Azure Networking Basic – TechMilestoneHub

4 – Application Gateway In Detail
Table of Contents

🎯 What You’ll Learn

In this blog, we dive deeper into Azure Application Gateway and explore how it can be used as a smart and secure entry point for multiple web applications. By the end of this guide, you will understand how to design real-world traffic routing and protect your applications from common web attacks.

Here’s what we will be doing:

Understand what Azure Application Gateway is and why it works at Layer 7 (Application Layer)
Deploy two Ubuntu virtual machines running Nginx as independent web servers
- One serving video content
- One serving image content
Configure Network Security Groups (NSG) to allow:
- SSH access for administration
- HTTP access for users
Create an Application Gateway as the single public entry point
Implement URL-based routing so that:
- /videos → goes to the video server
- /images → goes to the image server
Keep backend servers private and protected, exposing only the gateway to the internet
Enable Web Application Firewall (WAF) to defend against:
- SQL Injection
- Cross-Site Scripting (XSS)
- Protocol violations and other malicious requests
Learn the difference between:
- Detection mode – monitor attacks
- Prevention mode – actively block threats

By the end of this blog, you will have a clear, hands-on understanding of how Application Gateway can:

✅ Route traffic intelligently
✅ Secure multiple apps with one public IP
✅ Protect web applications using enterprise-grade WAF

Let’s get started 🚀

STEP 1 : 🖥️ Creating Two Ubuntu Web Servers

To demonstrate URL-based routing with Application Gateway, we first need two separate web servers. Each server will handle a different type of content, and later the gateway will decide where to send traffic based on the request URL.

🎯 Goal of This Setup

Create 2 Ubuntu Virtual Machines in the same subnet
One VM will serve video pages
The other VM will serve image pages
Application Gateway will later route:
- /videos → Video VM
- /images → Image VM

💡 We do NOT attach NSG directly to each VM.
Instead, we attach a single NSG to the subnet for centralized control.

🔐 Network & NSG Configuration

While creating the VMs:

You can assign Public IPs to make SSH access easy for testing
Skip NSG at VM level (we manage it at subnet level)

Modify NSG Rules

We need two inbound rules:

1️⃣ Allow SSH to the VMs

Destination: Private IPs of the VMs
Service: SSH (port 22)
Purpose: Admin access to configure the servers

2️⃣ Allow HTTP Traffic

Since these VMs will act as web servers:

Source: Internet (Service Tag)
Destination Port: 80 (HTTP)
Destination: Private IPs of the VMs

This allows users to browse the pages hosted on the servers.

🧰 Install Nginx on Both VMs

Now we turn both Ubuntu machines into web servers.

SSH into each VM and run:

sudo apt update
sudo apt install nginx

After installation, Nginx starts serving files from:

/var/www/html

🎬 Configure First VM – Video Web Server

On VM 1, we create content for videos:

cd /var/www/html
sudo chmod 777 /var/www/html
mkdir videos
cd videos
echo "Videos for you" > Default.html

Now this server responds to:

👉 http://<VM1-Public-IP>/videos/Default.html

and shows:

Videos for you

🖼️ Configure Second VM – Image Web Server

On VM 2, repeat the same steps but for images:

cd /var/www/html
sudo chmod 777 /var/www/html
mkdir images
cd images
echo "Images for you" > Default.html

This server is available at:

👉 http://<VM2-Public-IP>/images/Default.html

and displays:

Images for you

✅ What We Have Achieved So Far

At this stage:

✔ Two independent Ubuntu web servers are running
✔ Both are in the same subnet
✔ NSG allows SSH and HTTP access
✔ Each server serves different content
✔ We can browse them directly using their IPs

But users currently need to remember two different IP addresses ❌

In the next step, we will:

Use Application Gateway to provide a single entry point and route traffic automatically based on URL 🚦

STEP 2:🚦 Implement URL Routing Using Application Gateway

Now that we have two web servers ready—one for videos and one for images—it’s time to place Application Gateway in front of them.
The goal is simple:

Users will access a single public IP, and the gateway will decide which VM should handle the request based on the URL.

🧱 Prerequisite – Empty Subnet for Application Gateway

Application Gateway must be deployed in its own dedicated subnet.
It cannot share a subnet with VMs or other resources.

So first ensure:

✔ A separate subnet exists (e.g., appgw-subnet01)
✔ No VMs or other services are inside this subnet

🌐 Create Frontend IP

While creating the Application Gateway:

Add a new Public IP address
This IP becomes the single entry point for all users

💡 After this setup, users will no longer connect directly to the web servers—only to this frontend IP.

🧩 Create Backend Pools

We need two backend pools, one for each server:

🎬 videoserver → points to Video VM
🖼️ imageserver → points to Image VM

Each pool contains the private IP of the corresponding Ubuntu VM.

🎧 Configure Listener

The Listener decides when routing rules should be applied.

We create a listener with:

Protocol: HTTP
Port: 80
Frontend IP: Application Gateway public IP

📌 Listener = “Wait for requests on this IP and port before applying any routing logic.”

🎯 Configure Backend Targets

Next we connect the listener to a backend pool:

Select a backend pool (e.g., videoserver)
Create Backend Settings
- Just provide a name like settings01

Backend settings define how the gateway communicates with the servers.

🔀 Add Path-Based Routing Rules

This is the heart of the demo 🔥.

We click:

👉 Add multiple targets to create a path-based rule

Then create two paths:

Rule 1 – Videos

Path: /videos/*
Target: videoserver
Backend settings: settings01

Rule 2 – Images

Path: /images/*
Target: imageserver
Backend settings: settings01

🧠 Now the gateway can read the URL and decide where to send the request.

🧪 Test the Setup

Access the Application Gateway public IP:

👉 http://<appgw-ip>/videos/Default.html
➡ Shows “Videos for you”

👉 http://<appgw-ip>/images/Default.html
➡ Shows “Images for you”

🎉 URL-based routing is working!

🔐 Final Architecture Result

✔ Only Application Gateway needs a public IP
✔ Web servers can stay private
✔ Users access one endpoint
✔ Traffic is routed intelligently by URL

URL	Destination
/videos	Video VM
/images	Image VM

💡 What We Achieved

Implemented Layer 7 routing
Reduced public exposure
Centralized traffic control
Prepared foundation for WAF security

In the next section, we will:

Enable Web Application Firewall (WAF) to protect these applications from real attacks 🛡️.

🛡️ Web Application Firewall (WAF)

So far, we have used Application Gateway for routing traffic intelligently.
Now we add the most important layer — Web Application Firewall (WAF).

💡 WAF is enabled and managed directly from the Application Gateway resource, not from the backend VMs or App Service.

WAF protects web applications from common and dangerous attacks such as:

💉 SQL Injection
🧨 Cross-Site Scripting (XSS)
🚫 Protocol violations
🤖 Malicious bots and scanners

Instead of exposing our web servers directly to the internet, WAF acts like a smart shield in front of them.

🆕 Creating a WAF Policy

To enable WAF on the Application Gateway:

Open the Application Gateway resource
Go to the Web Application Firewall blade
Click Create new to create a WAF policy

This policy will be attached to the gateway and will inspect all incoming requests.

🔍 Detection Mode vs Prevention Mode

After the policy is created, its default mode is:

👉 Detection Mode

WAF only logs suspicious requests
Traffic is still allowed to reach the application
Useful for testing without blocking real users

You can switch to:

👉 Prevention Mode

Malicious requests are actively blocked
Real protection for production environments

💡 Best Practice
Start with Detection, monitor logs, then move to Prevention.

📦 Managed Rules

Inside the WAF policy:

Go to Policy settings → Managed rules

Here you will see a large set of built-in rules provided by Microsoft (based on OWASP standards).

These rules automatically detect:

SQL injection patterns
XSS payloads
Illegal HTTP methods
Malformed requests

✅ No need to write complex security logic — WAF handles it for you.

✍ Adding Custom Rules

Apart from managed rules, we can create our own logic.

From the Custom rules blade:

Click + Add custom rule
Define conditions such as:

Block specific IP addresses
Allow only certain countries
Rate-limit requests
Deny traffic matching patterns

Example:

Block traffic if request comes from a specific IP range → Deny traffic

This gives full control over application security.

🧠 What We Achieved

By enabling WAF:

✔ Application Gateway inspects every request
✔ Common attacks are detected and blocked
✔ Security is centralized
✔ Backend VMs stay protected

🏁 Final Architecture

User → Internet
➡ Application Gateway + WAF
➡ URL Routing
➡ Video / Image Web Servers

Our web apps are now not just reachable — they are secure and enterprise-ready 🔐.

🎯 What You’ll Learn in This Blog
🧠 Core Security Concepts
⚠️ Insecure Way: Exposing VM Web App
🏢 NSG at NIC vs Subnet
☁️ Azure Web App Service
🆚 VM Hosting vs App Service Hosting
🛡️ How to Secure App Service
🏰 Analogy – The Mansion Outside the Gate
🚦 Application Gateway – The Smart Security Guard
🧪 Demo: Protect App Service with Application Gateway
💡 What We Understood from the Demo
🚇 Better Approach – Private Endpoint
🏁 Final Architecture
✅ Key Takeaways

🎯 What You’ll Learn in This Blog

In this guide we will:

Understand how Network Security Groups (NSG) protect Azure resources
Learn how IP addresses, protocols, and ports control network traffic
Compare security between:
- Web app hosted in Virtual Machine
- Web app hosted in Azure App Service
Explore why NSG cannot be used for App Service
Implement security using:
- ✅ Service Endpoints
- ✅ Private Endpoints
- ✅ Access Restrictions
Protect apps using Azure Application Gateway + WAF

By the end, you’ll know how to secure an App Service web app like an enterprise architect 🛡️.

🧠 Core Security Concepts

🔒 Network Security Group (NSG)

An NSG is a set of rules that decide:

Who can access a VM or subnet
Which traffic should be allowed or denied

NSG can be attached to:

🖥️ A VM’s Network Interface (NIC)
🏢 An entire Subnet

🌐 How Data Travels on a Network

To send data from System A → System B we need:

IP Address – where to send
Protocol – how to send (TCP/IP)

📬 What Are Ports?

Just like physical ports:

USB
HDMI
Ethernet

Computers also have virtual ports identified by numbers.

Port	Purpose
80	HTTP
443	HTTPS
22	SSH
3389	RDP
25	SMTP

NSG rules filter traffic using:

Source IP
Destination IP
Port
Protocol

💡 Think of NSG as a digital security guard checking:
“Where are you coming from? Which door are you using?”

⚠️ Insecure Way: Exposing VM Web App

To make a VM-hosted app public, people usually:

Add NSG rule to allow port 8080
Disable VM firewall

❌ This is extremely risky and NOT recommended.

🏢 NSG at NIC vs Subnet

Option 1 – Attach NSG to NIC

Works per VM
Hard to manage at scale

Option 2 – Attach NSG to Subnet

Centralized control
Best practice

📝 Note:
NSG cannot be applied to the entire VNet—only to subnets or NICs.

☁️ Azure Web App Service

Azure App Service lets you host apps without managing VMs.

✔ No OS patching
✔ No IIS management
✔ Auto scaling
✔ Managed platform

But…

❗ You don’t control its VNet or subnet
❗ NSG is NOT applicable
❗ App is public by default

🆚 VM Hosting vs App Service Hosting

Feature	VM Hosted	App Service
Infrastructure control	Full	Limited
NSG support	Yes	No
Public by default	No	Yes
Management effort	High	Low

So we need different security methods for App Service.

🛡️ How to Secure App Service

Two main approaches:

✅ Service Endpoint + Access Restriction
✅ Private Endpoint + Access Restriction

And on top of that:

👉 Application Gateway + WAF

🏰 Analogy – The Mansion Outside the Gate

VNet = Gated community
Subnet = Building
App Service = Mansion outside the gate

By default → anyone can enter the mansion 😱

We must:

Restrict public access
Allow only members of our VNet
Create a private tunnel

🚦 Application Gateway – The Smart Security Guard

Application Gateway is:

Layer 7 load balancer
Web traffic inspector
Security filter

Capabilities

✅ URL-based routing – Direct traffic to different back-end resources based on the requested URL
✅ Multi-site hosting – Host multiple websites behind a single gateway
✅ SSL termination – Handle HTTPS encryption at the gateway level
✅ WAF protection – Block common web attacks using Web Application Firewall

Key Components of Application Gateway

1. Front-end IP

This is the public or private IP address exposed by the Application Gateway.
All external users connect to this IP first.

2. HTTP Listener

The listener receives HTTP or HTTPS requests from users and passes them to routing rules for further processing.

3. Back-end Pool

This contains the actual resources where web apps are hosted, such as:

Virtual Machines running IIS
Azure App Service web apps
Or a combination of both

These resources remain protected behind the Application Gateway and are not directly exposed to the internet.

4. Routing Rules

Routing rules decide which back-end resource should handle a particular request based on:

URL path
Host name
Listener configuration

5. Backend Settings

These settings define:

Whether traffic to the backend should be HTTP or HTTPS
Port number
Session affinity
Health probe configuration

🧱 Architecture
Internet → Application Gateway → App Service
NOT → Internet → App Service directly

🧪 Demo: Protect App Service with Application Gateway

🛠️ Step 1 – Create Application Gateway

To secure the App Service web app, we first deploy an Application Gateway that will act as the single, controlled entry point from the internet to our application.

Basic Details

While creating the Application Gateway, provide the following:

Name – for example: appgw-webapp
Region – same region as the App Service
Tier – Standard v2 or WAF v2 (recommended for security)
Virtual Network – the VNet that the Application Gateway will trust and operate within

💡 The selected VNet is important because only resources inside this VNet can communicate privately with the Application Gateway.

Frontend Configuration

In the Frontend tab, choose:

Public IP address – for internet-facing applications
Private IP – only for internal applications

Since our web app must be accessed from the internet, we select Public IP.

Backend Pool Configuration

In the Backend tab:

Choose App Service as the backend target
Select the App Service created earlier

✅ This configuration tells the gateway:
“Forward incoming requests to this App Service.”

Routing Rule Configuration

The routing rule defines how traffic flows through the gateway.
It has two main parts:

Listener – receives incoming requests
Backend Target – forwards requests to the destination

Listener Settings Explained

The listener controls how the gateway accepts traffic.

Frontend IP – public IP exposed by the gateway
Protocol – HTTP or HTTPS
Port – 80 for HTTP, 443 for HTTPS
Listener Type – Basic or Multi-site

For this demo we used:

Protocol: HTTP
Port: 80
Listener Type: Basic

📌 Use Multi-site listener when hosting multiple websites behind one gateway.

1️⃣ Listener (Port 80) – How Users Talk to Application Gateway

The listener defines how users on the internet connect to the Application Gateway. When we choose HTTP on port 80, we are saying that public users will access the gateway using a normal web request like http://22.22.22.22. At this stage, the App Service is not involved yet—the listener only handles traffic between the user and the gateway.

Backend Target Settings Explained

This section links the listener to the App Service.

1. Backend Pool

Select the pool containing the App Service:

👉 backendpoolappservice

This means all requests from the listener will be sent to this App Service.

2. Backend Settings

Key values used:

Backend protocol: HTTPS – App Service requires secure communication
Port: 443 – default HTTPS port
Trusted certificate: Yes – App Service uses Microsoft-issued certificates

2️⃣ Backend Settings (Port 443) – How Gateway Talks to App Service

After receiving the request, the Application Gateway must forward it to the App Service. Azure App Service only accepts HTTPS traffic on port 443, so the backend settings use protocol HTTPS and port 443. This means there are two separate connections: one from the user to the gateway on port 80, and another secure connection from the gateway to the App Service on port 443.

3. Host Name Override (Critical Setting)

Enabled options:

✅ Override with new host name – Yes
✅ Pick host name from backend target

Why this is important?

3️⃣ Host Name Override – Why It Is Required

Think of the App Service like a person whose real name is “myapp.azurewebsites.net.”
When a user visits the Application Gateway IP, the gateway originally calls the app like:

“Hey 22.22.22.22, give me the website!”

But the App Service replies:

“That’s not my name — I don’t recognize you!” ❌

When we enable Host Name Override, the gateway changes the message to:

“Hey myapp.azurewebsites.net, give me the website!”

Now the App Service says:

“Yes, that’s me!” ✅

and it returns the page correctly.
So Host Name Override simply makes the gateway call the App Service by its real domain name instead of the gateway IP.

App Service expects requests with its original domain such as:

myapp.azurewebsites.net

Without host name override, the request comes with the gateway IP and App Service may return:

❌ 404 error
❌ Host not recognized

💡 This setting ensures Application Gateway sends the correct host header to the App Service.

Now the app is reachable via:

👉 Application Gateway public IP

🛠️ Step 2 – Add Service Endpoint

Before we can restrict access to the App Service, the Application Gateway subnet must be authorized to talk to Microsoft Web services.
This is done using a Service Endpoint.

💡 If we skip this step and try to add access restrictions first, Azure will show:
❌ “No service endpoint is present for this subnet.”

1️⃣ Open the Virtual Network of Application Gateway

Go to the Virtual Network where your Application Gateway is deployed
From the left menu, select Service endpoints

This page shows which Azure platform services are allowed to be accessed from this VNet.

2️⃣ Add the Microsoft.Web Service Endpoint

Click + Add
In the Service dropdown, select:

👉 Microsoft.Web

This option represents Azure App Service and other web-related PaaS services.

3️⃣ Select the Application Gateway Subnet

Choose the Subnet in which your Application Gateway is located
Confirm and save the configuration

This tells Azure:

“Devices inside this subnet (Application Gateway) are allowed to securely access Azure Web App services.”

What This Step Actually Does

After adding the service endpoint:

The App Service can now recognize the Application Gateway subnet
Traffic from this subnet is treated as trusted Azure backbone traffic
We are allowed to create access restriction rules referencing this subnet

Without this:

Before we can restrict access to the App Service, the Application Gateway subnet must be authorized to talk to Microsoft Web services.
This is done using a Service Endpoint.

💡 If we skip this step and try to add access restrictions first, Azure will show:
❌ “No service endpoint is present for this subnet.”

1️⃣ Open the Virtual Network of Application Gateway

Go to the Virtual Network where your Application Gateway is deployed
From the left menu, select Service endpoints

This page shows which Azure platform services are allowed to be accessed from this VNet.

2️⃣ Add the Microsoft.Web Service Endpoint

Click + Add
In the Service dropdown, select:

👉 Microsoft.Web

This option represents Azure App Service and other web-related PaaS services.

3️⃣ Select the Application Gateway Subnet

Choose the Subnet in which your Application Gateway is located
Confirm and save the configuration

This tells Azure:

“Devices inside this subnet (Application Gateway) are allowed to securely access Azure Web App services.”

What This Step Actually Does

After adding the service endpoint:

The App Service can now recognize the Application Gateway subnet
Traffic from this subnet is treated as trusted Azure backbone traffic
We are allowed to create access restriction rules referencing this subnet

Without this:

App Service cannot be locked down to the gateway
Access restriction configuration will fail

🛠️ Step 3 – Block Direct Access to App Service

Right now, the web app hosted in App Service is publicly accessible by default.
Anyone on the internet can open the app directly using:

👉 https://myapp.azurewebsites.net

Our goal is:

❌ Users must NOT access the App Service directly
✅ Users should access it ONLY through the Application Gateway

To achieve this, we configure Access Restrictions in the App Service.

1️⃣ Check Current Access Status

Open your App Service in the Azure Portal
Go to the Networking blade
Under Inbound traffic configuration, you will see:

Public network access: Enabled with no access restrictions

This means the web app is currently open to the entire internet, which is not secure.

2️⃣ Change Public Access Mode

Click on Public network access
Select the option:

👉 Enabled from select virtual networks and IP addresses

This setting tells Azure:

“Allow access only from specific VNets or IP addresses, and block everyone else.”

3️⃣ Add an Access Restriction Rule

Now we create a rule that allows traffic only from the Application Gateway subnet.

Open Access Restrictions
Click + Add

Enter the following details:

Type: Virtual Network
Virtual Network: the VNet where Application Gateway is deployed
Subnet: Application Gateway subnet
Description: e.g., restrictaccessappservice

Click Save

What This Configuration Achieves

After applying this rule:

❌ Direct access to
https://myapp.azurewebsites.net → will be BLOCKED
✅ Access through
http://<Application-Gateway-IP> → will be ALLOWED

Because now:

Only traffic coming from the trusted Application Gateway subnet is permitted.

Step 4 – Add Access Restriction

In App Service:

Networking → Public Access
Allow only:
- Selected VNet
- Gateway subnet

🧪 Result:

Direct App Service URL → BLOCKED
Gateway URL → WORKS ✅

💡 What We Understood from the Demo

When creating the Application Gateway, we place it inside a specific VNet and subnet, and this subnet becomes the network that the gateway trusts.
Next, we go to that same subnet and enable a Service Endpoint for Microsoft.Web. This step allows resources inside that subnet—mainly the Application Gateway—to securely reach the Azure App Service over the Azure backbone network.

After enabling the service endpoint, we configure Access Restrictions in the App Service to allow traffic only from this VNet/subnet. As a result:

Application Gateway resides in a trusted subnet
That subnet is authorized to communicate with App Service
App Service accepts traffic only from that subnet and blocks all other public access

🏰 Analogy Explanation

Think of it like this:

The VNet/subnet is a walled housing community
The Application Gateway is the security guard at the gate
The App Service is a mansion located outside the wall

Step 1 – Trust the Guard
We first tell the system:

“People coming from this walled community can be trusted to visit the mansion.”

Step 2 – Give a Special Pass
By adding the Service Endpoint, we give members of that community a valid pass to reach the mansion through a secure path.

Step 3 – Lock the Mansion
Inside the mansion (App Service) we set up a rule:

“Only people with that pass — meaning traffic from the Application Gateway subnet — are allowed to enter.”

Everyone else from the public street is blocked 🚫

🚇 Better Approach – Private Endpoint

Problem with Service Endpoint

It still uses public IP internally.

Private Endpoint = Underground Tunnel

Benefits:

Uses Azure backbone
No public IP involved
Most secure option

Steps for Private Endpoint

Create Private Endpoint for App Service
Use separate subnet (no service endpoint)
Disable Public Network Access

🔐 Final Result
App can ONLY be accessed via Application Gateway

🏁 Final Architecture

✔ Internet → Application Gateway (WAF)
✔ Gateway → Private Endpoint
✔ Private Endpoint → App Service
❌ Direct internet → App Service

✅ Key Takeaways

NSG works for VMs, NOT App Service
App Service is public by default
Use:
- Service Endpoint
- Private Endpoint
- Access Restrictions
- Application Gateway

🚀 Enterprise Best Practice
Never expose App Service directly to internet

🎯 What You’ll Learn in This Blog

In this blog, we will:

Deploy a web application inside an Azure Virtual Machine
Install and configure IIS + .NET 8 Hosting Bundle
Create an ASP.NET Core MVC app using Visual Studio
Publish the app and host it on the VM using IIS on port 8080
Understand why the app is accessible only locally and not via public IP
Learn the security risks of exposing VMs directly to the internet
See how Azure Application Gateway protects the web app

By the end, you’ll know how to host a real web app in a VM—and more importantly, how to secure it 🔐.

🖥️ Hosting a Web App Inside a Virtual Machine

To run a web application inside a VM, we must first turn the VM into a web server.

🧰 Step 1 – Connect to the VM

Use Remote Desktop (RDP) to log in to your Azure VM
Open Server Manager

🌐 Step 2 – Install IIS (Web Server)

Go to
👉 Server Manager → Add Roles and Features
Select:
✔ Web Server (IIS) role
✔ Under features, enable IIS 6 Management Compatibility
Wait for installation to finish ⏳

After installation you will see:

C:\inetpub\wwwroot

This folder contains the default IIS landing page.

✅ You can test it inside the VM by opening:
http://localhost

⚙️ Step 3 – Install .NET 8 Hosting Bundle

Download and install the latest .NET 8 Hosting Bundle inside the VM so IIS can run ASP.NET Core apps.

💡 Without this bundle, IIS cannot host .NET applications.

💻 Creating the Web App in Visual Studio

🧪 Step 4 – Build an ASP.NET Core App

Open Visual Studio
Create a project:
👉 ASP.NET Core Web App (Model–View–Controller)
Make a small UI change to:
- Home → Index.cshtml
  (so you can recognize your app later)

📦 Step 5 – Publish as Folder

Right click project → Publish
Choose → Publish to Folder

In settings select:

✅ Self-contained deployment
(so app runs without external dependencies)

Copy the published folder into the VM.

🚀 Hosting the App in IIS

🛠️ Step 6 – Configure IIS Website

Open IIS Manager in the VM
Remove the default website
Click Add Website

Configure:

📁 Physical path → your published folder
🌐 Port → 8080

📌 The publish folder must be the parent of the wwwroot folder.

👀 Step 7 – Test Locally

Click Browse :8080

Your web app opens at:

👉 http://localhost:8080

🎉 The app is now running inside the VM!

❗ Local Access vs Public Access

Right now:

✅ App works inside the VM
❌ App is NOT accessible using the VM’s public IP

You could open port 8080 to the internet…
👉 But this is a BAD idea.

🔐 Securing the Web App in VM

Exposing a VM directly to the internet introduces serious risks.

⚠️ Common Security Threats

🚨 DDoS Attacks
Bots flood your app with requests so real users cannot access it.
🧨 Cross-Site Scripting (XSS)
Malicious scripts injected into your pages.
💉 SQL Injection
Attackers manipulate database queries.
📉 HTTP Protocol Violations
Malformed requests to crash or exploit the app.

❌ Opening inbound port 8080 is NOT recommended
Even RDP port should be closed in production.

🛡️ The Right Solution – Application Gateway

Instead of exposing the VM:

All traffic should enter through Azure Application Gateway
Gateway validates and filters requests
Only safe traffic reaches the web app

✅ Benefits

Web Application Firewall (WAF)
DDoS protection
SSL termination
Central entry point
No direct VM exposure

🧠 Architecture Idea
Internet → Application Gateway → VM Web App
NOT → Internet → VM directly

🧩 Final Thoughts

You have now learned:

How to convert a VM into a web server
Host an ASP.NET Core app in IIS
Why local access ≠ public access
The dangers of exposing VMs
The importance of Application Gateway

🚀 Real-world rule:
Never expose VMs directly—always use a gateway!

February 5, 2026

🌐 1 – Azure Virtual Network Basics

🎯 What You’ll Learn in This Blog
📘 Understanding Azure Virtual Network: Your Gateway to Secure Cloud Architecture
🏘️ Virtual Network as a Gated Community – Simple Analogy
🔢 IP Address and CIDR Notation Explained
🧩 VNet vs Subnet
🛠️ Creating VNets in Azure
🖥️ Adding a Virtual Machine to a VNet
🌍 Public IP vs Private IP
🤔 Why Do We Need Azure Virtual Network?
✅ Final Thoughts

🎯 What You’ll Learn in This Blog

In this blog, we will:

Understand why Azure Virtual Network (VNet) is required in cloud environments
Learn how VNets provide isolation and security on shared Azure infrastructure
Use a simple gated community analogy to visualize networking concepts
Understand IP addressing and CIDR notation
Explore the difference between VNet and Subnet
See how to create VNets and attach Virtual Machines
Understand Public IP vs Private IP and real-world security best practices

By the end, you’ll clearly understand how Azure networking protects your resources and how traffic flows inside the cloud 🚀.

📘 Understanding Azure Virtual Network: Your Gateway to Secure Cloud Architecture

Azure resources such as Virtual Machines, databases, and applications run on shared physical servers. That means multiple organizations may be using the same underlying hardware.

👉 So how does Azure keep your environment separate and secure?

This is where Azure Virtual Network (VNet) comes in.

VNets create a logically isolated network for your subscription so that:

Your data is separated from other organizations
Communication between your resources stays private
You can fully control inbound and outbound traffic

🔐 Key Idea:
Even though the hardware is shared, VNet ensures your network behaves like your own private data center.

🏘️ Virtual Network as a Gated Community – Simple Analogy

Let’s simplify Azure networking with a real-life example.

Imagine a gated housing community:

🏡 Entire community → Virtual Network (VNet)
🧱 Boundary wall → Firewall
🏢 Buildings → Subnets
🏠 Apartments → Virtual Machines (VMs)
👮 Main security guard → Application Gateway / Load Balancer
🔑 Buzzer system → Network Security Group (NSG)

What does the main security guard do?

The Application Gateway or Load Balancer performs three major tasks:

✅ Check ID – Authenticate & authorize traffic
✅ Check availability – Is the destination healthy?
✅ Find alternative – Route to another VM if needed

Each building (subnet) can also have its own security system—just like an NSG that filters traffic at subnet or VM level.

🧠 Analogy Summary
VNet = Community
Subnet = Building
VM = Apartment
NSG = Door security
Gateway = Main entrance guard

🔢 IP Address and CIDR Notation Explained

Whenever we create a VNet or subnet, we must define an IP address range.

IPv4 Basics

An IPv4 address looks like:

97.87.3.1

It has 4 parts
Each part = 8 bits
Value ranges from 0 to 255 (because 2⁸ = 256)

📐 What is CIDR Notation?

CIDR notation defines how big a network is.

Example:

👉 100.8.0.0/24

/24 → first 24 bits = network portion
Remaining 8 bits = device addresses
Total addresses = 2⁸ = 256

📌 Important Rule
➕ More bits for network → ➖ fewer devices
➖ Fewer bits for network → ➕ more devices

🧩 VNet vs Subnet

VNet = Full address space
Subnet = Smaller range inside the VNet

Example

VNet → 100.8.0.0/24 → 256 possible IPs
Subnet → 100.8.0.0/28 → only 16 IPs (2⁴)

🏙️ Think of it like:
City = VNet
Neighborhood = Subnet

🛠️ Creating VNets in Azure

🛠️ Steps to Create a Virtual Network and Subnet in Azure

Follow these steps in the Azure Portal to set up your Virtual Network (VNet) and subnet.

Open https://portal.azure.com
Log in with your Azure account
Click Create a resource from the home page

✅ Step 2 – Locate the Virtual Network Service

In the search bar, type Virtual Network
Select Virtual Network from the results
Click Create

✅ Step 3 – Provide Basic Details

In the Basics tab, enter:

Subscription – Choose your Azure subscription
Resource Group – Select existing or create new
Name – Example: MyVNet
Region – Choose the closest region

Then click Next: IP Addresses

✅ Step 4 – Configure VNet Address Space

Define the IP range for the whole network.

Default example: 10.0.0.0/16
Custom example: 100.8.0.0/24

💡 The address range must not overlap with other VNets or on-prem networks.

✅ Step 5 – Add a Subnet

Click Add Subnet
Enter:

Subnet name – e.g., WebSubnet
Address range – e.g., 100.8.0.0/28

Click Add

⚠️ Azure automatically reserves the first 5 IP addresses in every subnet for internal use.

✅ Step 6 – Optional Security Settings

You may enable:

Azure Firewall
DDoS Protection
Bastion Host

These can also be configured later.

Click Next: Tags → then Review + Create

While creating a VNet in the Azure portal you can:

Choose the address range
Rename the default subnet
Add additional subnets
Let Azure handle non-overlapping ranges

We can add more subnets to an existing virtual network.

⚠️ Azure Reserved IPs

Azure automatically reserves the first 5 IP addresses in every subnet for internal management.

So they cannot be assigned to your VMs.

💡 Example
If subnet starts at 10.0.0.0
→ 10.0.0.0 to 10.0.0.4 are reserved by Azure

🖥️ Adding a Virtual Machine to a VNet

When creating a VM, Azure asks you to select:

The Virtual Network
The Subnet

This ensures the VM becomes part of your private cloud network and follows all NSG and routing rules.

🌍 Public IP vs Private IP

🟢 Private IP

Used for communication inside VNet
Not reachable from the internet
Unique within the VNet

🔴 Public IP

Used for global internet access
Exposes the resource to external traffic
Higher security risk

❓ Why Do We Need Both?

To improve security:

❌ Block public IP on individual VMs
✅ Allow access only through Application Gateway
🌐 Only the gateway gets a public IP

🔐 Best Practice
In real environments, all requests should enter via Application Gateway, not directly to VMs.

This minimizes attack surface and gives full control.

🤔 Why Do We Need Azure Virtual Network?

Because in Azure:

Physical servers are shared
Multiple subscriptions coexist
Security and isolation are mandatory

VNet ensures:

✅ Organization-level isolation
✅ Secure communication
✅ Controlled internet exposure
✅ Enterprise-grade networking

🚀 Without VNet → open playground
With VNet → secured private fortress

✅ Final Thoughts

Azure Virtual Network is the foundation of cloud networking. Understanding:

VNets
Subnets
CIDR
NSG
Application Gateway
Public vs Private IP

is essential for:

Azure administration
AZ-104 certification
Real-world cloud architecture

You’ve now taken the first step toward mastering Azure networking 💪.

February 5, 2026

Category: Azure Networking Basic

4 – Application Gateway In Detail

Table of Contents

🎯 What You’ll Learn

STEP 1 : 🖥️ Creating Two Ubuntu Web Servers

🎯 Goal of This Setup

🔐 Network & NSG Configuration

Modify NSG Rules

🧰 Install Nginx on Both VMs

🎬 Configure First VM – Video Web Server

🖼️ Configure Second VM – Image Web Server

✅ What We Have Achieved So Far

STEP 2:🚦 Implement URL Routing Using Application Gateway

🧱 Prerequisite – Empty Subnet for Application Gateway

🌐 Create Frontend IP

🧩 Create Backend Pools

🎧 Configure Listener

🎯 Configure Backend Targets

🔀 Add Path-Based Routing Rules

Rule 1 – Videos

Rule 2 – Images

🧪 Test the Setup

🔐 Final Architecture Result

💡 What We Achieved

🛡️ Web Application Firewall (WAF)

🆕 Creating a WAF Policy

🔍 Detection Mode vs Prevention Mode

📦 Managed Rules

✍ Adding Custom Rules

🧠 What We Achieved

🏁 Final Architecture

🔐 3- Security For Web App Hosted in App Service

Table of Contents

🎯 What You’ll Learn in This Blog

🧠 Core Security Concepts

🔒 Network Security Group (NSG)

🌐 How Data Travels on a Network

📬 What Are Ports?

⚠️ Insecure Way: Exposing VM Web App

🏢 NSG at NIC vs Subnet

Option 1 – Attach NSG to NIC

Option 2 – Attach NSG to Subnet

☁️ Azure Web App Service

🆚 VM Hosting vs App Service Hosting

🛡️ How to Secure App Service

🏰 Analogy – The Mansion Outside the Gate

🚦 Application Gateway – The Smart Security Guard

Capabilities

Key Components of Application Gateway

1. Front-end IP

2. HTTP Listener

3. Back-end Pool

4. Routing Rules

5. Backend Settings

🧪 Demo: Protect App Service with Application Gateway

🛠️ Step 1 – Create Application Gateway

Basic Details

Frontend Configuration

Backend Pool Configuration

Routing Rule Configuration

Listener Settings Explained

1️⃣ Listener (Port 80) – How Users Talk to Application Gateway

Backend Target Settings Explained

2️⃣ Backend Settings (Port 443) – How Gateway Talks to App Service

Why this is important?

3️⃣ Host Name Override – Why It Is Required

🛠️ Step 2 – Add Service Endpoint

1️⃣ Open the Virtual Network of Application Gateway

2️⃣ Add the Microsoft.Web Service Endpoint

3️⃣ Select the Application Gateway Subnet

What This Step Actually Does

1️⃣ Open the Virtual Network of Application Gateway

2️⃣ Add the Microsoft.Web Service Endpoint

3️⃣ Select the Application Gateway Subnet

What This Step Actually Does

🛠️ Step 3 – Block Direct Access to App Service

1️⃣ Check Current Access Status

2️⃣ Change Public Access Mode

3️⃣ Add an Access Restriction Rule

What This Configuration Achieves