@Jessie,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are planning to deploy a 3rd party application/service in Azure and use Application Gateway as a Proxy for the service.
Currently, Application Gateway supports the following backends:
- NICs
- Virtual machine scale sets
- Public IP addresses
- Internal IP addresses
- FQDN
- Multitenant backends (such as App Service)
See: Backend pools
Since the application is 3rd party, I will not be able to share any specific documents integrating it with App Gateway.
- However, as long as the backend pool serves HTTP and HTTPS traffic (on any port), you should be able to integrate it with App Gateway.
- You just have to make sure the health probes succeed, i.e., the backend is reachable by App Gateway.
- If the backend is in an Azure VNET, make sure the subnet in which Azure Application Gateway is deployed is allowed access to the backend resource (network rules must allow the subnet range). I see this is your case, and App Gateway in the Hub and backend in the Spoke VNET will work as long as the above condition is met.
- In case the backend is outside Azure, make sure the networking rules allow the public IP of the App Gateway.
This may come in handy: Direct web traffic with Azure Application Gateway.
With respect to Azure Firewall,
- I see your clients are outside the Network.
- Do you want the traffic to first reach Azure Firewall and then go to Azure App Gateway? See: Firewall and Application Gateway for virtual networks
- The above configuration is rather complicated, and you can use the flow chart available there to decide what type of configuration better suits you.
See: Application Gateway before Firewall
- You can also consider using the WAF SKU of App Gateway for security measures. Check out its features here: WAF Features
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
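The two checks the answer above points to (network rules that admit the Application Gateway subnet, and a health probe that succeeds), as an added PowerShell example using the Az module. This is not code from the original answer; the resource group, gateway, NSG, subnet range and backend FQDN are placeholders you would replace with your own hub/spoke values.

```powershell
# Added example (not from the original answer). Placeholder names and ranges below
# are assumptions; adjust them to your hub/spoke deployment.
$rg          = 'rg-hub-spoke'          # assumption
$agwName     = 'agw-hub'               # App Gateway deployed in the hub VNET
$nsgName     = 'nsg-spoke-backend'     # NSG on the spoke subnet hosting the backend
$agwSubnet   = '10.0.1.0/24'           # App Gateway subnet range (assumption)
$backendFqdn = 'app.internal.example'  # backend FQDN (assumption)

# 1) Network rule: allow the App Gateway subnet range to reach the backend on 443.
#    For a backend outside Azure, allow the gateway's public IP on that side instead.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-AppGw-Subnet-443' `
    -Priority 200 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $agwSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 443 | Out-Null
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# 2) Health probe, HTTPS backend settings and an FQDN backend pool on the gateway.
$agw   = Get-AzApplicationGateway -Name $agwName -ResourceGroupName $rg
$match = New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode '200-399'
Add-AzApplicationGatewayProbeConfig -ApplicationGateway $agw -Name 'probe-backend' `
    -Protocol Https -Path '/' -Interval 30 -Timeout 30 -UnhealthyThreshold 3 `
    -PickHostNameFromBackendHttpSettings -Match $match | Out-Null
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $agw -Name 'probe-backend'
Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $agw -Name 'https-settings' `
    -Port 443 -Protocol Https -CookieBasedAffinity Disabled `
    -PickHostNameFromBackendAddress -Probe $probe | Out-Null
Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $agw -Name 'pool-backend' `
    -BackendFqdns $backendFqdn | Out-Null
Set-AzApplicationGateway -ApplicationGateway $agw | Out-Null

# 3) Verify: each backend server should report Health = Healthy. Anything else means
#    the probe is failing, usually because the network rules above do not admit the gateway.
Get-AzApplicationGatewayBackendHealth -Name $agwName -ResourceGroupName $rg |
    Select-Object -ExpandProperty BackendAddressPools |
    ForEach-Object { $_.BackendHttpSettingsCollection.Servers } |
    Select-Object Address, Health
```

The new pool and HTTPS settings still need to be referenced by a request routing rule on the gateway before client traffic is forwarded to them.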