Exploring Private DNS + Azure Application Gateway for Secure Web Apps - Marcin Gastol

Exploring Private DNS + Azure Application Gateway for Secure Web Apps

Intro

Organizations increasingly run applications that should never be exposed directly to the public internet—internal line-of-business portals, partner applications, healthcare systems, and hybrid workloads connected through VPN or ExpressRoute. While Azure Application Gateway is commonly used for internet-facing traffic, it also serves as a powerful entry point for private application architectures.

In this article, we’ll walk through configuring an internal Azure Application Gateway behind Azure Private DNS, creating a secure application delivery pattern that keeps traffic private while still enabling clean custom-domain experiences and centralized routing.

We’ll also look at how PowerShell can automate deployment and ongoing operational tasks.

Why combine Private DNS and Application Gateway?

Azure Application Gateway provides:

  • Layer 7 load balancing
  • SSL/TLS termination
  • Web Application Firewall (WAF)
  • Path-based routing
  • Session affinity
  • Backend health monitoring

Azure Private DNS complements these capabilities by enabling:

  • Internal-only name resolution
  • Consistent DNS naming across VNets
  • Hybrid DNS integration
  • Simplified application discovery

Together they create a pattern where:

  • Applications remain inaccessible from the public internet
  • Internal users use friendly names (portal.contoso.internal)
  • Hybrid users can resolve and access services through VPN/ExpressRoute
  • Routing and security policies are centralized

Application Gateway supports DNS-based backend resolution and can integrate with private networking scenarios through Azure DNS and custom DNS configurations.

Deployment Scenario

Let’s assume the following names and resources:

Resource                     Value
Resource Group               rg-internalapps
VNet                         corp-vnet
Application Gateway subnet   appgw-subnet
Backend subnet               app-subnet
Private DNS Zone             contoso.internal
Internal application         portal.contoso.internal

Create networking components

Begin by creating the required networking resources.

PowerShell
$resourceGroup = "rg-internalapps"
$location = "EastUS"

New-AzResourceGroup `
    -Name $resourceGroup `
    -Location $location

$vnet = New-AzVirtualNetwork `
    -Name "corp-vnet" `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -AddressPrefix "10.10.0.0/16"

# Application Gateway needs a subnet of its own; nothing else should be placed in it
Add-AzVirtualNetworkSubnetConfig `
    -Name "appgw-subnet" `
    -AddressPrefix "10.10.1.0/24" `
    -VirtualNetwork $vnet

Add-AzVirtualNetworkSubnetConfig `
    -Name "app-subnet" `
    -AddressPrefix "10.10.2.0/24" `
    -VirtualNetwork $vnet

# Commit the subnet changes and keep the returned object, which now carries the subnet IDs
$vnet = $vnet | Set-AzVirtualNetwork

Create a Private DNS zone

PowerShell
$dnsZone = New-AzPrivateDnsZone `
    -Name "contoso.internal" `
    -ResourceGroupName $resourceGroup

New-AzPrivateDnsVirtualNetworkLink `
    -ResourceGroupName $resourceGroup `
    -ZoneName "contoso.internal" `
    -Name "corp-link" `
    -VirtualNetworkId $vnet.Id

The VNet link allows virtual machines and services inside the linked network to resolve records in the private zone; a zone with no link is not visible from anywhere.

Private DNS zones provide centralized internal name resolution, while VNet links control which networks can see the zone. Link every VNet (hub and spokes) whose clients must resolve the name, and only those.

Deploy an internal Application Gateway

Next, create an Application Gateway with only a private frontend. The original listing below omitted several components that New-AzApplicationGateway requires (gateway IP configuration, frontend port, TLS certificate, backend HTTP settings, a routing rule and an SKU object), so they are included here. Note that the Standard_v2 SKU has historically required a public frontend IP configuration alongside the private one; private-only v2 deployment is a newer capability, so confirm it is available in your region before relying on it.

PowerShell
$appGwSubnet = Get-AzVirtualNetworkSubnetConfig `
    -Name "appgw-subnet" `
    -VirtualNetwork $vnet

# Subnet the gateway instances are placed in
$gatewayIPConfig = New-AzApplicationGatewayIPConfiguration `
    -Name "GatewayIPConfig" -Subnet $appGwSubnet

$gatewayIP = New-AzApplicationGatewayFrontendIPConfig `
    -Name "PrivateFrontend" `
    -PrivateIPAddress "10.10.1.10" `
    -Subnet $appGwSubnet

$frontendPort = New-AzApplicationGatewayFrontendPort -Name "Port443" -Port 443

# Certificate the HTTPS listener presents (PFX path and password are placeholders)
$cert = New-AzApplicationGatewaySslCertificate `
    -Name "PortalCert" `
    -CertificateFile "C:\certs\portal.pfx" `
    -Password (Read-Host -AsSecureString -Prompt "PFX password")

# Backend addresses are added once the application servers exist in app-subnet
$pool = New-AzApplicationGatewayBackendAddressPool `
    -Name "BackendPool"

$httpSettings = New-AzApplicationGatewayBackendHttpSetting `
    -Name "PortalSettings" -Port 443 -Protocol Https -CookieBasedAffinity Disabled

$listener = New-AzApplicationGatewayHttpListener `
    -Name "PortalListener" `
    -Protocol Https `
    -FrontendIPConfiguration $gatewayIP `
    -FrontendPort $frontendPort `
    -SslCertificate $cert

$rule = New-AzApplicationGatewayRequestRoutingRule `
    -Name "PortalRule" -RuleType Basic -Priority 100 `
    -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $httpSettings

$sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2 -Capacity 2

$appGw = New-AzApplicationGateway `
    -Name "internal-appgw" `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -GatewayIPConfigurations $gatewayIPConfig `
    -FrontendIPConfigurations $gatewayIP `
    -FrontendPorts $frontendPort `
    -SslCertificates $cert `
    -BackendAddressPools $pool `
    -BackendHttpSettingsCollection $httpSettings `
    -HttpListeners $listener `
    -RequestRoutingRules $rule `
    -Sku $sku

Associate a custom internal domain

Create an A record inside the Private DNS zone that points the friendly name at the gateway's private frontend IP:

PowerShell
# portal.contoso.internal -> 10.10.1.10 (the private frontend configured above)
New-AzPrivateDnsRecordSet `
    -Name "portal" `
    -RecordType A `
    -ZoneName "contoso.internal" `
    -ResourceGroupName $resourceGroup `
    -Ttl 3600 `
    -PrivateDnsRecords (
        New-AzPrivateDnsRecordConfig -IPv4Address "10.10.1.10"
    )

Clients inside a VNet linked to the zone (or hybrid clients whose DNS forwards to it) can now access:

https://portal.contoso.internal

instead of remembering private IP addresses.
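Once the pieces are in place, it is worth checking that the deployment is actually private and that the name, the gateway and the backends agree with each other. The function below is an added example written for this article, not code from the original post; it assumes the Az.Network and Az.PrivateDns modules, the resource names used above, and that the last two commands are run from a VM inside a VNet linked to the zone (the private zone is invisible from anywhere else). The function name Test-InternalAppGateway and its parameters are hypothetical.

```powershell
# Added example: post-deployment checks for the private Application Gateway pattern.
# Assumes Az.Network and Az.PrivateDns are installed and the session is signed in.
function Test-InternalAppGateway {
    param(
        [string]$ResourceGroup = "rg-internalapps",
        [string]$GatewayName   = "internal-appgw",
        [string]$ZoneName      = "contoso.internal",
        [string]$RecordName    = "portal"
    )

    $gw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

    # 1. A frontend carrying a public IP would expose every listener bound to it.
    $public = $gw.FrontendIPConfigurations | Where-Object { $_.PublicIPAddress -ne $null }
    if ($public) {
        Write-Warning "Public frontend(s) present: $($public.Name -join ', ')"
    }
    $privateIps = $gw.FrontendIPConfigurations |
        Where-Object { $_.PrivateIPAddress } |
        ForEach-Object { $_.PrivateIPAddress }

    # 2. The Private DNS A record must point at one of the gateway's private frontends;
    #    a stale record sends users to whatever now owns that address.
    $record = Get-AzPrivateDnsRecordSet -ResourceGroupName $ResourceGroup `
        -ZoneName $ZoneName -Name $RecordName -RecordType A
    $recordIps = $record.Records | ForEach-Object { $_.Ipv4Address }
    $stale = $recordIps | Where-Object { $_ -notin $privateIps }
    if ($stale) {
        Write-Warning "A record '$RecordName.$ZoneName' points at $($stale -join ', '), gateway frontends are $($privateIps -join ', ')"
    }

    # 3. Every listener should terminate TLS; an HTTP listener accepts plaintext on the private frontend.
    $plain = $gw.HttpListeners | Where-Object { $_.Protocol -eq "Http" }
    if ($plain) {
        Write-Warning "HTTP listener(s) without TLS: $($plain.Name -join ', ')"
    }

    # 4. Backend health: the name can resolve and the listener can answer while every
    #    pool member is unhealthy, so surface the probe results explicitly.
    $health = Get-AzApplicationGatewayBackendHealth -Name $GatewayName -ResourceGroupName $ResourceGroup
    foreach ($pool in $health.BackendAddressPools) {
        foreach ($settings in $pool.BackendHttpSettingsCollection) {
            foreach ($server in $settings.Servers) {
                "{0} -> {1}: {2}" -f $pool.BackendAddressPool.Id.Split('/')[-1], $server.Address, $server.Health
            }
        }
    }

    [pscustomobject]@{
        PublicFrontends    = @($public).Count
        PrivateFrontendIps = $privateIps
        RecordIps          = $recordIps
        PlaintextListeners = @($plain).Count
    }
}

Test-InternalAppGateway

# From a VM inside a linked VNet: confirm the name resolves to the private frontend
# and that TCP 443 is reachable through the gateway subnet.
Resolve-DnsName -Name "portal.contoso.internal" -Type A
Test-NetConnection -ComputerName "portal.contoso.internal" -Port 443
```

The summary object is meant for a pipeline or scheduled job: a non-zero PublicFrontends or PlaintextListeners count is the condition to fail on, and a mismatch between RecordIps and PrivateFrontendIps is the usual cause of "the name resolves but the portal does not load" after a gateway is rebuilt with a different private address.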

Wrapping it all up

Internal and hybrid applications often require the same user experience as public applications without exposing workloads to unnecessary risk. Combining Azure Application Gateway with Azure Private DNS creates a clean architecture where internal services retain friendly naming, centralized routing, and strong security boundaries.

PowerShell further simplifies deployment and day-two operations by turning repetitive networking tasks into reusable automation.

As organizations continue adopting hybrid architectures, this pattern provides a scalable foundation for secure application delivery.
