Secure Access Design for Azure App Service Behind Public Gateway with VPN and IP Restrictions

Yasemin Aykalkan (Zer A.Ş.) 40 Reputation points
2025-04-30T17:00:13.0366667+00:00

Hi everyone,

We have an App Service running in Azure, and we are trying to implement strict and secure access controls — both for external integrations and internal users via VPN. We’ve configured the App Service’s access restrictions to allow only specific IP addresses and subnets. At the same time, we want to avoid exposing the default domain (*.azurewebsites.net) publicly without proper protections. Some external systems need to access the App Service over the internet — we want to allow these based on whitelisted IPs. Meanwhile, internal users are expected to connect through VPN.

To support both scenarios, we placed the App Service behind an Azure Application Gateway (Public Tier, WAF v2) that already had a WAF policy in place and was actively in use.

However, this architecture — as expected — introduced a critical issue:

The App Service must allow the public IP of the Application Gateway to receive traffic. As a result, the App Service becomes publicly accessible, since the client’s original IP address is not preserved when requests pass through the gateway.

To secure the setup, we tried using a Private Endpoint for the App Service and restricted access to only trusted VNets. Our intent was to ensure that external clients would not be able to resolve the private DNS unless they were connected to a secure network or VPN.

However, this introduced another challenge:

For the Application Gateway to remain healthy and forward traffic properly, it must be able to resolve the App Service's private DNS name and connect to its private IP. This forced us to either:

Deploy the Private Endpoint and Private DNS Zone in the same VNet as the Application Gateway, or

Host them in a separate VNet and configure VNet peering between the gateway VNet and the App Service VNet.

(Adding a virtual network link to the private DNS zone seemed sufficient for DNS resolution, but I assume it wasn't enough to route traffic to the private IP, so peering became necessary.)

The core issue is this:

Initially, we thought combining Application Gateway with a Private Endpoint would provide the necessary isolation and control. However, once the Application Gateway is able to resolve the private DNS and reach the Private Endpoint, any request, regardless of the client’s real IP, VNet, or VPN status, is treated as trusted internal traffic. In effect, the gateway becomes a public entry point into the Private Endpoint — which defeats our IP/VPN restriction strategy and brings us back to the original problem.

Could you please review our current architecture and confirm whether any misconfigurations might be at play? We're also looking for secure design recommendations that:

Protect the App Service from unauthorized public access

Allow access via whitelisted external IPs

Support internal access via VPN

Use WAF for external traffic inspection

Thanks in advance for your insights and guidance!
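The failure mode described above, as an added example that is not part of the original post: once the App Service's access restriction admits the Application Gateway's address, the origin can no longer tell allowed external clients from anyone else who happens to arrive through the gateway, unless it also looks at the client address the gateway forwards. The code below contrasts the naive check (trust everything from the gateway) with a check that reads only the last X-Forwarded-For hop, the one the trusted gateway itself appended. The gateway address 20.0.0.10, the allowlist, and the requests are constructed sample data; the assumption that Application Gateway appends the real client as the last hop, possibly in IP:port form, is mine and should be verified against your own gateway's traffic.

```python
"""Added example: origin-side client allowlisting behind a reverse proxy.

Assumptions (not from the page): the origin only accepts connections from the
gateway address in GATEWAY_IPS (hypothetical), and the gateway appends the
real client to X-Forwarded-For as the last hop, possibly as "IP:port".
"""
from ipaddress import ip_address, ip_network

GATEWAY_IPS = {ip_address("20.0.0.10")}  # hypothetical gateway address seen by the origin
ALLOWED_CLIENTS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]  # sample allowlist


def _strip_port(hop: str) -> str:
    """Return the address part of an X-Forwarded-For hop ("IP", "IP:port", "[v6]:port")."""
    hop = hop.strip()
    if hop.startswith("["):               # bracketed IPv6 with port
        return hop[1:hop.index("]")]
    if hop.count(":") == 1:               # IPv4 with port
        return hop.split(":")[0]
    return hop                            # plain IPv4 or IPv6


def real_client_ip(peer_ip: str, xff_header):
    """Client address as vouched for by the trusted gateway, or None.

    Only the last hop is trusted: earlier entries were sent by the client and
    can be forged. A direct connection (peer not a known gateway) yields None.
    """
    if ip_address(peer_ip) not in GATEWAY_IPS or not xff_header:
        return None
    hops = [h for h in xff_header.split(",") if h.strip()]
    return ip_address(_strip_port(hops[-1]))


def naive_decide(peer_ip: str, headers: dict) -> bool:
    """The check the post describes: anything arriving from the gateway is trusted.

    This is what makes the App Service effectively public once the gateway's
    IP is on the access-restriction allowlist.
    """
    return ip_address(peer_ip) in GATEWAY_IPS


def decide(peer_ip: str, headers: dict):
    """Return (allowed, reason) after resolving the real client through the gateway."""
    client = real_client_ip(peer_ip, headers.get("X-Forwarded-For"))
    if client is None:
        return False, "not via trusted gateway"
    if any(client in net for net in ALLOWED_CLIENTS):
        return True, f"client {client} allowlisted"
    return False, f"client {client} not allowlisted"


if __name__ == "__main__":
    # Constructed requests: allowlisted client, unlisted client spoofing an
    # allowlisted address in its own XFF, and a direct hit bypassing the gateway.
    samples = [
        ("20.0.0.10", {"X-Forwarded-For": "203.0.113.5:51234"}),
        ("20.0.0.10", {"X-Forwarded-For": "203.0.113.5, 192.0.2.77:40000"}),
        ("192.0.2.77", {"X-Forwarded-For": "203.0.113.5"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "naive:", naive_decide(peer, hdrs), "checked:", decide(peer, hdrs))
```

The same check can be pushed to the edge instead of the app: App Service access restriction rules can match on the X-Forwarded-For header, and an Application Gateway WAF custom rule can deny on the client address before the request is ever forwarded, which keeps the gateway's public IP as the only thing the origin trusts while still enforcing the external allowlist.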

Azure Application Gateway

Accepted answer
Praveen Bandaru 3,145 Reputation points Microsoft External Staff Moderator
    2025-04-30T17:52:40.25+00:00

    Hello Yasemin Aykalkan (Zer A.Ş.)

    I understand that you were dealing with a complex setup involving your Azure App Service, Application Gateway, and Private Endpoints.

    Based on your description, it appears you want to ensure your App Service is not publicly accessible, while allowing trusted external IPs and providing secure internal access via VPN. Here’s a summary to enhance your architecture and security:

    1. Configure access restriction rules on your App Service to allow access only from the Application Gateway's public IP address using IP-based restrictions.
    2. If you want to connect privately to the App Service, you can deploy a private endpoint and target the App Service. This will establish an internal connection only within the VNet range, allowing access only to the App Service. Check the document for private endpoints for Azure App Service apps.
    3. Maintain robust WAF policies to inspect incoming traffic, protecting against common threats with custom rules as needed.
    4. Ensure VNet peering is configured correctly if your Application Gateway and App Service are in separate VNets, and that the Application Gateway has a route to the App Service's private IP.
    5. If you want to connect the App Service through the Application Gateway using a Hostname, you need to configure a DNS record pointing to the Application Gateway's frontend Private IP. Only then will the traffic pass through the Application Gateway privately.
    6. If you want to configure a single private IP for Application Gateway in its preview state, do not use it in a production environment. You need to configure both public and private frontend IPs on Application Gateway. Reference document: Application Gateway frontend IP address configuration
    7. Utilize Azure AD for Identity and Access Management to ensure only authenticated users can access your App Service.
    8. After implementing these changes, use tools like Azure Network Watcher to monitor network traffic, ensuring only whitelisted IPs can reach your Application Gateway and that the App Service remains inaccessible directly from the internet.
    9. Are you using Azure VPN Gateway for your internal users to connect via VPN?

    Hope the above answer helps! Please let us know if you have any further queries.

    Please consider up-voting wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.
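Step 8 of the answer asks for monitoring that proves two things: only allowlisted clients are served by the Application Gateway, and nothing reaches the App Service except from the gateway. The following is an added example, not part of the answer, that runs those two checks over constructed sample records. The record shapes follow the Application Gateway access log (ApplicationGatewayAccessLog resource log) and the App Service HTTP log (AppServiceHTTPLogs) as I understand them; the field names, the gateway address 20.0.0.10 and the allowlist are assumptions, and every record is made up for the example.

```python
"""Added example: auditing gateway and origin logs for allowlist enforcement.

Field names and the gateway address are assumptions; all records are constructed.
"""
import json
from ipaddress import ip_address, ip_network

ALLOWED_CLIENTS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
GATEWAY_IPS = {ip_address("20.0.0.10")}  # hypothetical address the App Service sees for the gateway

# Constructed Application Gateway resource-log lines (one JSON object per line).
AGW_ACCESS_LOG = """
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"203.0.113.5","host":"api.example.com","requestUri":"/orders","httpStatus":200}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"192.0.2.77","host":"api.example.com","requestUri":"/orders","httpStatus":200}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"192.0.2.78","host":"api.example.com","requestUri":"/admin","httpStatus":403}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"192.0.2.79","requestUri":"/login","action":"Blocked"}}
""".strip().splitlines()

# Constructed App Service HTTP-log records.
APP_SERVICE_HTTP_LOG = [
    {"CIp": "20.0.0.10", "CsHost": "api.example.com", "CsUriStem": "/orders", "ScStatus": 200},
    {"CIp": "198.51.100.200", "CsHost": "myapp.azurewebsites.net", "CsUriStem": "/", "ScStatus": 403},
    {"CIp": "198.51.100.201", "CsHost": "myapp.azurewebsites.net", "CsUriStem": "/health", "ScStatus": 200},
]


def _allowlisted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def agw_served_unlisted_clients(lines):
    """Access-log requests answered with a non-error status for a client that
    is not on the allowlist. Any hit means the edge is not enforcing the list
    (the origin cannot, since it only ever sees the gateway's address)."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("category") != "ApplicationGatewayAccessLog":
            continue  # firewall-log entries use a different schema; skip them here
        p = rec["properties"]
        if p["httpStatus"] < 400 and not _allowlisted(p["clientIP"]):
            hits.append((p["clientIP"], p["requestUri"], p["httpStatus"]))
    return hits


def app_service_direct_hits(records):
    """Requests that reached the App Service from anything other than the gateway.

    A 403 means the access restriction rejected the caller; a success status
    means a path around the gateway (and therefore around the WAF) exists.
    """
    found = []
    for r in records:
        if ip_address(r["CIp"]) in GATEWAY_IPS:
            continue
        verdict = "BYPASS" if r["ScStatus"] < 400 else "blocked"
        found.append((r["CIp"], r["CsHost"], r["CsUriStem"], r["ScStatus"], verdict))
    return found


if __name__ == "__main__":
    for hit in agw_served_unlisted_clients(AGW_ACCESS_LOG):
        print("gateway served unlisted client:", hit)
    for hit in app_service_direct_hits(APP_SERVICE_HTTP_LOG):
        print("direct hit on App Service:", hit)
```

The same two queries are usually run in Log Analytics instead of Python; the value of writing them out is the split: allowlist violations can only be seen in the gateway's logs, while bypasses of the gateway can only be seen in the App Service's logs, so both sources need to be collected.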

0 additional answers
