This is a valid request. We are looking to update more settings that will be sticky to a slot and we have added IP restrictions to that list.
We bought dedicated Application Gateways for each slot to get around all of the problems of going through a central Application Gateway/Web Application Firewall for all deployment environments. Well, now we find out that IP Restrictions are not sticky to the deployment slots. Isn't this a fine mess? Please escalate this request as even throwing money at all the extra Gateways does not help us unless we open a gaping hole in security.
Application Gateway backend pools are not natively aware of an App Service's deployment slots. To get around this, instead of targeting a backend pool of type "App Service", I need to target type "IP or FQDN" and then put in the "client-staging.azurewebsites.com" or "client-development.azurewebsites.com" values (if using the original example).
At the very least, make the backend pool App Service target aware of the deployment slots to select in the drop-down list.
However, the original poster's (OP) request would be a complete solution: Have the Application Gateways be aware of app service deployment slot swaps so we don't need to manually fuss with App Gateways for slot swaps. App Gateways should be swap-aware.
We are planning to support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on AppGw.
I am surprised this doesn't have more votes. The App Service Certificate terribly loses its value by not giving the front end direct access to use it.
Application Gateways not being able to access the certificate from Azure Key Vault is a security problem because of the need to export a PFX.
It also greatly diminishes the value of the higher price of an Azure App Service Certificate (ASC). It is no more secure than going to any other CA at this point who can charge far less for a certificate of the same value.
Thank you for all the votes/feedback. We are unable to give an ETA in this public forum but please be assured this is one of our top priorities at the moment.
Glad to hear that this is being actively developed. It can't come soon enough.
This is a major blocker to implementing on Azure. We have 100s or 1000s of mini-sites with custom sub-domains to distinguish them. Application Gateway is not scalable - dead in the water.
This is very important. Since we need to use the App Service Certificate at the Application Gateway, we are forced to turn off auto-renew on the certificate and do it manually. This is a noticeable loss of value to the ASC offering. Allowing the Application Gateway to get the certificate from Azure Key Vault would maintain full functionality.
Yes, please make dynamic DNS native for the Azure DNS service.