data:image/s3,"s3://crabby-images/7bf3b/7bf3bad4fc603ddd525110a1859e3f435046b63c" alt="A Black and White Diagram"
To set up Azure Application Gateway VNet, you first need to create a virtual network (VNet) in Azure. This VNet serves as the foundation for your application gateway.
The VNet should be configured to support the specific needs of your application, such as the number of subnets required and the choice of IP address range.
For example, a common configuration is to create a VNet with a single subnet for the application gateway and a separate subnet for the back-end servers.
When creating the VNet, you'll also need to specify the IP address range, which should not overlap with the address range of any other network in your Azure subscription that this VNet will be peered or connected to.
Configuration Steps
To configure an Application Gateway in a virtual network, start by adding an entry in the privateLinkConfigurations section, which requires a different subnet than the gateway itself.
This configuration is crucial because once the Application Gateway is deployed to a subnet, it only allows other Application Gateways to share this subnet, but not other resources.
Add the privateLinkConfiguration to the frontendIPConfiguration, and note that you can share it with the public IP or separate it for various forwarding rules.
In your Application Gateway configuration, use HTTP on port 8080 for simplicity, but in production replace it with proper HTTPS, FQDNs, and certificates.
When creating a private endpoint in the Spoke network, make sure to match the name of the groupId with the name of the frontendIPConfiguration of the Application Gateway.
Stage 2 - Config
In Stage 2 - Config, we need to add a private link to our Application Gateway. This requires an entry in the privateLinkConfigurations section, which must be placed in the same virtual network but in a different subnet than the gateway itself.
To configure private link, you'll need to create a privateLinkConfiguration, which can be referenced on the frontendIPConfiguration. I've found that it's also possible to share this configuration with the public IP, allowing for various forwarding rules depending on the ingress source.
data:image/s3,"s3://crabby-images/bc291/bc29189ae34379da6be81d932afe8e1e84e4167b" alt="Computer server in data center room"
For my sample, I used HTTP on port 8080, but in production, you'll want to replace this with a proper HTTPS, FQDNs, and certificates.
Now that we have private link configuration in the Hub network, we can add a private endpoint in the Spoke network. It's essential to note that the name of the groupId added to the Private Endpoint must match the name of the frontendIPConfiguration of the Application Gateway.
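The private link configuration, the frontend shared with the public IP, and the spoke-side private endpoint described above, as an added Bicep example that is not the article's own code; resource names, subnet ids, the backend host apim.internal-api.net and the 2023-05-01 API version are assumptions.

```bicep
// Added example (not the article's Bicep); all names, subnet ids and the backend host are assumed.
param location string = resourceGroup().location
param appGwName string = 'appgw-hub'
param publicIpId string               // existing public IP resource id
param appGwSubnetId string            // dedicated gateway subnet: only AppGWs may live here
param privateLinkSubnetId string      // a different subnet in the same hub VNet
param spokePeSubnetId string          // spoke subnet that hosts the private endpoint
param backendFqdn string = 'apim.internal-api.net'

var frontendName = 'appgw-frontend'   // the private endpoint's groupIds must equal this name
var plConfigName = 'appgw-privatelink'
var gw = 'Microsoft.Network/applicationGateways'

resource appgw 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: appGwName
  location: location
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2', capacity: 2 }
    gatewayIPConfigurations: [ { name: 'gw-ipcfg', properties: { subnet: { id: appGwSubnetId } } } ]
    // Private link IPs are allocated from their own subnet, never from the gateway subnet.
    privateLinkConfigurations: [ {
      name: plConfigName
      properties: { ipConfigurations: [ { name: 'pl-ipcfg', properties: { primary: true, privateIPAllocationMethod: 'Dynamic', subnet: { id: privateLinkSubnetId } } } ] }
    } ]
    // One frontend shared by the public IP and the private link configuration.
    frontendIPConfigurations: [ {
      name: frontendName
      properties: { publicIPAddress: { id: publicIpId }, privateLinkConfiguration: { id: resourceId('${gw}/privateLinkConfigurations', appGwName, plConfigName) } }
    } ]
    frontendPorts: [ { name: 'port-8080', properties: { port: 8080 } } ]
    backendAddressPools: [ { name: 'apim-pool', properties: { backendAddresses: [ { fqdn: backendFqdn } ] } } ]
    // Plain HTTP on 8080 as in the article's sample; production wants HTTPS, FQDNs and certificates.
    backendHttpSettingsCollection: [ { name: 'http-8080', properties: { port: 8080, protocol: 'Http', cookieBasedAffinity: 'Disabled' } } ]
    httpListeners: [ { name: 'listener-8080', properties: { protocol: 'Http', frontendIPConfiguration: { id: resourceId('${gw}/frontendIPConfigurations', appGwName, frontendName) }, frontendPort: { id: resourceId('${gw}/frontendPorts', appGwName, 'port-8080') } } } ]
    requestRoutingRules: [ { name: 'rule-8080', properties: { ruleType: 'Basic', priority: 100, httpListener: { id: resourceId('${gw}/httpListeners', appGwName, 'listener-8080') }, backendAddressPool: { id: resourceId('${gw}/backendAddressPools', appGwName, 'apim-pool') }, backendHttpSettings: { id: resourceId('${gw}/backendHttpSettingsCollection', appGwName, 'http-8080') } } } ]
  }
}

// Spoke-side private endpoint that consumes the gateway's private link.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${appGwName}-pe'
  location: location
  properties: {
    subnet: { id: spokePeSubnetId }
    privateLinkServiceConnections: [ { name: 'to-appgw', properties: { privateLinkServiceId: appgw.id, groupIds: [ frontendName ] } } ]
  }
}
```

If the groupIds value does not match the frontendIPConfiguration name exactly, the private endpoint connection is rejected at deployment time, which is the check to run first when the spoke cannot reach the gateway.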
To connect the frontend and backend pool, navigate to the Configuration tab and select Add a rule under Routing rules. In the Add a routing rule window, enter the rule details, including the HTTP setting, then select Add to save the routing rule and return to the Configuration tab. Select Next: Tags to continue.
Creating a
Creating a virtual network, public IP address, and application gateway is a crucial step in the configuration process. This step involves selecting the "Create" option on the "Review + create" tab.
It may take several minutes for Azure to create the application gateway, so be patient and wait until the deployment finishes successfully.
To confirm that the deployment is successful, check the deployment status on the "Review + create" tab. You should see the following deployment statuses:
Private DNS Zone
A private DNS zone is required for the Spoke network to resolve traffic correctly to the Private Endpoint. This is a crucial step in setting up the Application Gateway.
You'll need to create a private DNS zone, as the Application Gateway does not have its own private endpoint DNS zones, unlike other Azure private link capable resources. I've used my own DNS zone internal-api.net for this purpose.
The private DNS zone is deployed using a Bicep file, specifically appgw-priv-dns.bicep. This file is a module of another Bicep file, apim.bicep, which is deployed in the first block of the deployment.
API Management and DNS
Private DNS zones are necessary for the Spoke network to resolve traffic correctly towards the Private Endpoint.
Application Gateway doesn't have its own private endpoint DNS zones, so you need to use your own DNS zone, like internal-api.net.
To deploy API Management, Application Gateway, and DNS zone, you'll need to split the deployment into multiple steps.
You can deploy an API to test calls to Function Apps hosted in Container Apps environment along with the API Management instance.
To make thorough tests, you might need to hop on a jump VM in the Spoke network.
The private DNS zone is deployed using the appgw-priv-dns.bicep file.
The deploy-stage-2.sh script deploys API Management and an API, and also deploys the private DNS zone using the appgw-priv.bicep module.
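An added Bicep example, not the article's appgw-priv-dns.bicep, showing the custom zone internal-api.net with an A record pointing at the private endpoint and a link to the Spoke VNet; the record name, the endpoint name, the VNet id and the reference() lookup of the endpoint's NIC address are assumptions.

```bicep
// Added example, not the article's appgw-priv-dns.bicep; names and ids below are assumed.
param zoneName string = 'internal-api.net'        // the zone the article uses
param apiHostName string = 'api'                  // assumed record: api.internal-api.net
param spokeVnetId string                          // spoke VNet that must resolve the name
param privateEndpointName string = 'appgw-hub-pe' // assumed name of the existing endpoint

resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' existing = {
  name: privateEndpointName
}

// The endpoint's private address is held by the NIC Azure attaches to it; read it at deploy time.
var peNicId = pe.properties.networkInterfaces[0].id
var peIp = reference(peNicId, '2023-05-01').ipConfigurations[0].properties.privateIPAddress

resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: zoneName
  location: 'global'   // private DNS zones are always global
}

// api.internal-api.net -> private endpoint IP; Application Gateway has no built-in zone for this.
resource apiRecord 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  parent: zone
  name: apiHostName
  properties: {
    ttl: 300
    aRecords: [ { ipv4Address: peIp } ]
  }
}

// Without the VNet link the spoke keeps resolving the name through public DNS.
resource spokeLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'spoke-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: spokeVnetId }
  }
}
```

From a jump VM in the Spoke network, resolving api.internal-api.net should now return the private endpoint address rather than a public one; if it does not, check the VNet link before anything else.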
Azure Application Gateway
Azure Application Gateway is a powerful tool for managing traffic to your Azure resources.
It must be installed into a Subnet inside one of your Azure Virtual Networks, which is dedicated to AppGW and can only contain AppGW resources.
This Subnet can be used to communicate with any backend resources that your Virtual Network has access to, including those connected via Peerings, VPN Gateways, or ExpressRoute connections.
To determine the right size for your Subnet, you'll want to consider the maximum number of IP addresses that could be used.
A single AppGW v2 can scale up to 125 instances, each taking up an IP address, for a total of 125 IP addresses.
Azure automatically reserves 5 IP addresses in every Subnet, and if you assign a Private IP to your AppGW, that's 1 more IP address needed, totaling 131 IP addresses.
Microsoft recommends using a /24 subnet (256 addresses) to be safe; a /25 subnet (128 addresses) would not cover the 131 addresses calculated above.
Backends Tab
The Backends tab is where you create and manage the backend pools that route requests to your backend servers.
To get started, you'll need to add a backend pool. You can do this by clicking "Add a backend pool" on the Backends tab. In the Add a backend pool window, you can enter the following values:
- Backend pool: engineering-backend-pool
Once you've entered the values, click "Add" to save the backend pool configuration and return to the Backends tab. This is where you can manage your backend pools and configure your Application Gateway.
Gateway
The Gateway itself has a few placement rules that are essential to understand. AppGW must be installed into a Subnet inside one of your Azure Virtual Networks.
To set up the Gateway, you'll need to create a Subnet dedicated to AppGW, which can only contain AppGW resources. All AppGWs in that Subnet must be the same SKU version, so you can't mix v1 and v2 in the same Subnet.
Since AppGW lives inside your Azure Subnet, it can communicate with any backend resources your Virtual Network has access to. This means you can leverage Peerings, VPN Gateways, or ExpressRoute connections to privately communicate with backend resources.
Calculating the Subnet size is crucial, as it needs to accommodate all the AppGW instances. A single AppGW v2 can scale up to 125 instances, each taking up an IP address; with the 5 addresses Azure reserves in every Subnet and 1 more for a private frontend IP, that comes to 131 IP addresses.
Listener Types
When setting up an Azure Application Gateway, you'll need to choose the right Listener type for your needs. There are two types of Listeners: Basic and Multi-Site.
A Basic Listener is a straightforward option that accepts all Hostnames; you can't set a Hostname with a Basic Listener. A Multi-Site Listener is more flexible and comes in two flavors.
A Multi-Site "Single" Listener allows you to specify only one Hostname, with no wildcards permitted. This option is simple but limited in its flexibility.
A Multi-Site "Multiple" Listener is more powerful, allowing you to specify anywhere from 1 to 5 different Hostnames, with wildcards also allowed. This option gives you more control over traffic routing.
SSL Policy
SSL Policy is used to define which TLS protocol versions are supported, which cipher suites are supported, and the order in which ciphers are used during a TLS handshake.
AppGW provides a handful of predefined policies for you to pick from, or you can create your own custom one.
You can configure SSL Policy at two different levels, either globally at the AppGW level, or per-site at the Listener level.
If an SSL Policy is applied at both levels, then the Listener’s SSL Policy will take precedence.
Frequently Asked Questions
Does an Application Gateway need a separate subnet?
No, an Application Gateway is always deployed in a virtual network subnet that contains only Application Gateways. For more information on virtual network and subnet requirements, see our documentation.
What is the difference between Application Gateway and virtual network gateway?
Application Gateway handles client requests to applications, while Virtual Network Gateway establishes secure connections between networks and Azure VNETs. In short, one routes traffic to apps, the other connects networks securely.