Is it possible to have security rules for different backend pools of an Azure Application Gateway?

by Nicolas Mommaerts   Last Updated October 17, 2018 15:00 PM

I have an Azure Application Gateway in front of an AKS cluster. The cluster has some internal IP addresses published through an Internal Load Balancer, that is, with IP addresses from the subnet the cluster resides in.

I have defined a Network Security Group on the subnet of the Gateway and am able to deny/allow all traffic to the internal IP addresses using wildcards.

However, I want to control the traffic more granularly: I want to allow one external IP access to a certain backend pool of the Gateway, and another external IP access to another backend pool. I tried to use the Internal Load Balancer IPs as the destination, but that doesn't seem to work. In fact, I don't know what the destination IP would be for incoming traffic, as I can't even block incoming traffic when I put the Gateway's IP as the destination; only when I use * can I block all incoming traffic.

I could solve it by using multiple Gateways but that gets expensive real fast.

1 Answer

No, you can't do that with an NSG (unless you are using multiple gateways). You might be able to do that with some firewall appliance.

October 17, 2018 14:36 PM
