title | titleSuffix | description | services | author | ms.service | ms.topic | ms.date | ms.author |
---|---|---|---|---|---|---|---|---|
Manage traffic to multi-tenant apps using the portal | Azure Application Gateway | This article provides guidance on how to configure Azure App service web apps as members in backend pool on an existing or new application gateway. | application-gateway | surajmb | application-gateway | how-to | 09/23/2020 | victorh |

Because app service is a multi-tenant service rather than a dedicated deployment, it uses the host header in the incoming request to resolve the request to the correct app service endpoint. Usually, the DNS name of the application, which in turn is the DNS name associated with the application gateway fronting the app service, is different from the domain name of the backend app service. Therefore, the host header in the original request received by the application gateway is not the same as the host name of the backend service. As a result, unless the host header in the request from the application gateway to the backend is changed to the host name of the backend service, the multi-tenant backends cannot resolve the request to the correct endpoint.
Application Gateway provides a switch called Pick host name from backend target, which overrides the host header in the request with the host name of the backend when the request is routed from the Application Gateway to the backend. This capability enables support for multi-tenant backends such as Azure app service and API management.
In this article, you learn how to:
- Edit a backend pool and add an App Service to it
- Edit HTTP Settings with 'Pick Hostname' switch enabled

Prerequisites:
- Application gateway: Create an application gateway without a backend pool target. For more information, see Quickstart: Direct web traffic with Azure Application Gateway - Azure portal
- App service: If you don't have an existing App service, see App service documentation.

To add an App Service to the backend pool:
- In the Azure portal, select your application gateway.
- Under Backend pools, select the backend pool.
- Under Target type, select App Services.
- Under Target, select your App Service.
:::image type="content" source="./media/configure-web-app-portal/backend-pool.png" alt-text="App service backend":::
> [!NOTE]
> The dropdown lists only the app services that are in the same subscription as your Application Gateway. To use an app service that is in a different subscription from the Application Gateway, don't choose App Services in the Targets dropdown. Instead, choose the IP address or hostname option and enter the hostname (example. azurewebsites.net) of the app service.
- Select Save.

To edit the HTTP settings:
- Under HTTP Settings, select the existing HTTP setting.
- Under Override with new host name, select Yes.
- Under Host name override, select Pick host name from backend target.
- Select Save.
:::image type="content" source="./media/configure-web-app-portal/http-settings.png" alt-text="Pick host name from backend http settings":::
When the app service sends a redirection response to the client to redirect to its relative path (for example, a redirect from `contoso.azurewebsites.net/path1` to `contoso.azurewebsites.net/path2`), it uses the same hostname in the location header of its response as the one in the request it received from the application gateway. So the client will make the request directly to `contoso.azurewebsites.net/path2` instead of going through the application gateway (`contoso.com/path2`). Bypassing the application gateway isn't desirable.
If your use case includes scenarios where the App service needs to send a redirection response to the client, perform the additional steps to rewrite the location header.
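
A check for the redirect bypass described above, as an added example that is not part of the original article: it flags redirect responses whose Location header points at the App Service default domain and shows the value a location-header rewrite should produce. The sample responses are constructed, `contoso.com` and `azurewebsites.net` are the names used in this article, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

BACKEND_SUFFIX = ".azurewebsites.net"  # App Service default domain (from the article)
PUBLIC_HOST = "contoso.com"            # name clients use for the gateway (from the article)
REDIRECTS = {301, 302, 303, 307, 308}

def leaks_backend(location, backend_suffix=BACKEND_SUFFIX):
    """True if a Location value sends the client straight to the backend host."""
    host = urlsplit(location).hostname  # None for relative redirects such as "/path2"
    return host is not None and host.endswith(backend_suffix)

def rewrite_location(location, public_host=PUBLIC_HOST, backend_suffix=BACKEND_SUFFIX):
    """Swap the backend host for the public one; keep scheme, path, query, fragment."""
    if not leaks_backend(location, backend_suffix):
        return location  # relative, already public, or an unrelated external site
    p = urlsplit(location)
    # Any backend port is dropped on purpose: clients reach the gateway listener.
    return urlunsplit((p.scheme, public_host, p.path, p.query, p.fragment))

def audit(responses, backend_suffix=BACKEND_SUFFIX):
    """Return (status, location) for each redirect that bypasses the gateway.

    responses: iterable of (status_code, headers_dict) as seen by a client
    that sent its requests to the gateway's public name.
    """
    findings = []
    for status, headers in responses:
        if status not in REDIRECTS:
            continue
        # Header names are case-insensitive, so match on the lowercased name.
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if location and leaks_backend(location, backend_suffix):
            findings.append((status, location))
    return findings

# Constructed sample responses (not captured from a real deployment).
SAMPLE = [
    (302, {"Location": "https://contoso.azurewebsites.net/path2"}),
    (301, {"location": "//contoso.azurewebsites.net/login?next=%2Fpath2"}),
    (302, {"Location": "/path2"}),
    (302, {"Location": "https://contoso.com/path2"}),
    (200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for status, loc in audit(SAMPLE):
        print(status, loc, "->", rewrite_location(loc))
```
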
The web apps deployed in these examples use public IP addresses that can be accessed directly from the Internet. This helps with troubleshooting when you are learning about a new feature and trying new things. But if you intend to deploy a feature into production, you'll want to add more restrictions.
One way you can restrict access to your web apps is to use Azure App Service static IP restrictions. For example, you can restrict the web app so that it only receives traffic from the application gateway. Use the app service IP restriction feature to list the application gateway VIP as the only address with access.
To learn more about the App service and other multi-tenant support with application gateway, see multi-tenant service support with application gateway.