Applies to: Nerdio Manager for MSP (NMM)
- Decide on URL
  - The application gateway should be associated with a new URL/domain that can be directed to the gateway, e.g. nmm.contoso.com.
- Obtain SSL certificate
  - For secure HTTPS connections, you will need an SSL cert in PFX format to install on the gateway. The CN of the certificate should correspond to the domain you chose above.
- Public or Private
  - Decide whether the gateway will be accessible from the public internet, or restricted to your Azure network.
Assigning a Custom Domain and SSL certificate to your App Service
Before creating the application gateway, please follow the instructions here for assigning your custom domain and SSL to your app service instance. Use the same URL that you will use for the application gateway. Then return here to proceed with creating the Application Gateway.
Creating the Application Gateway
To begin, sign in to the Azure Portal and search for or navigate to Application Gateways. Create a new application gateway.
The Application Gateway requires an empty subnet. Create a new one or select an existing empty subnet.
Click Next: Frontends to proceed.
For Frontend IP address type, if you want NMM to be accessible from outside your network, select Public. Create a new Public IP or select an existing one. To restrict access to your private vnet, select Private.
Proceed to Backends. Create a backend pool with your NMM app service as the target.
Click Next: Configuration.
Click Add a Routing Rule.
For routes, we will create two listeners, one for HTTP and one for HTTPS.
Select your backend pool as the target. For HTTP settings, click Add new.
Set Override with new host name to Yes, and override with the domain you chose earlier. Set Create custom probes to No.
Add HTTPS route
Add another routing rule for HTTPS. For the HTTPS route, you will need to supply the certificate that the gateway will use for HTTPS connections. The CN of this certificate should match the URL you are going to use to access NMM.
Add another HTTP setting for HTTPS.
If the SSL certificate installed on the app service was issued by a known Certificate Authority, click Yes for Use well known CA certificate. Otherwise, supply a CER file for the app service's public certificate.
Again set Override with new host name to Yes, and override with the domain you chose earlier. Set Create custom probes to No. Click Add to add the HTTP setting and again to add the route.
Apply any tags you wish to associate with the gateway.
Click Next: Review and Create.
As part of configuring your app service to work with the new domain and SSL, you created a CNAME record pointing to the app service's DNS name. Change that record to point to the Application Gateway's DNS name. If you have not done so yet, you can create the gateway's DNS name by selecting the Public IP and editing the DNS name.
Test by opening your URL in a browser. You should be asked to authenticate and then taken to the NMM site.
Restrict Network Access
By default, your app service remains available at its own URL, and requests sent there bypass the Application Gateway. You may wish to restrict access to the app service so that it accepts traffic only from the gateway's IP address.
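One way to check that a set of app service access restriction rules closes this bypass, as an added example that is not Nerdio's or Azure's own code. It models the App Service evaluation order (lowest priority number first, first match wins, implicit deny once any rule exists); the rule shape, rule names and all IP addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample rule sets in a simplified shape (an assumption, not an
# Azure export format). Lower priority number is evaluated first.
GATEWAY_IP = "203.0.113.10"  # placeholder for the gateway's frontend IP
LOCKED = [{"name": "allow-appgw", "action": "Allow",
           "cidr": "203.0.113.10/32", "priority": 100}]
TOO_WIDE = LOCKED + [{"name": "allow-any", "action": "Allow",
                      "cidr": "0.0.0.0/0", "priority": 200}]
UNRESTRICTED = []  # the default state: no rules on the app service


def decide(rules, source_ip):
    """Return 'Allow' or 'Deny' for one source address."""
    if not rules:
        return "Allow"  # no rules configured: every source is accepted
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if addr in ipaddress.ip_network(rule["cidr"], strict=False):
            return rule["action"]  # first matching rule wins
    return "Deny"  # implicit deny-all once at least one rule exists


def audit(rules, gateway_ip, probes=("198.51.100.7", "192.0.2.44")):
    """Return findings; an empty list means only the gateway gets through."""
    findings = []
    if decide(rules, gateway_ip) != "Allow":
        findings.append(f"gateway {gateway_ip} is blocked")
    for ip in probes:  # constructed non-gateway source addresses
        if decide(rules, ip) == "Allow":
            findings.append(f"{ip} bypasses the gateway")
    return findings


if __name__ == "__main__":
    for label, rules in (("locked", LOCKED), ("too wide", TOO_WIDE),
                         ("unrestricted", UNRESTRICTED)):
        print(label, audit(rules, GATEWAY_IP) or "ok")
```
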
By default, the Web Application Firewall is in detection mode, meaning it will not block requests but will detect suspicious activity. However, the WAF requires further configuration in order to log or block this activity. Learn more about Configuring the WAF here.