Cloud Builder and private Application Gateway
When you use ArcGIS Enterprise Cloud Builder for Microsoft Azure and a private IP for the Microsoft Application Gateway, Cloud Builder modifies the Application Gateway to use an internal-only entry point. This restricts access to internal networks and requires specific routing and certificate configurations.
Read the Microsoft Azure documentation for information about private Application Gateways.
Application Gateway Network Isolation
The deployment behavior of the Application Gateway depends on the status of the EnableApplicationGatewayNetworkIsolation preview feature.
When the EnableApplicationGatewayNetworkIsolation feature is enabled, the Application Gateway does not deploy a public IP. Additionally, the Application Gateway subnet must be delegated to Microsoft.Network/applicationGateways.
When the EnableApplicationGatewayNetworkIsolation feature is disabled, the deployment uses a public IP for the Application Gateway, but it remains unused due to the internal-only routing configuration.
Configuration requirements
To deploy using a private IP, you must meet the following infrastructure and security requirements:
The IP address that you specify must be a static private IP located in the designated Application Gateway subnet.
You must provide a TLS (SSL) certificate issued by a certificate authority (CA).
You must supply the DNS name that the CA-issued certificate covers (its CN or a SAN entry).
Important:
The ArcGIS Enterprise deployment will use the provided DNS name as the primary deployment endpoint rather than the raw IP address.
Client access and DNS resolution
Clients must access the ArcGIS Enterprise portal using the designated hostname (for example, portal.example.internal or gis.example.com).
To ensure connectivity, this hostname must resolve internally to the Application Gateway's private IP address. This resolution must be valid across all connected internal network resources, including the following:
The primary Virtual Network (VNet)
Peered VNets
On-premises corporate networks
VPN or ExpressRoute connections
Example architecture pattern
The following is an example of a standard internal routing configuration:
Application Gateway frontend: configured with a static private IP address such as 10.0.2.10
Certificate (CN/SAN): bound to the hostname, such as portal.example.internal
Internal DNS: an A record that resolves portal.example.internal to 10.0.2.10