External Application Access Pattern Using Azure App Gateway

[AErmie]

We need to create an example of an application pattern that uses Azure Application Gateway to allow external access into an internal resource.

Background

Ministry Clients need to be able to access various PaaS resources deployed in Azure, externally. There are some Azure Policies in place that prevent PaaS services from having external access or a Public IP address. Therefore, external access needs to be controlled through supported mechanisms, such as the Azure Application Gateway.

Testing is needed to confirm what additional configurations, changes, etc. are required to successfully use an Application Gateway in our environment to access internal resources (ie. a resource that is restricted to private-only networking, perhaps using Private Endpoint).

Acceptance Criteria

1. Successfully able to access an internal/restricted resource externally through the Application Gateway

Test Steps

1. Deploy an Application Gateway
   • Make note of the networking requirements, and any challenges within our environment
2. Deploy an internal resource (ie. VM, Functions)
   • This should be in a separate Subnet
3. Configure and test access externally through the Application Gateway to the internal resource

[!NOTE] This will then become a guide for Ministry Clients when onboarding, as a reference/example.

Additional Notes

• Document any issues, pain-points, specific configurations required, etc. that is outside of a default/standard deployment (ie. from the Microsoft documentation)
• Multiple backend examples, such as IaaS (ie. VMs, VMSS), and Serverless (ie. Functions, Azure Container Instances) should be tested and documented