Tags: azure, azure-web-app-service, azure-virtual-network, azure-application-gateway, azure-database-mysql

Azure App Gateway, App Services and Database for MySQL Server - Disable public access on App Services


In Azure I currently have an Application Gateway, two App Services and two Azure Database for MySQL Servers. The two MySQL Database Servers have public access disabled, so they can only be reached through the App Service and/or the VNet. Now, I would like the two App Services not to be accessible by the public either, i.e. with public access disabled. I have tried different options to do this, but I keep getting a “502 Bad Gateway” error when accessing the App Services both internally and externally.

Below some more information:

VNET (192.168.100.0/22)
  • Subnet App_Gateway_V2 (192.168.101.80/28)
  • Subnet AppSvcSubnet (192.168.102.0/24)
  • Subnet PrivateLinkSubnet (192.168.103.0/24)

None of the subnets are linked to a NSG.

The Application Gateway has both a public and a private frontend IP. Private IP = 192.168.101.84, Public IP = 108.xxx.xxx.xx

The App Services have the VNet Integration enabled for outbound traffic (AppSvcSubnet).

The Azure Database for MySQL Servers have public access disabled and have a Private Endpoint configured. The Private Endpoint is in subnet PrivateLinkSubnet. When opening the Private Endpoint, it also has a Private DNS zone (privatelink.mysql.database.azure.com) with IP address 192.168.103.5.

The above is the current situation as it is now. Like I mentioned, I would now like to disable public access on the App Services as well. What I tried is creating a Private Endpoint for inbound traffic to the App Service (in PrivateLinkSubnet, with the Private DNS zone enabled, IP 192.168.103.20). For the Access Restrictions I selected the option: Public network access - Enabled from select virtual networks and IP addresses. Then, in the allow rules I added the following rules:

  • Allow AppGw Traffic (192.168.101.84/32)
  • Allow AppGw Traffic (108.xxx.xxx.xx/32)
  • Allow VNET Traffic (192.168.100.0/22)

However, with the above configuration I can still access the Web App both internally and externally. When removing the rule Allow AppGw Traffic (108.xxx.xxx.xx/32), I cannot reach the Web App anymore, internally or externally. I receive the “502 Bad Gateway” error.

Does someone know what I’m doing wrong or how I can configure it correctly?

Thank you in advance.


Solution

  • I would like the two App Services not to be accessible by the public either, i.e. with public access disabled. I have tried different options to do this, but I keep getting a “502 Bad Gateway” error when accessing the App Services both internally and externally.

    The 502 Bad Gateway error occurs when trying to access the app service via the Application Gateway's public IP because the Application Gateway is unable to communicate with the app service.


    To resolve the issue, you may need to enable Selected Networks in the App Service networking settings and add the Application Gateway's public IP. This is a valid approach.

    Alternatively, you can disable public access to the App Service and enable a private endpoint with a valid Private DNS zone configuration.


    App Service Private Endpoint DNS Configuration


    Virtual Network link configuration


    When I try to access the App Service URL via the public network, it's throwing an error as expected.


    Application Gateway configuration


    App service is accessible via application gateway Public IP


    To enable communication between the app service and the SQL Server database, you can enable a private endpoint for the MySQL database, allowing them to communicate with each other securely.
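The answer offers two designs: keep the public endpoint but filter callers with access restrictions, or disable public access and front the app with a private endpoint plus a private DNS zone. The script below is an added example (not from the question or the answer, and not an export from any Azure subscription) that models both offline so you can see why each configuration from the question behaves as it does. It assumes that an Application Gateway v2 reaching a backend over its public hostname sends that traffic from its public frontend IP, that App Service access restrictions are evaluated in ascending priority order with an implicit deny once any rule exists, and that the private DNS zone for App Service private endpoints is privatelink.azurewebsites.net. The redacted gateway public IP (108.xxx.xxx.xx) is replaced by the documentation address 203.0.113.10, and the app name "myapp" is a placeholder.

```python
"""Offline model of the two ways to take an App Service off the public internet
while an Application Gateway still fronts it.  Values are constructed from the
question; nothing here talks to Azure."""
import ipaddress

# ---- Option 1: public endpoint kept, access restrictions filter the callers ----

def access_restriction_allows(rules, source_ip):
    """Evaluate App Service access-restriction rules the way the platform does
    (assumption): lowest priority number first, first matching rule wins, and
    as soon as any rule exists, a source matching no rule is denied."""
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if src in ipaddress.ip_network(rule["cidr"]):
            return rule["action"] == "Allow"
    return not rules  # no rules at all -> the app is open to everyone

APPGW_PRIVATE_IP = "192.168.101.84"
APPGW_PUBLIC_IP = "203.0.113.10"   # placeholder for the redacted 108.xxx.xxx.xx
INTERNET_CLIENT = "198.51.100.7"   # constructed: some random internet host

# Assumption: an Application Gateway v2 that reaches a backend over the backend's
# public hostname egresses from its public frontend IP, so the second rule is the
# one that lets the gateway through; removing it is what produces the 502.
RULES_WITH_PUBLIC_IP = [
    {"priority": 100, "action": "Allow", "cidr": "192.168.101.84/32"},
    {"priority": 200, "action": "Allow", "cidr": "203.0.113.10/32"},
    {"priority": 300, "action": "Allow", "cidr": "192.168.100.0/22"},
]
RULES_WITHOUT_PUBLIC_IP = [r for r in RULES_WITH_PUBLIC_IP if r["cidr"] != "203.0.113.10/32"]

# ---- Option 2: public access disabled, private endpoint + private DNS zone ----

# Constructed from the question's addressing; "myapp" is a placeholder app name.
GOOD_CONFIG = {
    "app_name": "myapp",
    "public_network_access": "Disabled",
    "vnet_name": "vnet-prod",
    "vnet_cidr": "192.168.100.0/22",
    "appgw_subnet": "192.168.101.80/28",
    "private_endpoint_ip": "192.168.103.20",
    "private_dns_zone": {
        "name": "privatelink.azurewebsites.net",
        "a_records": {"myapp": "192.168.103.20", "myapp.scm": "192.168.103.20"},
        "vnet_links": ["vnet-prod"],
    },
    # The backend pool must target the hostname, not an IP, so the gateway's
    # DNS lookup is answered from the private zone with the endpoint IP.
    "appgw_backend_target": "myapp.azurewebsites.net",
}

def check_private_endpoint_setup(cfg):
    """Return the list of misconfigurations that would leave the app either
    still public or unreachable by the gateway.  Empty list == consistent."""
    problems = []
    vnet = ipaddress.ip_network(cfg["vnet_cidr"])
    pe_ip = ipaddress.ip_address(cfg["private_endpoint_ip"])
    zone = cfg["private_dns_zone"]
    if cfg["public_network_access"] != "Disabled":
        problems.append("publicNetworkAccess is not Disabled: the app is still reachable from the internet")
    if pe_ip not in vnet:
        problems.append(f"private endpoint IP {pe_ip} lies outside VNet {vnet}")
    if not ipaddress.ip_network(cfg["appgw_subnet"]).subnet_of(vnet):
        problems.append("Application Gateway subnet is not in the VNet that holds the private endpoint")
    if zone["name"] != "privatelink.azurewebsites.net":
        problems.append(f"zone {zone['name']} is not the App Service private-link zone")
    if zone["a_records"].get(cfg["app_name"]) != str(pe_ip):
        problems.append("A record for the app does not point at the private endpoint IP")
    if cfg["vnet_name"] not in zone["vnet_links"]:
        problems.append("private DNS zone has no virtual network link to the VNet, so the gateway resolves the public IP")
    if cfg["appgw_backend_target"] != f"{cfg['app_name']}.azurewebsites.net":
        problems.append("backend pool should target the app hostname so the private zone answers the lookup")
    return problems

if __name__ == "__main__":
    for label, rules in (("with public-IP rule", RULES_WITH_PUBLIC_IP),
                         ("without public-IP rule", RULES_WITHOUT_PUBLIC_IP)):
        print(label, "-> gateway allowed:", access_restriction_allows(rules, APPGW_PUBLIC_IP),
              "| internet client allowed:", access_restriction_allows(rules, INTERNET_CLIENT))
    print("private endpoint design problems:", check_private_endpoint_setup(GOOD_CONFIG))
```

The first model reproduces the question's observation: with the public-IP rule present the gateway is allowed but so is anything that matches a rule, while without it the gateway itself is denied and returns 502. The second model is the checklist the answer's screenshots walk through (private DNS zone, VNet link, hostname-based backend); the VNet-link check is the one most often missed, because without it the gateway resolves the public address that the app no longer serves.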