A couple of months ago, amidst a customer case, I found myself deep-diving into the Microsoft Private Application Gateway V2. As a software architect, every day presents a blend of strategy, design, and a relentless quest for technologies that have the potential to redefine our projects.
For that specific customer case, I found myself at a significant decision-making juncture. The primary task was to manage our connections both securely and efficiently. Anyone familiar with the intricacies of SSL setup will empathize with the challenges I encountered. It was like piecing together a jigsaw puzzle, where the importance of each piece cannot be overstated. The conventional methods seemed almost outdated in their approach. It was then that I discovered the Private Application Gateway V2. Its ability to pull SSL certificates directly from Key Vault turned tasks that previously took hours into ones that could be accomplished in mere minutes. This efficiency allowed me to redirect my focus to broader architectural strategies.
Another notable attribute of the V2 was its inbuilt Managed Identity platform. During interactions with fellow software engineers, I often came across narratives about the convolutions of identity management in large-scale applications. With the Managed Identity platform, the once-tedious journey through this domain now had direction.
However, I believe the essence of an application isn’t just in its functionality, but also in how well it communicates. This is where networking comes into play. The enhanced capabilities of the V2 gateway, from the setup of private listeners to the configuration of backend pools, were a manifestation of meticulous engineering. This provided the leverage to fine-tune every data exchange, ensuring fluidity and security.
Transitioning to V2 did come with its challenges. The plethora of new features, even for someone with my extensive background, initially seemed like a steep learning curve. But isn’t overcoming such challenges the essence of growth? Delving into the unfamiliar, adapting, and emerging with newfound knowledge is a journey in itself.
Now, addressing the burning question: Why the inclination towards a private version of the application gateway? Our reasoning was rooted in the architectural principle of ‘assume breach’. In today’s unpredictable digital environment, an exit strategy is crucial, whether it’s due to inaccessible on-premises services or a shifting ExpressRoute. The Private Application Gateway shines in this scenario, providing a single point for both ingress and egress traffic. This only scratches the surface. It’s a gateway, quite literally, to advanced network strategies, some of which I’ll discuss in upcoming blog posts.
Furthermore, it’s not just about network segmentation and zone transitions. The alignment with the OWASP 3.2 rule set on a Web Application Firewall (WAF) version 2 plays a central role. It acts as a robust gatekeeper, ensuring all inbound traffic adheres to the gold standard for API traffic. By operating in prevention mode, it not only fortifies our defenses but also provides meticulous logs of any deviations.
Security-wise, the Application Gateway offers mutual TLS authentication (mTLS), ensuring a two-way authentication process and adding another layer to our defenses. Its zone redundancy capability ensures operational continuity, even in the face of isolated failures. Furthermore, its ability to reach our Azure services over Private Link proves indispensable, especially for services that lack virtual network integration but must communicate with the on-premises environment.
As of the 6th of April 2023, the veil over the Application Gateway V2¹ has been lifted, making it accessible to a broader audience. This shift is not just an announcement of its availability, but a testament to its robustness and the pivotal role it’s poised to play in the tech arena².
- ¹ The Private Application Gateway is currently in public preview. To use this feature, one needs to register the preview feature “EnableApplicationGatewayNetworkIsolation” within the Azure Portal.
- ² For those interested in deploying a private application gateway version, I’ve shared the source code in both Bicep and ARM module formats on my GitHub repository. Do check it out for a deeper dive into the implementation.
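The preview registration from the first footnote, scripted so it waits for propagation instead of assuming the flag is live straight away. This is an added example, not code from the post or its GitHub repository; it assumes a logged-in Azure CLI and that the feature belongs to the Microsoft.Network provider namespace (the post only names the feature and the portal route).

```shell
#!/usr/bin/env sh
# Added example: register the EnableApplicationGatewayNetworkIsolation preview
# feature with the Azure CLI and wait until the subscription reports it as
# Registered. Assumptions: 'az' is installed and logged in, and the feature
# lives under the Microsoft.Network provider namespace (not stated in the post).
FEATURE_NAMESPACE="Microsoft.Network"
FEATURE_NAME="EnableApplicationGatewayNetworkIsolation"

# Only the state "Registered" means the feature is usable; "Registering",
# "Pending" and "NotRegistered" all mean "not yet". Returns 0 when usable.
is_registered() {
  [ "$1" = "Registered" ]
}

# Current registration state of the feature, as a bare string.
feature_state() {
  az feature show --namespace "$FEATURE_NAMESPACE" --name "$FEATURE_NAME" \
    --query properties.state -o tsv
}

# Register, then poll (up to ~10 minutes) until the state flips to Registered.
# Preview features propagate asynchronously, so a single 'register' call is
# not enough before deploying a template that relies on the flag.
register_feature() {
  az feature register --namespace "$FEATURE_NAMESPACE" --name "$FEATURE_NAME" >/dev/null
  attempts=0
  while ! is_registered "$(feature_state)"; do
    attempts=$((attempts + 1))
    if [ "$attempts" -ge 40 ]; then
      echo "timed out waiting for $FEATURE_NAME to register" >&2
      return 1
    fi
    sleep 15
  done
  # The provider must be re-registered for the newly enabled feature to apply.
  az provider register --namespace "$FEATURE_NAMESPACE" >/dev/null
  echo "$FEATURE_NAME is registered; provider $FEATURE_NAMESPACE re-registered"
}

# Run only when invoked with the argument "run", so the functions can be
# sourced or tested without touching a subscription.
if [ "${1:-}" = "run" ]; then
  register_feature
fi
```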