This is a continuation of the previous article:
As with any firewall, the application gateway must declare its routing rules and the HTTP listener that each rule's matches are served from. Redirects and rewrite rule sets can also be specified here, along with a priority that orders the rules. The gateway must have a private address as well as a public address when it is to be reached from both networks. The applications must specify the private address of the application gateway as the only address they accept traffic from. They must also specify CORS by setting the Access-Control-Allow-Origin response header. This completes the restriction of traffic to the backend: it is no longer reachable from the public internet and is permitted only via the application gateway.
Some practices apply as with many other Azure resources. For example, the portal advisor might suggest that some features are unnecessarily turned on. It is possible to avoid custom health probes altogether, but the documentation recommends them because those probes help you articulate what must be monitored.
Similarly, there are features on the application gateway that provide “insights” into how the gateway is working. These are displayed from the metrics that the resource collects. Resources external to the gateway, such as Network Watcher, can help with troubleshooting network connectivity issues.
SSL profiles help to configure client authentication as well as a listener-specific SSL policy. A certificate is added to the profile, but this can be skipped when all the app services in the backend pool are internal. The same applies to rewrites and redirections, which can be avoided if the application gateway can pass traffic through unchanged. When rewrite sets are used, they must be associated with the routing rules that apply them.
Some examples of setting up the application gateway show URL path maps that include wildcard characters. If the paths differ between the rules so that a request matches exactly one of them, this is fine. Some usages write the rules so that a request matches more than one of them, with the final match being the most qualified path. This is better avoided, because discrete enumerations of the rules are much easier to test, diagnose and maintain.
Sample URL maps could be as follows:
url_path_maps = [
  {
    name                               = "gw-url-path"
    default_backend_address_pool_name  = "app-gw-centralus-bapool01"
    default_backend_http_settings_name = "app-gw-centralus-be-http-set1"
    path_rules = [
      {
        name                       = "api"
        paths                      = ["/api/*"]
        backend_address_pool_name  = "app-gw-centralus-bapool01"
        backend_http_settings_name = "app-gw-centralus-be-http-set1"
      },
      {
        name                       = "videos"
        paths                      = ["/videos/*"]
        backend_address_pool_name  = "app-gw-centralus-bapool02"
        backend_http_settings_name = "app-gw-centralus-be-http-set2"
      }
    ]
  }
]
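To check a path map for the overlapping rules discussed above, here is an added Python example (not code from the post) that lints a constructed copy of the sample map for patterns that cover each other and resolves which backend pool a request path would reach. It handles only the trailing-wildcard form the sample uses, and it assumes that when several patterns match, the longest one wins, which is how the post describes overlapping rules being resolved; confirm that ordering against your gateway SKU's documentation before relying on it.

```python
# Added example: lint an Application Gateway url_path_map for overlapping
# path rules and resolve the backend pool for a request path.
# PATH_RULES is a constructed copy of the post's sample map.

PATH_RULES = [
    {"name": "api", "paths": ["/api/*"], "pool": "app-gw-centralus-bapool01"},
    {"name": "videos", "paths": ["/videos/*"], "pool": "app-gw-centralus-bapool02"},
]
DEFAULT_POOL = "app-gw-centralus-bapool01"  # default_backend_address_pool_name


def pattern_matches(pattern, path):
    """True if a request path falls under a rule pattern.

    Only the trailing-'*' form from the sample is handled: '/api/*' covers
    every path beginning with '/api/'; a pattern without a wildcard must
    match the path exactly.
    """
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def resolve_pool(rules, path, default_pool=DEFAULT_POOL):
    """Return the backend pool a request path would be routed to.

    Assumption: when several patterns match, the longest wins and earlier
    rules win ties. With discrete rules (no overlaps) this never matters.
    """
    best_pattern, best_pool = None, default_pool
    for rule in rules:
        for pattern in rule["paths"]:
            if pattern_matches(pattern, path) and (
                best_pattern is None or len(pattern) > len(best_pattern)
            ):
                best_pattern, best_pool = pattern, rule["pool"]
    return best_pool


def find_overlaps(rules):
    """List (rule_a, pattern_a, rule_b, pattern_b) for every pair of rules
    where one pattern covers the other, i.e. a request could match both."""
    patterns = [(r["name"], p) for r in rules for p in r["paths"]]
    overlaps = []
    for i, (name_a, pat_a) in enumerate(patterns):
        for name_b, pat_b in patterns[i + 1:]:
            if name_a == name_b:
                continue  # patterns within one rule are meant to coexist
            if pattern_matches(pat_a, pat_b.rstrip("*")) or pattern_matches(
                pat_b, pat_a.rstrip("*")
            ):
                overlaps.append((name_a, pat_a, name_b, pat_b))
    return overlaps
```

An empty result from find_overlaps means the map is the discrete enumeration the post recommends; adding a rule such as "/api/v2/*" beside "/api/*" is reported as an overlap.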