![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 40%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,003 questions
Hello @sindhu sneha ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know the best approach to restrict direct access to Azure app service backend while permitting frontend and API requests through Application Gateway with WAF.
To restrict direct access to your backend app service, you can refer the below recommended options:
- Configure Access restriction rules based on service endpoints. This allows you to lock down inbound access to the app making sure the source address is from Application Gateway. Refer: https://video2.skills-academy.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli#set-a-service-endpoint-based-rule
- Use Azure App Service static IP restrictions. For example, you can restrict the web app so that it only receives traffic from the application gateway. Use the app service IP restriction feature to list the application gateway Public IP as the only address with access. Refer: https://video2.skills-academy.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli#add-an-access-restriction-rule
You can configure other access restrictions or whitelist other IPs or service tags depending upon your exact requirement.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.