Nerdio Help Center

Using NMM with an Application Gateway and Web Application Firewall


Applies to: Nerdio Manager for MSP (NMM)


Prerequisites:

  1. Decide on URL
    • The application gateway should be associated with a new URL/domain that can be directed to the gateway, e.g. nmm.contoso.com.
  2. Obtain SSL certificate
    • For secure HTTPS connections, you will need an SSL cert in PFX format to install on the gateway. The CN of the certificate should correspond to the domain you chose above.
  3. Public or Private
    • Decide whether the gateway will be accessible from the public internet or restricted to your Azure network.

 

Assigning a Custom Domain and SSL certificate to your App Service

Before creating the application gateway, please follow the instructions here for assigning your custom domain and SSL to your app service instance. Use the same URL that you will use for the application gateway. Then return here to proceed with creating the Application Gateway.

 

Creating the Application Gateway

To begin, sign in to the Azure Portal and search for or navigate to Application Gateways. Create a new application gateway.

 

The Application Gateway requires an empty subnet. Create a new one or select an existing empty subnet.

Click Next: Frontends to proceed.

For Frontend IP address type, if you want NMM to be accessible from outside your network, select Public. Create a new Public IP or select an existing one. To restrict access to your private vnet, select Private.

 

 

Proceed to Backends. Create a backend pool with your NMM app service as the target.

 

Click Add.

Click Next: Configuration.

Click Add a Routing Rule.

For routes, we will create two listeners, one for HTTP and one for HTTPS.

 

Select your backend pool as the target. For HTTP settings, click Add new.

Set Override with new host name to Yes, and override with the domain you chose earlier. Set Create custom probes to No.

 

Add HTTPS route

Add another routing rule for HTTPS. For the HTTPS route, you will need to supply the certificate that the gateway will use for HTTPS connections. The CN of this certificate should match the URL you are going to use to access NMM.

 

Add another HTTP setting for HTTPS.

 

If the SSL certificate installed on the app service was issued by a known Certificate Authority, click Yes for Use well known CA certificate. Otherwise, supply a CER file for the app service's public certificate.

 

Again set Override with new host name to Yes, and override with the domain you chose earlier. Set Create custom probes to No. Click Add to add the HTTP setting, and click Add again to add the route.

 

Click Next: Tags.

Apply any tags you wish to associate with the gateway.

 

Click Next: Review and Create.

Click Create.

 

 

CNAME Record

As part of configuring your app service to work with the new domain and SSL, you created a CNAME record pointing to the app service's DNS name. Change that record to point to the Application Gateway's DNS name. If you have not done so yet, you can create the gateway's DNS name by selecting the Public IP and editing the DNS name.

Test

Test by opening your URL in a browser. You should be asked to authenticate and then taken to the NMM site.

 

Restrict Network Access

By default, your app service will remain available at its own URL. Accessing it this way bypasses the Application Gateway, and with it the WAF. You may wish to restrict access to the app service so that it only accepts traffic from the gateway's IP address.
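
An added example, not part of the original article and not Nerdio's or Microsoft's code: a small Python model of how App Service access restrictions decide a request (rules are checked in priority order, and an implicit deny applies once any rule exists), used to check that only the gateway's IP can reach the app service. The rule format, rule sets and all IP addresses are constructed for illustration.

```python
import ipaddress

GATEWAY_IP = "203.0.113.10"  # constructed: stands in for the gateway's public IP
PROBES = ["198.51.100.7", "192.0.2.44", "203.0.113.99"]  # constructed client IPs

# Constructed rule sets in a simplified format (not an Azure export schema).
OPEN = []  # no restrictions configured
LOCKED = [{"priority": 100, "action": "Allow", "cidr": "203.0.113.10/32"}]
TOO_BROAD = [{"priority": 100, "action": "Allow", "cidr": "203.0.113.0/24"}]
MISORDERED = [
    {"priority": 50, "action": "Deny", "cidr": "0.0.0.0/0"},
    {"priority": 100, "action": "Allow", "cidr": "203.0.113.10/32"},
]


def evaluate(rules, source_ip):
    """Return 'Allow' or 'Deny' for source_ip under the given rules."""
    if not rules:
        return "Allow"  # default state: the app service answers everyone
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if ip in ipaddress.ip_network(rule["cidr"], strict=False):
            return rule["action"]  # lowest priority number that matches wins
    return "Deny"  # implicit deny once at least one rule exists


def bypass_findings(rules, gateway_ip, probe_ips):
    """List problems: gateway locked out, or clients that can skip the gateway."""
    findings = []
    if evaluate(rules, gateway_ip) != "Allow":
        findings.append(f"gateway {gateway_ip} is blocked by the rules")
    for ip in probe_ips:
        if ip != gateway_ip and evaluate(rules, ip) == "Allow":
            findings.append(f"{ip} reaches the app service directly")
    return findings


if __name__ == "__main__":
    for name, rules in [("open", OPEN), ("locked", LOCKED),
                        ("too broad", TOO_BROAD), ("misordered", MISORDERED)]:
        print(name, bypass_findings(rules, GATEWAY_IP, PROBES) or "ok")
```

Only the `LOCKED` rule set passes: a single allow rule for the gateway's /32 keeps NMM reachable through the gateway while every other source is denied.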

 

WAF

By default, the Web Application Firewall is in detection mode, meaning it will not block requests but will detect suspicious activity. However, the WAF requires further configuration in order to log or block this activity. Learn more about Configuring the WAF here.
