Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
Add Application Gateway to the current setup & NSG
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 77%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Mihiran Priyankara
20
Reputation points
I have one Azure subscription with two resource groups (A and B). Each resource group contains two servers:
- App Server – hosts an application (currently map with DNS Public IP).
DB Server – backend database server (no direct Internet access).
The App Server requires outbound Internet access for updates, but the DB Server should remain private.
Current Network Security Group (NSG) Configuration
App Server NSG
Inbound Rules
| Priority | Name | Port(s) | Protocol | Source | Destination | Action | Description |
|---|---|---|---|---|---|---|---|
| 1000 | VPN-MT | 22, 443 | TCP | 192.168.1.0/24 | ASG-MT | Allow | Allow management/VPN access |
| 1000 | VPN-MT | 22, 443 | TCP | 192.168.1.0/24 | ASG-MT | Allow | Allow management/VPN access |
| 1100 | MT-INT | 443 | TCP | Internet | ASG-MT | Allow | App accessible via Internet |
| 1110 | MGW-MT | Any | Any | 10.10.10.4, | -10.10.10.5 | Allow | Internal MGW communication |
| 4096 | DenyAll-Inbound | Any | Any | Any | Any | Deny | Default deny rule |
Outbound Rules
| Priority | Name | Port(s) | Protocol | Source | Destination | Action | Description |
|---|---|---|---|---|---|---|---|
| 1100 | MTtoINT | 80, 443 | TCP | ASG-MT | Internet | Allow | Allow app Internet access |
| 1100 | MTtoINT | 80, 443 | TCP | ASG-MT | Internet | Allow | Allow app Internet access |
| 1200 | MT-DB | 1521 | TCP | ASG-MT | ASG-DB | Allow | Allow DB connection |
| 4096 | DenyAll-Outbound | Any | Any | Any | Any | Deny | Default deny rule |
DB Server NSG
Inbound Rules
| Priority | Name | Port(s) | Protocol | Source | Destination | Action | Description |
|---|---|---|---|---|---|---|---|
| 1000 | VPN-DB | 22,1521 | TCP | 192.168.1.0/24 | 10.10.1.6 | Allow | VPN/DB access |
| 1000 | VPN-DB | 22,1521 | TCP | 192.168.1.0/24 | 10.10.10.6 | Allow | VPN/DB access |
| 1100 | MT-DB | 1521 | TCP | ASG-MT | ASG-DB | Allow | App → DB communication |
| 1101 | DBUATtoDBCFG | 1521 | Any | ASG-DB-UAT | ASG-DB | Allow | DB inter-env communication |
| 1200 | MGT-DB | 22 | TCP | 10.10.10.4 | 10.10.10.6 | Allow | Management SSH access |
| 1300 | MGT-DB2 | 1521,5901,5902 | TCP | 10.10.10.4 | 10.10.10.6 | Allow | Admin tool access |
| 4096 | DenyAll-Inbound | Any | Any | Any | Any | Deny | Default deny rule |
Outbound Rules
| Priority | Name | Port(s) | Protocol | Source | Destination | Action | Description |
|---|---|---|---|---|---|---|---|
| 1100 | DB-ALLOW | 443 | TCP | ASG-DB | Internet | Allow | DB outbound for updates |
| 1100 | DB-ALLOW | 443 | TCP | ASG-DB | Internet | Allow | DB outbound for updates |
| 1300 | DB-INT-DENY | 80,443 | Any | ASG-DB | Internet | Deny | Block unwanted Internet traffic |
| 1301 | DBtoDB | 1521 | Any | ASG-DB | ASG-DB-UAT | Allow | Inter-DB communication |
| 4096 | DenyAll-Outbound | Any | Any | Any | Any | Deny | Default deny rule |
I want to add an Application Gateway to this architecture to securely expose the App Server to the Internet and make use of its advanced features. Could you please provide the required NSG rules and the configuration steps for setting up the Application Gateway?
Azure Application Gateway
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Ganesh Patapati 9,885 Reputation points Microsoft External Staff Moderator2025-10-23T14:14:35.43+00:00 Hello Mihiran Priyankara
Below is a clean, Azure‑recommended way to insert Application Gateway (WAF_v2) in front of your App Servers, keep DB Servers private, and tighten NSGs—plus the exact rule sets and step‑by‑step configuration you can follow.
- Target Architecture
- Dedicated subnet for Application Gateway (e.g.,
ApplicationGatewaySubnet, /24 recommended for v2 SKUs). App Gateway must live in a dedicated subnet and be in the same virtual network as the private backends it will reach. - App Server subnets remain private (no public IPs on VMs). All Internet ingress flows terminate on the App Gateway; the gateway then reaches App VMs on private IPs.
- DB Server subnets stay private; only App Server(s) reach DB port(s).
- Outbound for App/DB: use NAT Gateway on those subnets (best practice) or Azure Firewall if you need inspection. Do not block outbound on the App Gateway subnet—that breaks WAF_v2/fast‑update validation.
- NSG rule sets you can apply
The lists below assume:
- App Gateway frontend listens on 80/443.
- Backends are your App Servers over HTTP/HTTPS (adjust the ports if your app differs).
- DB listens on TCP 1521 (as in your current rules).
A. NSG for
ApplicationGatewaySubnet(attach to the App Gateway subnet)allow Internet to hit the gateway’s listeners; allow Azure control-plane and probes; don’t block required outbound.
Inbound (allow):
- Internet → 80/443 (TCP) — users reach the gateway
- Source: Internet, Dest: ApplicationGatewaySubnet, Ports: 80,443, Protocol: TCP, Action: Allow, Priority: 100
- Azure Load Balancer probes — health/probe traffic
- Source: AzureLoadBalancer service tag, Dest: ApplicationGatewaySubnet, Port: 443 (and any health probe you configure), Protocol: TCP, Action: Allow, Priority: 110
- GatewayManager control‑plane — required for v2 SKUs
- Source: GatewayManager service tag, Dest: ApplicationGatewaySubnet, Ports: 65200-65535, Protocol: Any, Action: Allow, Priority: 120
Inbound (deny all):
- DenyAll-Inbound — Any/Any, Priority
4096(your default)
Outbound (allow):
- ApplicationGatewaySubnet → Internet — must remain allowed for WAF_v2/fast updates
- Source:
ApplicationGatewaySubnet, Dest:Internet, Ports:Any, Protocol:Any, Action:Allow, Priority:100
- Source:
- ApplicationGatewaySubnet → VirtualNetwork — to reach your backends (App Servers)
- Source:
ApplicationGatewaySubnet, Dest:VirtualNetwork, Ports:Any, Protocol:Any, Action:Allow, Priority:110
- Source:
Important: Avoid a “DenyAll‑Outbound” on the App Gateway subnet. Validation fails for v2/fast‑update if outbound is blocked—even if you think “Internet” is still allowed. Leave outbound open or control egress via Azure Firewall/NAT Gateway on other subnets.
B. NSG for App Server subnet(s) (attach to subnets with App VMs)
Goal: only traffic from the App Gateway subnet should reach the app; allow app → DB; allow controlled outbound (updates) via NAT/FW.
Inbound (allow):
- From App Gateway → App ports
- Source: CIDR of
ApplicationGatewaySubnet(the gateway’s subnet; probes/data path originate here for private backends), Dest: App subnet orASG-MT, Ports: your app ports (e.g.,80,443), Protocol:TCP, Action:Allow, Priority:100
- Source: CIDR of
Refer : https://free.blessedness.top/en-us/azure/application-gateway/application-gateway-probe-overview
- From on‑prem/VPN for admin (if needed)
- Source:
192.168.1.0/24, Dest: App subnet/ASG-MT, Ports:22,443, Protocol:TCP, Action:Allow, Priority:200
- Source:
Inbound (deny catch‑all):
- DenyAll-Inbound, Priority
4096
Outbound (allow):
- App → DB
- Source: App subnet/
ASG-MT, Dest: DB subnet/ASG-DB, Port:1521, Protocol:TCP, Action:Allow, Priority:100
- App → Internet (updates) — ideally via NAT Gateway on the App subnet
- Source: App subnet/
ASG-MT, Dest:Internet, Ports:80,443, Protocol:TCP, Action:Allow, Priority:200
- Source: App subnet/
- Source: App subnet/
Outbound (deny catch‑all):
- DenyAll-Outbound, Priority
4096(safe on App subnets; the NAT/FW rules still work)
C. NSG for DB Server subnet(s)
only the App tier and approved admin sources reach DB; controlled outbound (updates) as you require.
Inbound (allow):
- App → DB
- Source: App subnet/
ASG-MT, Dest: DB subnet/ASG-DB, Port:1521, Protocol:TCP, Action:Allow, Priority:100
- Admin/VPN (SSH) (if you truly need it)
- Source:
192.168.1.0/24(or your jump host), Dest: DB subnet/ASG-DB, Port:22, Protocol:TCP, Action:Allow, Priority:200
- Source:
- Source: App subnet/
Inbound (deny catch‑all):
- DenyAll-Inbound, Priority
4096
Outbound (allow/deny):
- If DB needs patching via Internet:
- Allow Dest:
Internet, Port:443, Protocol:TCP, Priority110- Deny Dest:
Internet, Port:80, Protocol:Any, Priority120(so HTTPS updates are allowed, HTTP blocked) - Inter‑DB (UAT ↔ CFG etc.) as required:
- Allow Dest:
ASG-DB-UAT, Port:1521, Protocol:Any, Priority130 - DenyAll-Outbound, Priority
4096
- Allow Dest:
- Deny Dest:
- Allow Dest:
Clean up duplicates in your current NSGs (you have repeated rules). Keep priorities so the HTTPS allow precedes any broader Internet deny.
I hope this was helpful!
If the above is unclear or you are unsure about something, please add a comment below.
Sign in to comment
Sign in to answer