
I have an AppService deployed in a Spoke VNet (with a Private Endpoint). In front of this is an AppGw (in the Hub VNet).


It seems that it's not possible to control the AppGw outbound traffic with the Azure Firewall. I would therefore like to control it with an NSG in the Spoke Vnet directly where I have my private endpoint. (I want to only allow the green line)

However, I cannot figure out what rules I should put in place. As soon as I disable VNET to VNET traffic in the NSG, my AppGw cannot talk to the private link anymore even if I put an explicit rule from the AppGw to the private endpoint.

How can I secure the access to my private endpoint?

2d1b

1 Answer


I tried to understand your setup and collected the following points:

  • Connection from AppGw to App Service goes through linked service
    • Guessing that App Service has not been integrated with VNet(1)

It seems that it's not possible to control the AppGw outbound traffic with the Azure Firewall.

If you are not using VNet integration with App Service, then all outgoing traffic will use (shared) public IPs, and the App Service does not have any outgoing access to the Hub or Spoke VNets. This requires more clarification about your setup.

If you use VNet integration then you will get features like: "When regional virtual network integration is enabled, your app makes outbound calls through your virtual network."

Then you should be able to do the following:

  • Separate linked service subnet and App Service VNet Integration subnet
  • Send all outgoing traffic from App Service VNet Integration subnet to Firewall

(1) https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

jikuja
  • Thanks for your answer but my problem is with INBOUND traffic between the AppGw and my AppService (through a Private Endpoint)... My original goal was to push all outbound traffic to the FW but it doesn't seem to be possible... therefore I want to control the inbound traffic to the AppService with an NSG... but again... no luck – 2d1b Aug 25 '22 at 17:53
  • Are you using VNet integration with appservice or not? – jikuja Aug 27 '22 at 12:54
  • Yes but VNet Integration is for outbound traffic from the AppService. I am using a private endpoint for Inbound traffic to the App Service. Inbound traffic to the App service is what I want to secure. – 2d1b Aug 29 '22 at 00:19
  • UDR and NSG support for private endpoints was GA'd Aug 17th. Can you share the exact NSG rules you have used and related subnet settings? If you want to use Azure Firewall with connections from AppGW to Private endpoint you need to add routes into both subnets and send traffic to NVA, or did you already try it? – jikuja Aug 29 '22 at 08:18
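As an added example (not configuration from the question or the answer), the Bicep below shows the two spoke-side settings the last comment asks about: an NSG on the private-endpoint subnet that admits only the AppGw subnet on TCP/443 and denies the rest of the VirtualNetwork tag, together with the subnet-level network-policies switch that the NSG-on-private-endpoint GA feature introduced; without that switch, NSG rules are not evaluated for private-endpoint traffic. The subnet prefixes and the VNet name are assumptions.

```bicep
// Added example (not from the question or answer). Assumed: AppGw subnet 10.0.1.0/24, PE subnet 10.1.1.0/24, spoke VNet 'vnet-spoke'.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: 'vnet-spoke'
}
// Only the hub AppGw subnet may reach the private endpoint, and only on TCP/443.
resource peNsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'nsg-snet-private-endpoints'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        name: 'Allow-AppGw-To-PE-443'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.0.1.0/24'
          sourcePortRange: '*'
          destinationAddressPrefix: '10.1.1.0/24'
          destinationPortRange: '443'
        }
      }
      {
        // Overrides the default AllowVnetInBound rule (priority 65000), which admits every peered VNet.
        name: 'Deny-VNet-Inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
// NSG rules are ignored for private-endpoint NICs unless network policies are enabled on the subnet.
resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' = {
  parent: spokeVnet
  name: 'snet-private-endpoints'
  properties: {
    addressPrefix: '10.1.1.0/24'
    privateEndpointNetworkPolicies: 'Enabled'
    networkSecurityGroup: { id: peNsg.id }
  }
}
```

Deploying the subnet as its own resource replaces its full property set, so any delegations or route table already on that subnet must be restated in the same block.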