Hiding .Azurewebsites.net for backend pools in Application Gateway

Question

We have an azure Application Gateway set up for Path Based routing and SSL offloading and we have multiple backend pools which are pointing to azure web apps. we would like to stop people accessing the web apps directly using the raw .azurewebsite.net URL. this is a very common requirement and easily achieved by blocking access if ".azurewebsites.net" is used in the url or redirecting to the actual domain. but when App Gateway is involved, this is not doable since the health probes will be using the .azurewebsites.net URL and the domain name is only used from app gateway level.

anyone has a solution for the above scenario ?

Answer 1

You could redirect the default Azure domain to your actual domain exclude the health probes URL using URL rewrite. The probes path doesn't need to contains the host name. For example, /healthprobes.

<rewrite>
  <rules>
    <rule name="RedirectToActualHost" stopProcessing="true">
      <match url="(.)*" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="^your_default_auzre_domain$" />
        <add input="{REQUEST_URI}" pattern="^your_probes_path$" negate="true" />
      </conditions>
      <action type="Redirect" url="http://your_actual_host/{R:0}" />
    </rule>
  </rules>
</rewrite>

Answer 2

I achieved this by using the IP Restriction (Under Networking) of the App Service and added the IP of the Application Gateway so any other IP address is blocked i.e. will receive a 403. application Gateway health probe will still pass since it's IP has been white-listed