Application gateway support multi-site listening on Private and Public Frontend IPs
Currently the web application firewall can be configured with multiple frontend IPs, such as public and private. However, multi-site listeners cannot be configured on the standard web ports (80 and 443) on both frontend IPs: no port overlap is allowed. The user must decide which of the two frontend IPs gets to listen on the standard web ports, and the other must be configured on alternate ports. This is not usable for non-technical end users, and many of us require both public and private frontend IPs to support internal-only sites (such as a company intranet) in addition to customer-facing ones.
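The constraint the request describes (one port may be bound on only one frontend IP configuration, while several host-name listeners may share a frontend and port) is easy to trip over only at deployment time, when the listener error appears. The following is an added example, not Azure tooling or the requester's code: a small pre-deployment check that runs over a simplified listener list shaped like ARM `httpListeners` entries, reports ports bound on more than one frontend IP, flags exact duplicate bindings, and proposes alternate ports for the non-preferred frontend. The frontend IP configuration names, listener names and host names are constructed for illustration, and the alternate-port table (8080/8081 for 80, 8443/8444 for 443) is an assumption.

```python
from collections import defaultdict

# Constructed frontend IP configuration names (assumed, not from the page).
PUBLIC_FE = "appGwPublicFrontendIp"
PRIVATE_FE = "appGwPrivateFrontendIp"

# Constructed sample listeners: two host-based (multi-site) listeners on the
# public frontend share port 443, which is allowed; the intranet listener on the
# private frontend also wants 443, which is the overlap the page describes.
SAMPLE_LISTENERS = [
    {"name": "public-https", "frontendIp": PUBLIC_FE, "port": 443, "hostName": "www.example.com"},
    {"name": "public-api-https", "frontendIp": PUBLIC_FE, "port": 443, "hostName": "api.example.com"},
    {"name": "intranet-https", "frontendIp": PRIVATE_FE, "port": 443, "hostName": "intranet.example.com"},
    {"name": "public-http", "frontendIp": PUBLIC_FE, "port": 80, "hostName": None},
]

# Assumed alternate ports to fall back to when a port is already taken by the
# preferred frontend; the page only says "alternate ports", so this table is ours.
DEFAULT_ALTERNATES = {80: (8080, 8081), 443: (8443, 8444)}


def find_port_conflicts(listeners):
    """Return {port: sorted frontend names} for each port bound on more than one frontend IP."""
    by_port = defaultdict(set)
    for lst in listeners:
        by_port[lst["port"]].add(lst["frontendIp"])
    return {port: sorted(fes) for port, fes in sorted(by_port.items()) if len(fes) > 1}


def find_duplicate_bindings(listeners):
    """Return {(frontendIp, port, hostName): [listener names]} for bindings declared twice.

    Multi-site listeners may share a frontend and port only if their host names differ.
    """
    seen = defaultdict(list)
    for lst in listeners:
        seen[(lst["frontendIp"], lst["port"], lst["hostName"])].append(lst["name"])
    return {key: names for key, names in seen.items() if len(names) > 1}


def plan_alternate_ports(listeners, keep_frontend, alternates=None):
    """Move listeners that collide with keep_frontend onto free alternate ports.

    Returns (new_listeners, moves); moves is a list of (name, old_port, new_port).
    Listeners sharing the same (frontend, port) are moved together so that
    host-based listeners stay on one port. Raises ValueError when no alternate is free.
    """
    alternates = DEFAULT_ALTERNATES if alternates is None else alternates
    conflicts = find_port_conflicts(listeners)
    used_ports = {lst["port"] for lst in listeners}
    remap = {}  # (frontendIp, old_port) -> new_port
    planned, moves = [], []
    for lst in listeners:
        entry = dict(lst)
        key = (lst["frontendIp"], lst["port"])
        if lst["port"] in conflicts and lst["frontendIp"] != keep_frontend:
            if key not in remap:
                candidates = [p for p in alternates.get(lst["port"], ())
                              if p not in used_ports and p not in remap.values()]
                if not candidates:
                    raise ValueError(f"no free alternate port for {key}")
                remap[key] = candidates[0]
            entry["port"] = remap[key]
            moves.append((lst["name"], lst["port"], entry["port"]))
        planned.append(entry)
    return planned, moves


if __name__ == "__main__":
    print("port conflicts:", find_port_conflicts(SAMPLE_LISTENERS))
    print("duplicate bindings:", find_duplicate_bindings(SAMPLE_LISTENERS))
    fixed, moves = plan_alternate_ports(SAMPLE_LISTENERS, keep_frontend=PUBLIC_FE)
    for name, old, new in moves:
        print(f"move listener {name}: port {old} -> {new}")
    print("conflicts after replanning:", find_port_conflicts(fixed))
```

Running the check before `az deployment` or a Terraform apply turns the late listener error into a readable report, and the replanning step documents exactly which internal listeners were pushed to non-standard ports so the intranet teams know which URLs to publish.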
Kozak, Daniel commented
Joakim Borgström commented
I also just came across this problem. We have an ExpressRoute to our company network for internal traffic. It would be nice to not have to set up two identical Application Gateways (one for public use and one for internal use) just because of this seemingly arbitrary limitation.
Andrew Lloyd commented
Concur with David Parsons' comments that it seems flawed that you can't bind standard 80 and 443 to 2 separate IP addresses (public and private). This would seem to be missing in any documentation I have seen.
david parsons commented
Just came across this problem myself when trying to use the AppGW for internet and Intranet (from VNET). This really should be a must have for an AppGW and WAF.
It seems a strange limitation when it gives you the option to use both public and private IPs and doesn't mention you can't use the same ports, apart from the error you get when setting up a listener.
It would be nice, as an interim, to put a message on the config page to state that the ports can't be shared between public and private IPs.
Didn't see this in the documentation.
Ken Leach commented
I agree. Often companies want to keep traffic private to and from Azure using ExpressRoute or VPNs. To have a public listener is fine for internet users, but to force people on the company infrastructure to go to the internet and back down changes the required network traffic pattern. A private IP listening on the same port as the public one would solve this, vs. having to use 8080 or something. Is there a workaround for this issue?