The Azure docs contain a walkthrough of configuring an Application Gateway in front of a multi-tenant web app. That is all well and good, but after running those PowerShell scripts a user can still hit your public web app directly, so nobody is actually forced to pass through the application gateway (or through the WAF you may have enabled on it).
To force traffic through the gateway, you need to combine that walkthrough with the IP Restrictions capability of web apps: allow only the gateway's public IP on the web app, so that requests from any other source are refused by App Service before they reach your application.
If you follow the second [script][script] on the application gateway configuration documentation page, you end up with a resource group containing the following resources:
I altered this script a bit to use a different region closer to me. I also altered the script to use the Standard app service plan SKU, since IP restrictions are not possible in the Free or Shared SKUs.
Next, you need the public IP of your application gateway. You can find it either on the application gateway resource or on the public IP resource its frontend references. Note that a dynamically allocated public IP can change when the gateway is stopped and started again; if that happens, the restriction rule you are about to create has to be updated to match.
Once you have it, open the web app in the portal and go to Networking:
There, open the IP restrictions blade and add an IP restriction rule that allows the application gateway's IP (as a /32). As soon as at least one allow rule exists, every other source is denied implicitly, so no explicit deny rule is needed.
Once the rule is in place, browsing directly to the web app's URL is no longer possible: App Service answers with a 403 Forbidden.
Going through the application gateway, on the other hand, still works.
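The same procedure as an added PowerShell example, which is not code from the original post or from the Azure walkthrough. It assumes the Az PowerShell module (already signed in with Connect-AzAccount), the Application Gateway and web app created by the walkthrough, and the resource names, gateway hostname and admin IP at the top of the script, all of which are assumptions to replace with your own. It looks up the gateway's public IP from the public IP resource its frontend references, adds the allow rule, and then checks that a direct request is refused while a request through the gateway succeeds.

```powershell
# Added example, not from the original post or the Azure walkthrough.
# Assumes the Az module and the resources created by the docs script;
# every name below is an assumption, adjust it to your deployment.
$ResourceGroup = 'appgw-rg'           # assumed resource group from the walkthrough
$GatewayName   = 'appgw'              # assumed Application Gateway name
$WebAppName    = 'mywebapp'           # assumed web app name (Standard SKU or higher)
$GatewayHost   = 'www.contoso.com'    # assumed hostname that resolves to the gateway's IP
$AdminIp       = '203.0.113.10'       # assumed: your own public IP, used for the SCM site

# 1. Find the gateway's public IP via the public IP resource its frontend references.
$gw    = Get-AzApplicationGateway -ResourceGroupName $ResourceGroup -Name $GatewayName
$pipId = ($gw.FrontendIPConfigurations | Where-Object { $_.PublicIPAddress }).PublicIPAddress.Id
if (-not $pipId) { throw "Gateway $GatewayName has no public frontend IP configuration" }
# Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/publicIPAddresses/<name>
$pipParts = $pipId.Split('/')
$pip      = Get-AzPublicIpAddress -ResourceGroupName $pipParts[4] -Name $pipParts[-1]
$gwIp     = $pip.IpAddress
if ($gwIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
    throw "Gateway public IP is not allocated yet ('$gwIp'); start the gateway first"
}
if ($pip.PublicIpAllocationMethod -eq 'Dynamic') {
    Write-Warning "Public IP $gwIp is dynamic; re-run this after a stop/start of the gateway"
}

# 2. Allow only the gateway. Adding the first allow rule implicitly denies every other source.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup -WebAppName $WebAppName `
    -Name 'AllowAppGateway' -Priority 100 -Action Allow -IpAddress "$gwIp/32"

# The Kudu/SCM site (<app>.scm.azurewebsites.net) has its own, separate restriction list,
# so the rule above leaves it open to the world. Restrict it to the admin IP instead.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup -WebAppName $WebAppName `
    -Name 'AllowAdminScm' -Priority 100 -Action Allow -IpAddress "$AdminIp/32" -TargetScmSite

# 3. Verify: direct access must be refused (403), access via the gateway must succeed.
function Get-HttpStatus {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [int]$resp.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; read the status from the error response
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}
Start-Sleep -Seconds 30   # give the rule a moment to reach the App Service front ends
$direct = Get-HttpStatus "https://$WebAppName.azurewebsites.net/"
$viaGw  = Get-HttpStatus "http://$GatewayHost/"
"Direct to azurewebsites.net : HTTP $direct (expected 403)"
"Through the gateway         : HTTP $viaGw (expected 200)"
if ($direct -ne 403) { Write-Warning "Web app is still reachable directly (HTTP $direct)" }
if ($viaGw -ne 200)  { Write-Warning "Gateway path is broken (HTTP $viaGw); check the backend pool" }
```

The check at the end is the important part: a 403 on the azurewebsites.net hostname together with a 200 through the gateway is the only evidence that the restriction is actually enforced. If the gateway path returns 403 as well, the web app is seeing a different source IP than the one you allowed, which is what happens when the public IP resource you looked up is not the one the gateway's frontend uses.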
And that's all you need to put a public web app behind an application gateway and/or a WAF (for the latter, just enable the WAF feature on the application gateway, which requires the WAF tier). Keep in mind that this is a source-IP check on the App Service side: it stops clients from bypassing the gateway, but the web app's own hostname still resolves publicly, and the rule must be kept in sync if the gateway's public IP ever changes.