
Restrict access from app service to app gateway, Static VIP restriction or Service endpoint ?

Hello,

I have an application gateway with WAFV2 enabled.
I have an azure app service set as a backend pool.
I want to allow access to that app service only from the application gateway, so I can enforce WAF policies.

I wonder if there are any differences between:
- Setting only the static VIP of the application gateway to the IP restriction settings in my app service : https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#set-an-ip-address-based-rule
- Setting the application gateway subnet to the IP restriction settings so I can grant access to my app service through service endpoints : https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#set-a-service-endpoint-based-rule

In terms of:
- Security ?
- Networking ? (path used by requests sent to application gateway)
- Pricing ?

Thanks a lot for your answers.
Alexandre

Tags: azure-webapps, azure-virtual-network, azure-application-gateway

1 Answer

ryanchill answered:

Hi @alexmass,

I'll do my best to address your questions.

Security?

Both will restrict what traffic makes its way to your app service. Your app service will only respond to traffic you designate, whether it's by IP or by Service Endpoint.

Networking? (path used by requests sent to application gateway)

Using a Service Endpoint will gain an advantage, as the traffic traverses the Azure backbone; see https://docs.microsoft.com/en-us/azure/app-service/networking/app-gateway-with-service-endpoints#integration-with-app-service-multi-tenant. When it comes to the VIP, I'm not exactly sure if there are any efficiencies, but I would err toward saying no. More than likely, the traffic will go out to the internet and back in from a routing standpoint. You could circumvent this by using a private endpoint on the App Service.

Pricing ?

Your costs will come from the SKUs of the App Gateway and App Service. From what you've stated, I don't think you will need a private endpoint; see https://docs.microsoft.com/en-us/azure/app-service/networking/private-endpoint, but there is a cost associated if you go that route.
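
The two rule types the answer compares, as an added example that is not part of the question or answer: a small Python model of how App Service evaluates its `ipSecurityRestrictions` list for one incoming request. It encodes the behaviour the two linked docs describe (an IP-based rule matches the caller's source address against a CIDR; a service-endpoint-based rule matches the virtual network subnet the request arrived from; rules are checked in priority order and anything unmatched is denied once at least one rule exists). The resource IDs, IP addresses and rule names are made up, and the requests fed to it are constructed, so the point it shows is which source identity the App Service front end actually sees on each path: a request that reaches the app over the public path is judged by its source address, a request that arrives over a service endpoint is judged by its subnet, and a direct hit from anywhere else is denied either way. The `az` commands in the comments are the CLI equivalents for creating each rule.

```python
"""Model of App Service access-restriction evaluation (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Made-up identifiers standing in for the real resources.
GATEWAY_VIP = "20.50.60.70"  # static public VIP of the Application Gateway
GATEWAY_SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-edge"
    "/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-appgw"
)

# Option 1 from the question: allow only the gateway's static VIP.
# CLI equivalent:
#   az webapp config access-restriction add -g <rg> -n <app> \
#     --rule-name allow-appgw-vip --action Allow \
#     --ip-address 20.50.60.70/32 --priority 100
VIP_ONLY_RULES: List[Dict] = [
    {"name": "allow-appgw-vip", "priority": 100, "action": "Allow",
     "ipAddress": f"{GATEWAY_VIP}/32"},
]

# Option 2 from the question: allow the gateway subnet via a service endpoint.
# CLI equivalent:
#   az webapp config access-restriction add -g <rg> -n <app> \
#     --rule-name allow-appgw-subnet --action Allow \
#     --vnet-name vnet-hub --subnet snet-appgw --priority 100
SERVICE_ENDPOINT_RULES: List[Dict] = [
    {"name": "allow-appgw-subnet", "priority": 100, "action": "Allow",
     "vnetSubnetResourceId": GATEWAY_SUBNET_ID},
]


@dataclass(frozen=True)
class Request:
    """What the App Service front end knows about an incoming connection."""
    source_ip: str
    # Set only when the connection arrived over a service endpoint; the
    # platform then knows the originating subnet, not just a public address.
    source_subnet_id: Optional[str] = None


def rule_matches(rule: Dict, req: Request) -> bool:
    """True if a single ipSecurityRestrictions entry applies to req."""
    if "vnetSubnetResourceId" in rule:
        # Service-endpoint rule: identity of the source subnet. ARM resource
        # IDs are compared case-insensitively here.
        return (req.source_subnet_id or "").lower() == rule["vnetSubnetResourceId"].lower()
    if "ipAddress" in rule:
        # IP-based rule: CIDR (or bare address) match on the source address.
        cidr = rule["ipAddress"]
        if "/" not in cidr:
            cidr += "/32"
        return ip_address(req.source_ip) in ip_network(cidr, strict=False)
    return False


def evaluate(rules: List[Dict], req: Request) -> str:
    """Return 'Allow' or 'Deny' for req under the given restriction list."""
    if not rules:
        return "Allow"  # no restrictions configured: the app is public
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, req):
            return rule["action"]
    return "Deny"  # implicit unmatched-rule action once any rule exists


if __name__ == "__main__":
    # Constructed requests: the gateway over the public path, the gateway over
    # a service endpoint (source becomes a private address from its subnet),
    # and a client trying to bypass the WAF by calling the app directly.
    via_public = Request(source_ip=GATEWAY_VIP)
    via_endpoint = Request(source_ip="10.0.1.5", source_subnet_id=GATEWAY_SUBNET_ID)
    direct_hit = Request(source_ip="198.51.100.23")
    for label, rules in (("VIP rule", VIP_ONLY_RULES),
                         ("service endpoint rule", SERVICE_ENDPOINT_RULES)):
        for name, req in (("gateway via public path", via_public),
                          ("gateway via service endpoint", via_endpoint),
                          ("direct client", direct_hit)):
            print(f"{label:22} {name:30} -> {evaluate(rules, req)}")
```

Running it shows the practical difference between the two options: each rule admits the gateway only on the path whose source identity it checks, so the rule you pick has to match how the gateway actually reaches the app, and a bare IP rule trusts anything that can originate traffic from that address, not the gateway as such.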



Hello @ryanchill, thanks a lot for your answer.

I thought that whether we use the IP address of the Application Gateway as the IP restriction or the Service Endpoint, the traffic will always make at least one hop to an edge Azure router and then come back to the Azure backbone network. Then, as you say, we will have to use a Private endpoint to prevent this Internet routing from happening.
