Step 1 \u2013 Create the Application Gateway<\/h2>\n\n\n\n
Here\u2019s how to configure the Application Gateway to use a custom domain and establish HTTPS communication with the Storage Account.<\/p>\n\n\n\n
Create the Application Gateway<\/h3>\n\n\n\n\n- In the Azure Portal, select\u00a0Create a resource<\/strong>.<\/li>\n\n\n\n
- Search for an select the\u00a0Application Gateway<\/strong>\u00a0resource.<\/li>\n\n\n\n
- Select the\u00a0Subscription\u00a0<\/strong>and\u00a0Resource Group<\/strong>\u00a0where the App Gateway will be hosted.<\/li>\n\n\n\n
- Provide a descriptive name and select the same Region as the Storage Account.<\/li>\n\n\n\n
- Choose the\u00a0Basic Tier<\/strong>\u00a0to minimise costs, although any tier should work.<\/li>\n\n\n\n
- Select or create a\u00a0Virtual network<\/strong>\u00a0and\u00a0Subnet\u00a0<\/strong>to host the App Gateway. This will be used to limit access directly to the Storage Account later.<\/li>\n\n\n\n
- Under the Frontends stage, select an existing\u00a0Public IP<\/strong>\u00a0or create one.<\/li>\n\n\n\n
- Under the Backends stage, select\u00a0Add a backend pool<\/strong>, then provide a descriptive\u00a0name<\/strong>\u00a0and enter the\u00a0FQDN<\/strong>\u00a0of your Storage Account.\n
\n- In my case this is \u201ctestingstorage32565.blob.core.windows.net<\/em>\u201c.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Navigate to the\u00a0Configuration<\/strong>\u00a0stage and select\u00a0Add a routing rule<\/strong>.<\/li>\n<\/ol>\n\n\n\n
There\u2019s quite a bit we need to do here, so let\u2019s break it down to make sure it\u2019s understandable.<\/p>\n\n\n\n
Add a Routing Rule<\/h3>\n\n\n\n\n- Provide a descriptive\u00a0Rule name<\/strong>, and select a\u00a0Priority<\/strong>, 100 is a good default unless you need otherwise.<\/li>\n\n\n\n
- Configure the Listener, which \u201clistens\u201d for traffic on a given port and IP address and which we\u2019ll use to redirect traffic from the App Gateway to the Storage Account.\n
\n- Provide a descriptive\u00a0Listener name<\/strong><\/li>\n\n\n\n
- Select\u00a0HTTPS\u00a0<\/strong>as the\u00a0Frontend IP Protocol\u00a0<\/strong>to ensure end-to-end encryption.<\/li>\n\n\n\n
- Upload a certificate which covers the domain name we\u2019ll use for the Application Gateway itself or select an existing Certificate from a Key Vault. Eg\u00a0storage.swilkinson.online<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/sysadmin-central.com\/wp-content\/uploads\/2024\/09\/image-10.png?w=826\")
Example configuration of the Application Gateway Listener<\/figcaption><\/figure>\n\n\n\n\n- Next, configure the\u00a0Backend targets<\/strong>\u00a0by selecting the tab at the top of the Add a routing table prompt.\n
\n- Select the\u00a0Backend target<\/strong>\u00a0you created earlier.<\/li>\n\n\n\n
- Select\u00a0Add new<\/strong>\u00a0and create a new\u00a0Backend Setting<\/strong>, ensuring you follow the steps outlined in the \u201cAdd a Backend Setting<\/strong>\u201d section below.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Once that\u2019s all configured, click\u00a0Add<\/strong>\u00a0to finish configuring the routing rule.<\/li>\n\n\n\n
- Continue through the configuration wizard and select\u00a0Create<\/strong>\u00a0to create the Application Gateway.<\/li>\n<\/ol>\n\n\n\n
Add a Backend Setting<\/h3>\n\n\n\n
These steps should be configured as part of the Add a Routing Rule section above but may also be used as a reference.<\/p>\n\n\n\n
\n- Provide a descriptive\u00a0Backend setting name<\/strong>.<\/li>\n\n\n\n
- Select\u00a0HTTPS<\/strong>\u00a0as the\u00a0Backend protocol<\/strong>\u00a0to ensure End-to-End Encryption.<\/li>\n\n\n\n
- Set \u201cBackend server\u2019s certificate is issued by a well-known CA\u201d to\u00a0Yes<\/strong>.<\/li>\n\n\n\n
- Set \u201cOverride with new host name\u201d to\u00a0Yes<\/strong>.<\/li>\n\n\n\n
- Select\u00a0Override with specific domain name<\/strong>\u00a0under the Host name override section.<\/li>\n\n\n\n
- Set the\u00a0Host name<\/strong>\u00a0to the host name of the Storage Account. In my case this is \u201ctestingstorage32565.blob.core.windows.net<\/em>\u201c. If this is not done correctly, you will receive a \u201cThe request URI is invalid\u201d error when trying to connect.<\/li>\n\n\n\n
- Select\u00a0Yes<\/strong>\u00a0to \u201cCreate custom probes\u201d, then select Add to create the setting.<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/sysadmin-central.com\/wp-content\/uploads\/2024\/09\/image-11.png?w=832\")
Example of a valid configuration for the Backend setting<\/figcaption><\/figure>\n\n\n\nNote<\/strong>: The Basic-tier Application Gateway only allows you to configure up to 5 backend pool targets and 5 routing rules.<\/p>\n\n\n\nStep 2 \u2013 Configure the Created Application Gateway<\/h2>\n\n\n\n
The Basic-tier Application gateway can take some time to provision, once created, navigate to it as there\u2019s some additional configuration we need to do before it\u2019ll work as expected.<\/p>\n\n\n\n
Modify the Custom Health Probe<\/h3>\n\n\n\n
For the routing to work correctly, we must modify the Health probe that was created to update the status code match since the Storage Account returns a 400 HTTP code in this case.<\/p>\n\n\n\n
\n- Navigate to Health probes under Settings and select the only configured probe.<\/li>\n\n\n\n
- Update the\u00a0HTTP response status code match<\/strong>\u00a0to 200-400 instead of the default 200-399 value.<\/li>\n\n\n\n
- Optionally, uncheck \u201cI want to test the backend health before adding the health probe\u201d if your Storage Account is not currently accessible to the Application Gateway.<\/li>\n\n\n\n
- Select\u00a0Test\u00a0<\/strong>or\u00a0Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/sysadmin-central.com\/wp-content\/uploads\/2024\/09\/image-12.png?w=707\")
An example of a valid Custom Health probe<\/figcaption><\/figure>\n\n\n\nStep 3 \u2013 Map a DNS Record<\/h2>\n\n\n\n
Now that we\u2019ve configured the Web Application, we now need to map a domain name to the public IP of the Application Gateway. This can be any valid domain covered by the SSL Certificate you configured earlier.<\/p>\n\n\n\n
Advertisement<\/p>\n\n\n\n
The DNS record should be an A type DNS record.<\/p>\n\n\n\n![\"\"](\"https:\/\/sysadmin-central.com\/wp-content\/uploads\/2024\/09\/image-13.png?w=571\")
An example Azure DNS A record configuration<\/figcaption><\/figure>\n\n\n\nStep 4 \u2013 Lock Down Storage Account Access<\/h2>\n\n\n\n
By default, Storage Accounts allow public network access. To ensure that traffic only flows through the Application Gateway, you\u2019ll need to lock down the Storage Account\u2019s network access.<\/p>\n\n\n\n
\n- Navigate to the Storage Account you\u2019ve configured.<\/li>\n\n\n\n
- Go to the\u00a0Networking<\/strong>\u00a0blade.<\/li>\n\n\n\n
- Under\u00a0Public Network Access<\/strong>, select\u00a0Enabled from selected virtual networks and IP addresses<\/strong>.<\/li>\n\n\n\n
- Add your Application Gateway\u2019s subnet under the\u00a0Virtual Networks<\/strong>\u00a0section, and also add any specific IP addresses if needed.<\/li>\n\n\n\n
- This setting ensures that only traffic routed through the Application Gateway (and the configured IPs<\/em>) can reach your Storage Account.<\/li>\n<\/ol>\n\n\n\n
To manage the Storage Account using the Azure portal (e.g., via the Storage Browser), you need to whitelist your public IP address.<\/p>\n\n\n\n![\"\"](\"https:\/\/sysadmin-central.com\/wp-content\/uploads\/2024\/09\/image-14.png?w=820\")
Example configuration of Storage Account, showing it locked down to the Application Gateway and my own client IP only.<\/figcaption><\/figure>\n\n\n\nStep 5 \u2013 Final Security Check<\/h2>\n\n\n\n
Ensure that the Storage Account\u2019s direct URL (yourstorageaccount.blob.core.windows.net<\/code>) is not accessible from any public IP. Only traffic coming through the Application Gateway should be able to access it.<\/p>\n\n\n\nYou can test this by trying to access the Storage Account URL directly from a machine not in the allowed IP address range or virtual network. The request should be denied, confirming that your security settings are working as intended.<\/p>\n\n\n\n
Wrapping Up<\/h2>\n\n\n\n
At this point, all going well you will have a fully secured Application Gateway fronting your Storage Account, which is configured to ensure End-to-End Encryption and which is configured to be as cost effective as possible.<\/p>\n","protected":false},"excerpt":{"rendered":"
Prerequisites You\u2019ll need the following in-place already. Step 1 \u2013 Create the Application Gateway Here\u2019s how to configure the Application Gateway to use a custom domain and establish HTTPS communication with the Storage Account. Create the Application Gateway There\u2019s quite a bit we need to do here, so let\u2019s break it down to make sure […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,35],"tags":[],"class_list":["post-3529","post","type-post","status-publish","format-standard","hentry","category-azure","category-cloud-computing"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3529"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3529\/revisions"}],"predecessor-version":[{"id":3530,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3529\/revisions\/3530"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- \n
- In my case this is \u201ctestingstorage32565.blob.core.windows.net<\/em>\u201c.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Navigate to the\u00a0Configuration<\/strong>\u00a0stage and select\u00a0Add a routing rule<\/strong>.<\/li>\n<\/ol>\n\n\n\n
There\u2019s quite a bit we need to do here, so let\u2019s break it down to make sure it\u2019s understandable.<\/p>\n\n\n\n
Add a Routing Rule<\/h3>\n\n\n\n
- \n
- Provide a descriptive\u00a0Rule name<\/strong>, and select a\u00a0Priority<\/strong>, 100 is a good default unless you need otherwise.<\/li>\n\n\n\n
- Configure the Listener, which \u201clistens\u201d for traffic on a given port and IP address and which we\u2019ll use to redirect traffic from the App Gateway to the Storage Account.\n
- \n
- Provide a descriptive\u00a0Listener name<\/strong><\/li>\n\n\n\n
- Select\u00a0HTTPS\u00a0<\/strong>as the\u00a0Frontend IP Protocol\u00a0<\/strong>to ensure end-to-end encryption.<\/li>\n\n\n\n
- Upload a certificate which covers the domain name we\u2019ll use for the Application Gateway itself or select an existing Certificate from a Key Vault. Eg\u00a0storage.swilkinson.online<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Example configuration of the Application Gateway Listener<\/figcaption><\/figure>\n\n\n\n - \n
- Next, configure the\u00a0Backend targets<\/strong>\u00a0by selecting the tab at the top of the Add a routing table prompt.\n
- \n
- Select the\u00a0Backend target<\/strong>\u00a0you created earlier.<\/li>\n\n\n\n
- Select\u00a0Add new<\/strong>\u00a0and create a new\u00a0Backend Setting<\/strong>, ensuring you follow the steps outlined in the \u201cAdd a Backend Setting<\/strong>\u201d section below.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Once that\u2019s all configured, click\u00a0Add<\/strong>\u00a0to finish configuring the routing rule.<\/li>\n\n\n\n
- Continue through the configuration wizard and select\u00a0Create<\/strong>\u00a0to create the Application Gateway.<\/li>\n<\/ol>\n\n\n\n
Add a Backend Setting<\/h3>\n\n\n\n
These steps should be configured as part of the Add a Routing Rule section above but may also be used as a reference.<\/p>\n\n\n\n
- \n
- Provide a descriptive\u00a0Backend setting name<\/strong>.<\/li>\n\n\n\n
- Select\u00a0HTTPS<\/strong>\u00a0as the\u00a0Backend protocol<\/strong>\u00a0to ensure End-to-End Encryption.<\/li>\n\n\n\n
- Set \u201cBackend server\u2019s certificate is issued by a well-known CA\u201d to\u00a0Yes<\/strong>.<\/li>\n\n\n\n
- Set \u201cOverride with new host name\u201d to\u00a0Yes<\/strong>.<\/li>\n\n\n\n
- Select\u00a0Override with specific domain name<\/strong>\u00a0under the Host name override section.<\/li>\n\n\n\n
- Set the\u00a0Host name<\/strong>\u00a0to the host name of the Storage Account. In my case this is \u201ctestingstorage32565.blob.core.windows.net<\/em>\u201c. If this is not done correctly, you will receive a \u201cThe request URI is invalid\u201d error when trying to connect.<\/li>\n\n\n\n
- Select\u00a0Yes<\/strong>\u00a0to \u201cCreate custom probes\u201d, then select Add to create the setting.<\/li>\n<\/ol>\n\n\n\n
Example of a valid configuration for the Backend setting<\/figcaption><\/figure>\n\n\n\n Note<\/strong>: The Basic-tier Application Gateway only allows you to configure up to 5 backend pool targets and 5 routing rules.<\/p>\n\n\n\n
Step 2 \u2013 Configure the Created Application Gateway<\/h2>\n\n\n\n
The Basic-tier Application gateway can take some time to provision, once created, navigate to it as there\u2019s some additional configuration we need to do before it\u2019ll work as expected.<\/p>\n\n\n\n
Modify the Custom Health Probe<\/h3>\n\n\n\n
For the routing to work correctly, we must modify the Health probe that was created to update the status code match since the Storage Account returns a 400 HTTP code in this case.<\/p>\n\n\n\n
- \n
- Navigate to Health probes under Settings and select the only configured probe.<\/li>\n\n\n\n
- Update the\u00a0HTTP response status code match<\/strong>\u00a0to 200-400 instead of the default 200-399 value.<\/li>\n\n\n\n
- Optionally, uncheck \u201cI want to test the backend health before adding the health probe\u201d if your Storage Account is not currently accessible to the Application Gateway.<\/li>\n\n\n\n
- Select\u00a0Test\u00a0<\/strong>or\u00a0Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
An example of a valid Custom Health probe<\/figcaption><\/figure>\n\n\n\n Step 3 \u2013 Map a DNS Record<\/h2>\n\n\n\n
Now that we\u2019ve configured the Web Application, we now need to map a domain name to the public IP of the Application Gateway. This can be any valid domain covered by the SSL Certificate you configured earlier.<\/p>\n\n\n\n
Advertisement<\/p>\n\n\n\n
The DNS record should be an A type DNS record.<\/p>\n\n\n\n
An example Azure DNS A record configuration<\/figcaption><\/figure>\n\n\n\n Step 4 \u2013 Lock Down Storage Account Access<\/h2>\n\n\n\n
By default, Storage Accounts allow public network access. To ensure that traffic only flows through the Application Gateway, you\u2019ll need to lock down the Storage Account\u2019s network access.<\/p>\n\n\n\n
- \n
- Navigate to the Storage Account you\u2019ve configured.<\/li>\n\n\n\n
- Go to the\u00a0Networking<\/strong>\u00a0blade.<\/li>\n\n\n\n
- Under\u00a0Public Network Access<\/strong>, select\u00a0Enabled from selected virtual networks and IP addresses<\/strong>.<\/li>\n\n\n\n
- Add your Application Gateway\u2019s subnet under the\u00a0Virtual Networks<\/strong>\u00a0section, and also add any specific IP addresses if needed.<\/li>\n\n\n\n
- This setting ensures that only traffic routed through the Application Gateway (and the configured IPs<\/em>) can reach your Storage Account.<\/li>\n<\/ol>\n\n\n\n
To manage the Storage Account using the Azure portal (e.g., via the Storage Browser), you need to whitelist your public IP address.<\/p>\n\n\n\n
Example configuration of Storage Account, showing it locked down to the Application Gateway and my own client IP only.<\/figcaption><\/figure>\n\n\n\n Step 5 \u2013 Final Security Check<\/h2>\n\n\n\n
Ensure that the Storage Account\u2019s direct URL (
yourstorageaccount.blob.core.windows.net<\/code>) is not accessible from any public IP. Only traffic coming through the Application Gateway should be able to access it.<\/p>\n\n\n\nYou can test this by trying to access the Storage Account URL directly from a machine not in the allowed IP address range or virtual network. The request should be denied, confirming that your security settings are working as intended.<\/p>\n\n\n\n
Wrapping Up<\/h2>\n\n\n\n
At this point, all going well you will have a fully secured Application Gateway fronting your Storage Account, which is configured to ensure End-to-End Encryption and which is configured to be as cost effective as possible.<\/p>\n","protected":false},"excerpt":{"rendered":"
Prerequisites You\u2019ll need the following in-place already. Step 1 \u2013 Create the Application Gateway Here\u2019s how to configure the Application Gateway to use a custom domain and establish HTTPS communication with the Storage Account. Create the Application Gateway There\u2019s quite a bit we need to do here, so let\u2019s break it down to make sure […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,35],"tags":[],"class_list":["post-3529","post","type-post","status-publish","format-standard","hentry","category-azure","category-cloud-computing"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3529"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3529\/revisions"}],"predecessor-version":[{"id":3530,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3529\/revisions\/3530"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Under\u00a0Public Network Access<\/strong>, select\u00a0Enabled from selected virtual networks and IP addresses<\/strong>.<\/li>\n\n\n\n
- Select\u00a0HTTPS<\/strong>\u00a0as the\u00a0Backend protocol<\/strong>\u00a0to ensure End-to-End Encryption.<\/li>\n\n\n\n
- Select\u00a0Add new<\/strong>\u00a0and create a new\u00a0Backend Setting<\/strong>, ensuring you follow the steps outlined in the \u201cAdd a Backend Setting<\/strong>\u201d section below.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Select the\u00a0Backend target<\/strong>\u00a0you created earlier.<\/li>\n\n\n\n
- Select\u00a0HTTPS\u00a0<\/strong>as the\u00a0Frontend IP Protocol\u00a0<\/strong>to ensure end-to-end encryption.<\/li>\n\n\n\n
- Configure the Listener, which \u201clistens\u201d for traffic on a given port and IP address and which we\u2019ll use to redirect traffic from the App Gateway to the Storage Account.\n
- Navigate to the\u00a0Configuration<\/strong>\u00a0stage and select\u00a0Add a routing rule<\/strong>.<\/li>\n<\/ol>\n\n\n\n