Use Nerdio Manager with an Application Gateway and Web Application Firewall


Prerequisites:

  • Decide on a URL: The application gateway should be associated with a new URL/domain that can be directed to the gateway. For example, nmm.contoso.com.

  • Obtain an SSL certificate: For secure HTTPS connections, you need an SSL certificate in PFX format to install on the gateway. The CN of the certificate should correspond to the domain you chose above.

  • Public or Private: Decide whether the gateway is accessible from the public internet, or restricted to your Azure network.

Assign a Custom Domain and SSL Certificate to your App Service

Before creating the application gateway, you must assign your custom domain and SSL to your Nerdio Manager app service instance. See How to Customize the Nerdio Manager URL for detailed instructions.

Note: Use the same URL that you will use for the application gateway.

Once you have assigned your custom domain and SSL to Nerdio Manager, you can proceed with creating the Application Gateway.

Create the Application Gateway

This procedure discusses how to create the application gateway.

To create the application gateway:

  1. In the Azure portal, navigate to Application gateways.

  2. Select + Create.

  3. Enter the required information to create an application gateway.

    Note: The application gateway requires an empty subnet. Create a new one or select an existing empty subnet.

  4. Once you have entered the desired information, select Next: Frontends.

  5. Enter the required information:

    • Frontend IP address type: Select the desired type.

      Note: If you want Nerdio Manager to be accessible from outside your network, select Public. Create a new Public IP or select an existing one. To restrict access to your private VNet, select Private.

    • Public IP address: For public address types, from the drop-down list, select the public IP address.

  6. Once you have entered the desired information, select Next: Backends.

  7. Create the backend pool with your Nerdio Manager app service as the target.

  8. Select Add and then select Next: Configuration.

  9. Select Add a Routing Rule.

  10. Create two listeners: one for HTTP and one for HTTPS.

  11. For the HTTP settings, select your backend pool as the target.

  12. Set the Override with new host name to Yes, and override with the domain you chose earlier.

  13. Set Create custom probes to No and then select Add.

    Note: You must add another routing rule for HTTPS. For the HTTPS route, you need to supply the certificate that the gateway uses for HTTPS connections. The CN of this certificate should match the URL you are going to use to access Nerdio Manager.

  14. Add another HTTP setting for HTTPS.

    Note: If the SSL certificate installed on the app service was issued by a well-known Certificate Authority, select Yes for Use well known CA certificate. Otherwise, supply a CER file for the app service's public certificate.

  15. Set the Override with new host name to Yes, and override with the domain you chose earlier.

  16. Set Create custom probes to No.

  17. Select Add.

  18. Select Next: Tags.

  19. Apply any tags you wish to associate with the gateway.

  20. Select Next: Review and Create.

  21. Review the information and select Create.

CNAME Record

As part of configuring your app service to work with the new domain and SSL, you created a CNAME record pointing to the app service's DNS name. Change that record to point to the Application Gateway's DNS name. If you have not done so yet, you can create the gateway's DNS name by selecting the Public IP and editing the DNS name.

Test the Configuration

Test the configuration by opening your URL in a browser. You should be asked to authenticate and then taken to the Nerdio Manager site.

Restrict Network Access

By default, your app service remains available at its URL. Accessing it this way bypasses the Application Gateway. You may wish to restrict access to the gateway's IP address. See this Microsoft document for details.
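The following added example (not part of the original article and not Nerdio or Microsoft code) models how an IP allow list of this kind is evaluated and flags rules that still admit sources other than the gateway. The rule dictionary shape, rule names, and addresses are constructed for illustration; the evaluation order (ascending priority, first match wins, open when no rules exist, deny for unmatched traffic once any rule exists) reflects App Service access restrictions.

```python
import ipaddress

# Constructed sample rule set (documentation-range addresses). The dict shape
# is an assumption for this example, not the Azure API schema.
SAMPLE_RULES = [
    {"name": "allow-appgw", "priority": 100, "action": "Allow", "cidr": "203.0.113.10/32"},
    {"name": "old-office", "priority": 200, "action": "Allow", "cidr": "198.51.100.0/24"},
]


def decide(rules, source_ip):
    """Return (action, rule name) for one source address.

    Rules are checked in ascending priority and the first match wins. With no
    rules the app is open to everyone; once any rule exists, unmatched
    traffic is denied.
    """
    if not rules:
        return "Allow", "(no restrictions configured)"
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if addr in ipaddress.ip_network(rule["cidr"]):
            return rule["action"], rule["name"]
    return "Deny", "(implicit deny)"


def audit(rules, gateway_ip):
    """Return findings describing ways to reach the app without the gateway."""
    gw = ipaddress.ip_address(gateway_ip)
    findings = []
    if not rules:
        findings.append("no rules: the app service accepts traffic from any address")
    elif decide(rules, gateway_ip)[0] != "Allow":
        findings.append("the gateway address is denied: requests through the gateway will fail")
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"])
        # Pick one address in the rule's range that is not the gateway and
        # check whether the rule set as a whole lets it through.
        other = next((a for a in net if a != gw), None)
        if other is not None and decide(rules, str(other)) == ("Allow", rule["name"]):
            findings.append(f"rule '{rule['name']}' admits {net}, not only the gateway")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "203.0.113.10"):
        print("FINDING:", finding)
```

An empty findings list means only the gateway address reaches the app service directly, so all other traffic has to pass through the gateway and its WAF.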

Web Application Firewall (WAF)

By default, the Web Application Firewall is in detection mode, meaning it does not block requests but detects suspicious activity. However, the WAF requires further configuration in order to log or block this activity. See this Microsoft document for details.
