Add support for Azure Network Security Group Inbound rules to the Azure Application Gateway
• In Azure, we CANNOT apply an inbound NSG rule with the destination set to the public IP of the APPGW to allow/block traffic to this APPGW. We know this is by design:
Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic.
• Even for a VM-level public IP, we cannot allow/block traffic via an inbound subnet-level NSG rule with that destination public IP.
• The workaround I can think of is to deploy each gateway to a dedicated subnet, then apply an inbound subnet-level NSG rule with destination IP “Any”, as the APPGW instance’s private IP is invisible to the customer.
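The following is an added example (not part of the original post, and not Microsoft's tooling) that puts the point above into a check: because inbound NSG rules are evaluated after the public IP has been translated to the instance's private IP, an inbound rule whose destination is the gateway's public IP can never match. The checker flags such rules, and the constructed sample set contains one of them next to the dedicated-subnet workaround rule with destination `*`. It assumes rules in the JSON shape produced by `az network nsg rule list -o json` (camelCase keys such as `direction` and `destinationAddressPrefix`), IPv4 only, and that the VNet uses RFC 1918 or carrier-grade NAT address space; the IP addresses in the sample are constructed documentation-range values.

```python
"""Flag inbound Azure NSG rules whose match depends on a public destination IP.

Added example, not code from the original post. Assumed input shape: the
list returned by `az network nsg rule list -o json` (camelCase keys).
"""
import ipaddress

# Address space assumed to be in use inside the VNet (assumption: RFC 1918 plus
# the 100.64.0.0/10 range). Anything outside it is treated as a public IP.
VNET_PRIVATE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


def _destinations(rule):
    """Collect both the single-prefix and multi-prefix destination fields."""
    single = rule.get("destinationAddressPrefix")
    many = rule.get("destinationAddressPrefixes") or []
    return [p for p in [single, *many] if p]


def _is_public_ip(prefix):
    """True when `prefix` is an IPv4 literal outside the assumed VNet ranges.

    "*" and service tags such as "Internet" or "VirtualNetwork" are not IP
    literals, so they are never reported as public IPs.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    if net.version != 4:  # assumption: IPv4-only VNet
        return False
    return not any(net.subnet_of(r) for r in VNET_PRIVATE_RANGES)


def ineffective_inbound_rules(rules):
    """Return (rule name, public prefixes) for inbound rules that cannot match.

    Azure applies inbound NSG rules after the public IP is translated to the
    private IP, so an inbound rule keyed on a public destination IP (e.g. the
    Application Gateway's frontend IP) never sees matching traffic.
    """
    findings = []
    for rule in rules:
        if str(rule.get("direction", "")).lower() != "inbound":
            continue
        public = [p for p in _destinations(rule) if _is_public_ip(p)]
        if public:
            findings.append((rule["name"], public))
    return findings


# Constructed sample: one rule keyed on the gateway's (made-up) public IP, one
# rule written the way the workaround above suggests (dedicated subnet,
# destination "*"), and one outbound rule, which is evaluated before SNAT and
# is therefore not affected.
SAMPLE_RULES = [
    {"name": "allow-https-to-appgw-pip", "direction": "Inbound", "access": "Allow",
     "priority": 100, "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationAddressPrefix": "203.0.113.10", "destinationPortRange": "443"},
    {"name": "allow-https-dedicated-subnet", "direction": "Inbound", "access": "Allow",
     "priority": 110, "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "deny-egress-to-pip", "direction": "Outbound", "access": "Deny",
     "priority": 200, "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "203.0.113.10", "destinationPortRange": "*"},
]


if __name__ == "__main__":
    for name, prefixes in ineffective_inbound_rules(SAMPLE_RULES):
        print(f"{name}: inbound rule keyed on public destination {prefixes} will never match")
```

In practice the rule list would come from `az network nsg rule list --nsg-name <nsg> -g <rg> -o json`; the checker reports `allow-https-to-appgw-pip` and is silent on the destination-`*` rule, which is the form that actually works on a subnet dedicated to one gateway.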