I am trying to set up an architecture where I have a static website stored on Azure storage and an App Container that serves the API. I would like to serve both from the same domain, but with a different path. The static site will be on the root path and the API will be on the /api path. I am writing an extension for an existing website and this URL setup is a requirement from it.

To achieve this result, I have an application gateway that can direct the requests based on the path (this already works), but so far it only has a public IP address. I also have a Front Door with a custom origin to the application gateway. The Front Door received a domain name from Azure and it is fine for now. My issue is that when I access the Front Door on https, it tries to access the App GW with https, but obviously it doesn't support it, since it only has an IP address and I didn't create an SSL certificate for it. Now, I am stuck, because I cannot configure the Front Door for SSL offloading, but I also cannot configure APP GW to accept https connections.

Does anybody know the right setup for this case?

Infinite Possibilities

1 Answer

You want to configure the application gateway to accept HTTPS connections when you are accessing the Front Door on HTTPS and it doesn’t support the SSL offloading and you are not able to redirect the same requests over HTTPS to the application gateway. Thus, in this scenario, to achieve this, you will have to add an NSG (Network Security Group) and link the Application Gateway subnet configured to it.

This will ensure that though the HTTPS connection requests are incoming through the Front Door, they will be routed correctly to the application gateway’s public IP address via the NSG rules in place as shown below:

[Image: NSG rules creation]

Ensure that all the other rules are not present in your NSG that is associated with the application gateway and only the highlighted ones are created and mentioned so that when the requests are received on the Azure front door over HTTPS, the request is routed through the NSG via above created inbound rules and forwarded as SSL HTTPS request over the said associated private IP address created in the virtual network.

Please find the rules as below:

Source: Service Tag
Source service tag: AzureFrontDoor.Backend
Source Port ranges: *
Destination: Any
Destination port ranges: *
Protocol: Any
Action: Allow
Priority: 200

Source: Service Tag
Source service tag: GatewayManager
Source Port ranges: *
Destination: Any
Destination port ranges: 65200-65535
Protocol: Any
Action: Allow
Priority: 300

Source: Service Tag
Source service tag: VirtualNetwork
Source Port ranges: *
Destination: Any
Destination port ranges: *
Protocol: Any
Action: Allow
Priority: 400

Source: Service Tag
Source service tag: AzureLoadBalancer
Source Port ranges: *
Destination: Any
Destination port ranges: *
Protocol: Any
Action: Allow
Priority: 500

Source: Any
Source Port ranges: *
Destination: Any
Destination port ranges: *
Protocol: Any
Action: Deny
Priority: 600

Once done, the application gateway accepts HTTPS requests from the Azure Front Door over Port 443 after configuring the custom domain on it.

For more information, kindly refer to the below links:

Azure Front Door in the front of Application Gateway

https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#when-should-we-deploy-an-application-gateway-behind-front-door-

Kartik Bhiwapurkar
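
The following is an added example, not part of the answer above and not Azure's own tooling. It models the five inbound rules from the answer, applies NSG first-match-by-priority evaluation to a few flows, and flags any extra Allow rule that would bypass the final Deny. Sources are matched as service-tag labels rather than IP ranges (a simplification), and the sample flows and the stray rule are constructed.

```python
# Added example: models the answer's five inbound NSG rules and first-match
# evaluation by priority. Sources are service-tag labels, not IP ranges
# (a simplification); the sample flows and the stray rule are constructed.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    priority: int
    source: str        # service tag, or "Any"
    ports: range       # destination port range
    action: str        # "Allow" or "Deny"

ALL_PORTS = range(0, 65536)
ANSWER_RULES = [
    Rule(200, "AzureFrontDoor.Backend", ALL_PORTS, "Allow"),
    Rule(300, "GatewayManager", range(65200, 65536), "Allow"),
    Rule(400, "VirtualNetwork", ALL_PORTS, "Allow"),
    Rule(500, "AzureLoadBalancer", ALL_PORTS, "Allow"),
    Rule(600, "Any", ALL_PORTS, "Deny"),
]
EXPECTED_ALLOW_SOURCES = {r.source for r in ANSWER_RULES if r.action == "Allow"}

def evaluate(rules, source_tag: str, dest_port: int) -> Optional[Rule]:
    """Return the first rule (lowest priority number) that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.source in ("Any", source_tag) and dest_port in rule.ports:
            return rule
    return None  # no custom rule matched; default rules are not modelled here

def unexpected_allows(rules):
    """Allow rules whose source is outside the answer's set and that are
    evaluated before the catch-all Deny, so they admit other traffic."""
    deny = min((r.priority for r in rules
                if r.action == "Deny" and r.source == "Any"), default=None)
    return [r for r in rules
            if r.action == "Allow" and r.source not in EXPECTED_ALLOW_SOURCES
            and (deny is None or r.priority < deny)]

if __name__ == "__main__":
    for tag, port in [("AzureFrontDoor.Backend", 443), ("Internet", 443),
                      ("GatewayManager", 65300), ("GatewayManager", 443)]:
        hit = evaluate(ANSWER_RULES, tag, port)
        print(f"{tag}:{port} -> {hit.action} (priority {hit.priority})")
    # Constructed stray rule, of the kind the answer says must not be present.
    stray = ANSWER_RULES + [Rule(150, "Internet", range(443, 444), "Allow")]
    print("unexpected allow rules:", unexpected_allows(stray))
```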