How to integrate an application gateway with static webapp as frontend and appservice as backend
It is regarding a production setup on how to integrate an application gateway with a public IP. On hitting the public IP, the frontend static webapp will be shown, and in the backend we have private endpoints through which we integrate that with a private endpoint.
How to do the configuration, do we need to set up the NSG rules for the same?
Azure Application Gateway
-
Sai Prasanna Sinde 2,680 Reputation points • Microsoft Vendor
2024-12-16T03:18:36.0133333+00:00 Hi @Ashvini Vijaya Kumar (G10X, IND),
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
- Create a new Application Gateway. Choose the appropriate tier (Standard V2 or WAF V2 for web application firewall capabilities). For your reference: https://zcusa.951200.xyz/en-us/azure/virtual-network/ip-services/configure-public-ip-application-gateway
- Select Public for the Frontend IP address type, either create a new public IP address or use an existing one. For your reference: https://zcusa.951200.xyz/en-us/azure/application-gateway/configuration-frontend-ip#:~:text=For%20a%20public%20IP%20address%2C%20you%20can%20create%20a%20new%20public%20IP%20address%20or%20use%20an%20existing%20public%20IP%20in%20the%20same%20location%20as%20the%20application%20gateway
- Create a backend pool and add the private endpoints of your backend web app to this pool.
- Create private endpoints for your backend web app in the same virtual network as your Application Gateway. This ensures communication between the Application Gateway and your web app stays within your private network.
- Configure your DNS settings (in your VNet or using a private DNS zone) to resolve the private endpoints to the internal IP addresses of your backend web app. For your reference: https://zcusa.951200.xyz/en-us/azure/application-gateway/how-application-gateway-works
- Create a listener on your Application Gateway. This listener will listen for incoming traffic on a specific port. For your reference: https://zcusa.951200.xyz/en-us/azure/application-gateway/configuration-listeners
- Create a routing rule that directs traffic from the listener to your backend pool. For your reference: https://zcusa.951200.xyz/en-us/azure/application-gateway/configuration-request-routing-rules#associated-listener
- The subnet where your Application Gateway resides will have an NSG associated with it. You'll need to add rules to allow incoming traffic on port 80 (or 443 if you're using HTTPS) from the internet. For your reference: https://zcusa.951200.xyz/en-us/azure/application-gateway/configuration-infrastructure
- The subnet where your backend web app with private endpoints resides should have an NSG that allows traffic from the Application Gateway subnet.
- If you're using HTTPS, you'll need to configure SSL certificates on your Application Gateway. For your reference: https://zcusa.951200.xyz/en-us/azure/application-gateway/end-to-end-ssl-portal#before-you-begin:~:text=To%20configure%20end%2Dto%2Dend%20TLS%20with%20an%20application%20gateway%2C%20you%20need%20a%20certificate%20for%20the%20gateway.%20Certificates%20are%20also%20required%20for%20the%20backend%20servers.
- Configure your public DNS records to point to the public IP address of your Application Gateway. For your reference: https://zcusa.951200.xyz/en-us/azure/application-gateway/configuration-frontend-ip#:~:text=You%20must%20manually%20configure%20using%20your%20domain%20name%20by%20mapping%20its%20DNS%20record%20to%20the%20gateway%27s%20IP%20address.
- Set up health probes on your Application Gateway to monitor the health of your backend web app instances. For your reference: https://zcusa.951200.xyz/en-us/azure/application-gateway/application-gateway-probe-overview
- Consider enabling autoscaling for your Application Gateway to handle fluctuations in traffic.
Note: If you encounter a "Bad request" error when trying to access the URL mentioned above, kindly copy the URL manually and paste it into a new tab.
Kindly let us know if the above helps or you need further assistance on this issue.
Thanks,
Sai.
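The NSG steps in the answer above can be checked before deployment with a small model of how an NSG evaluates inbound rules (lowest priority number first, first match wins, built-in default rules last). This is an added example, not code from the answer or from Microsoft; rule names, priorities and packet addresses are constructed, and each packet is assumed to map to a single service tag. It also covers a requirement from the infrastructure documentation linked in the answer: a v2 gateway subnet's NSG must allow TCP 65200-65535 from the `GatewayManager` tag, and a custom catch-all deny will shadow the default `AzureLoadBalancer` allow rule.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, service tag, or "*"
    ports: range    # destination ports

ANY = range(0, 65536)
# Azure's built-in inbound default rules, present in every NSG.
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", ANY),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", ANY),
    Rule("DenyAllInBound", 65500, "Deny", "*", ANY),
]

def source_matches(rule_src, src_ip, src_tag):
    if rule_src == "*":
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src)
    except ValueError:  # not a CIDR, so compare as a service tag
        return rule_src == src_tag

def evaluate(rules, src_ip, src_tag, dst_port):
    """Return (access, rule name) for the first match in priority order."""
    for r in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if dst_port in r.ports and source_matches(r.source, src_ip, src_tag):
            return r.access, r.name

# Constructed rule sets for the gateway subnet's NSG (names/priorities assumed).
CLIENT_ONLY = [Rule("AllowHttpsFromInternet", 100, "Allow", "Internet", range(443, 444))]
WITH_INFRA = CLIENT_ONLY + [
    Rule("AllowGatewayManager", 110, "Allow", "GatewayManager", range(65200, 65536))]
WITH_DENY_ALL = WITH_INFRA + [Rule("DenyAllCustom", 4096, "Deny", "*", ANY)]

if __name__ == "__main__":
    # Constructed packets: (source IP, service tag the platform maps it to, port).
    packets = [("203.0.113.7", "Internet", 443),
               ("198.51.100.9", "GatewayManager", 65300),
               ("168.63.129.16", "AzureLoadBalancer", 443)]
    for label, rules in [("client only", CLIENT_ONLY), ("with infra", WITH_INFRA),
                         ("with deny-all", WITH_DENY_ALL)]:
        for ip, tag, port in packets:
            print(label, tag, port, *evaluate(rules, ip, tag, port))
```

If a catch-all deny is added to the gateway subnet's NSG, explicit allow rules for `GatewayManager` and `AzureLoadBalancer` need lower priority numbers than the deny.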
-
Sai Prasanna Sinde 2,680 Reputation points • Microsoft Vendor
2024-12-17T06:27:06.14+00:00 Hi @Ashvini Vijaya Kumar (G10X, IND),
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Thanks,
Sai.
-
Ashvini Vijaya Kumar (G10X, IND) 0 Reputation points
2024-12-17T07:27:58.7066667+00:00 Hi @Sai Prasanna Sinde, I am stuck in setting up NSG rules and how to make the backend App Service available through the application gateway. Can you please help me with it? Thanks for sharing the steps.
-
Sai Prasanna Sinde 2,680 Reputation points • Microsoft Vendor
2024-12-17T08:44:28.9333333+00:00 Hi @Ashvini Vijaya Kumar (G10X, IND),
Greetings!
- Please allow traffic from the Application Gateway subnet. It allows traffic originating from your Application Gateway's subnet to reach your App Service.
- Reference: https://zcusa.951200.xyz/en-us/azure/app-service/overview-app-gateway-integration#:~:text=If%20you%20want%20to,an%20App%20Service%20Environment. Source: IP addresses of your Application Gateway subnet. Destination: Any (or specific port your app uses, like 80 or 443). Protocol: TCP
- Consider denying all other inbound traffic to further secure your App Service: add a rule with a lower priority that denies all other inbound traffic. This ensures only traffic from the Application Gateway is allowed.
- Allow internet traffic to the Application Gateway. This allows external users to access the Application Gateway. Source: Internet. Destination: Ports 80 or 443. Protocol: TCP.
- Allow traffic from the Application Gateway to the App Service subnet. This rule is often redundant if you have the corresponding rule on the App Service subnet, but it can be useful for clarity. Source: Application Gateway subnet. Destination: App Service subnet. Protocol: TCP.
- If you're using App Service access restrictions, make sure to allow the Application Gateway's subnet.
- Check the NSG flow logs; they can help you identify if traffic is being blocked by NSG rules.
- Reference: https://zcusa.951200.xyz/en-us/azure/virtual-network/virtual-network-nsg-manage-log#:~:text=You%20can%20enable%20NSG%20flow%20logging%20for%20an%20NSG%2C%20which%20logs%20all%20of%20the%20rule%20counter%20information%20and%20the%20source%20IP%20address%20that%20initiated%20the%20communication.
Kindly let us know if the above helps or you need further assistance on this issue.
Thanks,
Sai.
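For the flow-log check suggested in the reply above, the following added example (not part of the original reply) parses an NSG flow log in the version 2 JSON layout and lists inbound flows from the Application Gateway subnet that a rule denied, together with the rule name. The log content, subnet range `10.0.1.0/24`, addresses and rule names are constructed for illustration.

```python
import ipaddress
import json

# Constructed NSG flow log (version 2 layout).
# Tuple fields: time,src,dst,src port,dst port,protocol,direction,decision,state,...
SAMPLE_LOG = json.dumps({"records": [{
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_AllowAppGwSubnet", "flows": [{"mac": "000D3A000001",
            "flowTuples": ["1734425000,10.0.1.4,10.0.2.4,50122,443,T,I,A,B,,,,"]}]},
        {"rule": "UserRule_DenyAllCustom", "flows": [{"mac": "000D3A000001",
            "flowTuples": [
                "1734425010,10.0.1.5,10.0.2.4,50123,8080,T,I,D,B,,,,",
                "1734425020,10.0.3.9,10.0.2.4,40000,443,T,I,D,B,,,,"]}]},
    ]}}]})

def denied_inbound_from(log_text, source_cidr):
    """List (rule, src, dst, dst_port) for denied inbound flows from source_cidr."""
    net = ipaddress.ip_network(source_cidr)
    hits = []
    for record in json.loads(log_text)["records"]:
        for group in record["properties"]["flows"]:
            for per_mac in group["flows"]:
                for line in per_mac["flowTuples"]:
                    _, src, dst, _, dport, _, direction, decision = line.split(",")[:8]
                    if (direction == "I" and decision == "D"
                            and ipaddress.ip_address(src) in net):
                        hits.append((group["rule"], src, dst, int(dport)))
    return hits

if __name__ == "__main__":
    # 10.0.1.0/24 stands in for the Application Gateway subnet (assumed).
    for hit in denied_inbound_from(SAMPLE_LOG, "10.0.1.0/24"):
        print("blocked:", hit)
```

In the constructed log the gateway reaches the backend on 443 but is denied on 8080, the pattern seen when the backend setting's port is not covered by the allow rule.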
-
Sai Prasanna Sinde 2,680 Reputation points • Microsoft Vendor
2024-12-19T00:54:47.6333333+00:00 Hi @Ashvini Vijaya Kumar (G10X, IND),
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Thanks,
Sai.
-
Sai Prasanna Sinde 2,680 Reputation points • Microsoft Vendor
2024-12-20T07:46:19.57+00:00 Hi @Ashvini Vijaya Kumar (G10X, IND),
Greetings!
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Thanks,
Sai.