx.xx

The App Services have the VNet Integration enabled for outbound traffic (AppSvcSubnet).

The Azure Database for MySQL Servers have public access disabled and have a Private Endpoint configured. The Private Endpoint is in subnet PrivateLinkSubnet. When opening the Private Endpoint, it also has a Private DNS zone (privatelink.mysql.database.azure.com) with IP address 192.168.103.5.

The above is the current situation as it is now. Like I mentioned, I would now like to disable public access on the App Services as well. What I tried is creating a Private Endpoint for inbound traffic to the App Service (in PrivateLinkSubnet, with the Private DNS zone enabled, 192.168.103.20). For the Access Restrictions I selected the option: Public network access - Enabled from select virtual networks and IP addresses. Then, in the allow rules I added the following rules:

  • Allow AppGw Traffic (192.168.101.84/32)
  • Allow AppGw Traffic (108.xxx.xxx.xx/32)
  • Allow VNET Traffic (192.168.100.0/22)

However, with the above configuration I can still access the Web App both internally and externally. When removing the rule Allow AppGw Traffic (108.xxx.xxx.xx/32), I cannot reach the Web App anymore, both internally and externally. I receive the “502 Bad Gateway” error.

Does someone know what I’m doing wrong or how I can configure it correctly?

Thank you in advance.

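For readers comparing their own setup against the one described in the question, the following Azure CLI script is an added example (not part of the question and not from any answer) of the configuration pattern for an App Service that is reachable only through an Application Gateway inside the same VNet: a private endpoint in PrivateLinkSubnet, the privatelink.azurewebsites.net zone linked to the VNet so the gateway resolves the app to its private address, the public front door closed afterwards, and gateway backend settings that forward the app's own hostname. Resource names, the resource group and the listener name are assumptions; the subnet name comes from the question. Setting `AZ=echo` prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not the question author's configuration. Names below are assumptions
# except PrivateLinkSubnet, which comes from the question.
AZ="${AZ:-az}"                          # set AZ=echo to preview the commands
RG="${RG:-rg-example}"                  # assumed resource group
VNET="${VNET:-vnet-example}"            # assumed VNet name (192.168.100.0/22)
APP="${APP:-app-example}"               # assumed App Service name
AGW="${AGW:-agw-example}"               # assumed Application Gateway name
LISTENER="${LISTENER:-listener-https}"  # assumed existing listener on the gateway
PE_SUBNET="PrivateLinkSubnet"           # subnet from the question
ZONE="privatelink.azurewebsites.net"    # zone used by App Service private endpoints
APP_FQDN="$APP.azurewebsites.net"

# Step 1: private inbound path first. The zone link is what makes the gateway resolve
# the app's FQDN to the private endpoint instead of the public front end.
lock_down_app_service() {
  app_id=$($AZ webapp show -g "$RG" -n "$APP" --query id -o tsv)
  $AZ network private-endpoint create -g "$RG" -n "pe-$APP" \
    --vnet-name "$VNET" --subnet "$PE_SUBNET" \
    --private-connection-resource-id "$app_id" --group-id sites \
    --connection-name "pe-$APP-conn"
  $AZ network private-dns zone create -g "$RG" -n "$ZONE"
  $AZ network private-dns link vnet create -g "$RG" -z "$ZONE" \
    -n "link-$VNET" -v "$VNET" -e false
  $AZ network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "pe-$APP" -n default \
    --private-dns-zone "$ZONE" --zone-name sites
  # Step 2: only now close the public front door. Public requests then get 403 from
  # the App Service front end, while the gateway still reaches the app privately.
  $AZ webapp update -g "$RG" -n "$APP" --set publicNetworkAccess=Disabled
}

# Step 3: gateway backend. App Service answers only for its own hostname, so the probe
# and the backend settings must send the app's FQDN as Host header, not the listener's.
wire_app_gateway_backend() {
  $AZ network application-gateway address-pool create -g "$RG" \
    --gateway-name "$AGW" -n "pool-$APP" --servers "$APP_FQDN"
  $AZ network application-gateway probe create -g "$RG" --gateway-name "$AGW" \
    -n "probe-$APP" --protocol Https --path / --host-name-from-http-settings true
  $AZ network application-gateway http-settings create -g "$RG" --gateway-name "$AGW" \
    -n "https-$APP" --port 443 --protocol Https \
    --host-name-from-backend-pool true --probe "probe-$APP"
  $AZ network application-gateway rule create -g "$RG" --gateway-name "$AGW" \
    -n "rule-$APP" --rule-type Basic --priority 100 --http-listener "$LISTENER" \
    --address-pool "pool-$APP" --http-settings "https-$APP"
}

# Step 4: checks. The private endpoint's address should be in 192.168.103.0/24 and the
# gateway's backend health should report Healthy; an Unhealthy backend is what surfaces
# to clients as 502 Bad Gateway.
show_private_path() {
  $AZ network private-endpoint show -g "$RG" -n "pe-$APP" \
    --query 'customDnsConfigs[].{fqdn:fqdn,ip:ipAddresses[0]}' -o table
  $AZ network application-gateway show-backend-health -g "$RG" -n "$AGW" \
    --query 'backendAddressPools[].backendHttpSettingsCollection[].servers[].{address:address,health:health}' -o table
}

main() {
  lock_down_app_service
  wire_app_gateway_backend
  show_private_path
}

# Run as "sh script.sh apply" (or "AZ=echo sh script.sh apply" to preview).
if [ "${1:-}" = "apply" ]; then main; fi
```

The order matters: the private endpoint, the DNS zone and its VNet link go in before public access is disabled, so the gateway never loses its path to the app. If the zone is not linked to the VNet that hosts the gateway subnet, the gateway keeps resolving the app to the public front end, which no longer serves it once public access is off.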