Create a virtual network for protecting a storage account in Azure

@Steve

Answering your questions here-

• I saw the information at https://video2.skills-academy.com/en-us/azure/virtual-network/quick-create-portal but do we need two virtual machines for our situation?

The above article is a generic article for creating VMs in a VNET. In general there is no rule on the resources in a VM i.e.,You can have any resources in your VNET or not have any resources at all.

• Our networking team has no experience with Azure and doesn't know what address range to use for the App Gateway subnet and Backend subnet. How can this be found/determined?
  For the App GW VM address space, you can use any private address range given in the RFC 1918 i.e.,

10. 0.0.0 - 10.255.255.255 (10/8 prefix)
11. 16.0.0 - 172.31.255.255 (172.16/12 prefix)
12. 168.0.0 - 192.168.255.255 (192.168/16 prefix)

However, please make sure that the address space that you choose does not conflict with your local network (if you plan to use a VPN to connect to this App GW).

• How do we determine if our Frontend IP has to be Public or Private?

If you need your application GW to be accessible publicly, you need a public IP. If you need it to be only privately accessible for internal use inside Azure or via VPN privately from your local network then you can use private IPs.

• For what use cases, does one need to configure an application gateway with TLS termination using the Azure portal and is it needed for our use case?
  As you know TLS is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and encrypted. So if you need your application traffic to be encrypted for security purposes, you may enable either TLS termination or end to end TLS encryption. Here are more details regarding both of these features here.
• What else needs to be done to ensure our app service, app, storage account remain safe?

To ensure safety of your resources behind App GW, you have multiple options. One of the basic ways is to make sure that you are restricting inbound IPs/ports using the NSGs. You can also implement Azure Storage Firewalls and Azure Web Application Firewalls if you want to further secure your applications.

• Now, I see that you explained your possible setup here-

"So for our use case, I create a virtual machine in Azure, enclose it within a virtual network, create a front end subnet, back-end subnet, create network security group so that traffic from Internet goes to front-end subnet, is processed by network security group, then goes to back end subnet which contains the virtual machine which has the storage account containing our HTML files?"

Just to give you a better Idea about App Gateway, here is a document that explains the different components of an Application Gateway.

With respect to configuring a VNET for your App GW-

"An application gateway is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the application gateway. You can have multiple instances of a given application gateway deployment in a subnet. You can also deploy other application gateways in the subnet. But you can't deploy any other resource in the application gateway subnet."

As mentioned, you will need to create a Virtual Network for your App GW with a dedicated subnet for the App GW. Regarding the back end, the back end can be any of the following for an App GW-

-NICs
-Virtual machine scale sets
-Public IP addresses
-Internal IP addresses
-FQDN
-Multitenant backends (such as App Service)

So depending upon your backend you would either need to create a new subnet for the same or use an existing resource from the above. If you have an existing App Service, you would choose that as your backend.

I hope this was helpful. If you want any further assistance with regards to your setup, please feel free to let us know and we will be glad to assist. Thank you!