David Santiago

Expose on-premise applications with Application Gateway, and share those applications privately to Azure partners

Load balancing on-premises applications from Azure with Application Gateway is possible. The intent of this article is to explain how to achieve that, and also to detail how to share those on-premises applications with a partner, privately, using Azure Application Gateway + Private Link (preview).

Load Balance on-premise applications from Azure

Architecture (diagram: ag-lb-onprem)

The Terraform code to provision the above infrastructure is available on my GitHub.

Description:

  • Two (emulated) on-premises sites establish a S2S VPN to the Azure hub-vnet.
  • site1-vm and site2-vm each host an apache2 web server.
  • Application Gateway in hub-vnet has a private listener on port 80, load balancing HTTP traffic to site1-vm:80 and site2-vm:80.

This architecture is interesting when no on-premises load balancing solution is available, or when it is not possible to rely on the existing one(s).

Load balancing illustration (diagram: ag-lb-onprem)

Result of $ curl http://10.221.1.134 from hub-vm (screenshot: ag-lb-onprem):

Result: Azure VMs are able to reach Azure Application Gateway, which load balances traffic to the on-premises applications.

Note: if the backend machines expose websites over HTTPS using a custom (or corporate) Certificate Authority, that CA must be trusted by Application Gateway: upload its root certificate to the Application Gateway HTTP settings.

Now that we have managed to load balance traffic to on-premises applications, let’s try to share those applications with partners that use Azure.

Share those on-premises applications with Azure partners, privately!

Private Link support in Azure Application Gateway has been in preview since June 2022.

Let’s use this preview feature to create a Private Endpoint in the Fabrikam tenant that points to Contoso’s Application Gateway 🔥🔥.

Architecture (diagram: ag-lb-onprem)

Step-by-step configuration:

  • Contoso tenant: configure the Private Link configuration. It defines the infrastructure used by Application Gateway to enable connections from Private Endpoints.
  • Fabrikam tenant: create the Private Endpoint.
    • Indicate the Resource ID of the Application Gateway. The target sub-resource value must be the name of the Private Frontend IP configuration.
    • Provide the vnet/subnet where the Private Endpoint will be created.
    • After creation, the Private Endpoint connection status shows Pending: the connection must be approved in the Contoso tenant.
  • Contoso tenant: approve the Private Endpoint connection request from the Fabrikam tenant.
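The same three steps expressed in Terraform (azurerm provider), as an added example that is my own and not the Terraform code from the author's GitHub: the Private Link configuration and private frontend on Contoso's gateway (only those two blocks of the gateway resource are shown), and the cross-tenant Private Endpoint on the Fabrikam side. Resource names, resource groups, the location and the var.* subnet/resource IDs are assumptions; the frontend IP is the one curled from hub-vm above.

```hcl
# Contoso tenant: blocks added to the existing azurerm_application_gateway
# resource (hypothetical names; sku, listeners, backend pools etc. unchanged).
resource "azurerm_application_gateway" "contoso" {
  # ... other required blocks of the gateway are unchanged and not repeated ...

  # Private Link needs its own IP configuration in a dedicated subnet,
  # distinct from the gateway subnet (assumed var.private_link_subnet_id).
  private_link_configuration {
    name = "appgw-pl-config"
    ip_configuration {
      name                          = "pl-ipcfg"
      subnet_id                     = var.private_link_subnet_id
      private_ip_address_allocation = "Dynamic"
      primary                       = true
    }
  }

  # The private frontend. Its name is the "target sub-resource" a partner
  # must reference from its Private Endpoint.
  frontend_ip_configuration {
    name                            = "private-frontend"
    subnet_id                       = var.appgw_subnet_id
    private_ip_address              = "10.221.1.134"
    private_ip_address_allocation   = "Static"
    private_link_configuration_name = "appgw-pl-config"
  }
}

# Fabrikam tenant (applied with Fabrikam credentials): the Private Endpoint.
resource "azurerm_private_endpoint" "to_contoso_appgw" {
  name                = "pe-contoso-appgw"
  location            = "westeurope"
  resource_group_name = "rg-fabrikam"
  subnet_id           = var.fabrikam_pe_subnet_id   # assumed Fabrikam subnet

  private_service_connection {
    name                           = "contoso-appgw-connection"
    # Resource ID of Contoso's gateway, shared out of band by Contoso.
    private_connection_resource_id = var.contoso_appgw_id
    # Cross-tenant: no auto-approval; the request stays Pending until
    # Contoso approves it, which is the control point on the Contoso side.
    is_manual_connection           = true
    request_message                = "Fabrikam access to Contoso on-prem apps"
    # Must match the private frontend IP configuration name defined above.
    subresource_names              = ["private-frontend"]
  }
}
```

Because the connection is manual, it remains Pending until Contoso approves it in the portal or with az network private-endpoint-connection approve; until then fabrikam-vm gets no answer from the endpoint IP.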

Result of $ curl http://10.3.0.5 from fabrikam-vm (screenshot: ag-lb-onprem):

It works 🔥🔥
