Can I use an Azure Private Endpoint to access Azure WEB Application Gateway


Hello

If I have an Azure WEB application gateway which talks back to an on-premise App (using header-based authentication) and I only need users on my own internal network (not internet users or customers) to access it, can I connect Azure Private Endpoint and Azure Application Gateway to achieve this result (or is there an alternative)? If I can do this, is there a URL doc/video showing how this is set up please?

Thanks very much

Charlie

2 Replies
Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Link resources are services such as Azure SQL DB, Cosmos, Backup, Automation, Storage, Azure Web App.

Private Endpoint is only used for incoming flows to your Web App, which is hosted in Azure as a PaaS service as Web App. Outgoing flows will not use this Private Endpoint.

I hope your network connection between Azure and on-prem securely connects through either the VPN or ExpressRoute method. In that case, the outbound flow from on-prem to Azure ingress will flow through internal binding as VPN or ER over a private connection with the help of a connectivity provider.

@Seshadrr 

Hello Seshadrr

Thanks very much for taking the time to reply.

I am still a bit unclear; can you (or someone else on the forum) clarify the following for me a bit further please?

If we have an Azure WEB Application Proxy (connecting to a backend app on-premise as normal), but we only want 'company users' to use this (not internet-based users), can we remove/disable the public IP address from the WEB Application Proxy (in some way, e.g. using a Service Endpoint or Private Endpoint, or some other way) so only internal users can access it?

What I really want to achieve is using a private IP address/subnet (e.g. 10.x.x.x) and therefore one DNS record internally to reach the front end of the WAP.

Can you kindly advise further if this is possible?

Thanks

Charlie