Azure VMware Solution (AVS) is a VMware validated private cloud solution managed and maintained by Azure. It runs on dedicated bare-metal Azure infrastructure. AVS allows customers to manage and secure applications across VMware environments and Microsoft Azure with a consistent operating framework. It supports workload migration, VM deployment, and Azure service consumption 

As AVS private cloud runs on an isolated Azure environment, it is not accessible from Azure or the Internet by default. Users can use either ExpressRoute Global Reach (i.e., from on-prem) or a jump box (i.e., on an Azure VNet) to access AVS private cloud. This means AVS workload VMs are confined within AVS private cloud and not accessible from the Internet 

But what if customers want to make AVS Private Cloud resources, such as web servers, accessible from the Internet? In that case, Public IP needs to be deployed. There are couple of ways to do this: (1) Azure Application Gateway, and (2) Destination NAT or DNAT using Azure WAN Hub and Firewall. Azure Application Gateway is the recommended way to publish AVS private cloud resources (e.g., web servers). This article outlines how to publish AVS private cloud resources on the Internet via Azure Application Getaway. 

Azure Application Gateway is a Layer 7 load balancer which enables traffic management for web applications. Application Gateway offers advanced capabilities such as cookie-based session affinity, URL-based routing, and Web Application Firewall (WAF). To learn more about Application Gateway features and capabilitiescheck this link.  

What are some of the benefits of Application Gateway for AVS Private Cloud? Application Gateway: 

  • is a managed service with built in scale and redundancy. 
  • offers an on-demand/pay-as-you-go consumption model. 
  • ensures maximum throughput and minimum response time, and can cope with sudden traffic bursts. 
  • offers numerous advanced features, such as Web Application Firewall (WAF) with DDOS protection, autoscaling, zone redundancy, multi-site hosting support, URLbased routing, session affinity, and connection draining, SSL/TLS termination for AVS Private Cloud.

The following diagram demonstrates how Azure Application Gateway is used to protect and publish AVS private cloud resources as well as Azure VM scale sets and on-premises servers. 

The following architecture diagram illustrates an Application Gateway deployed on a secure Azure Virtual WAN hub and a web server farm hosted in the Azure VMware Solution environment and configured with a RFC1918 private IP address. The web servers are accessible from the Internet via Azure Application Gateway, configured with a public IP as frontend. Web servers running on the AVS private cloud are configured as backend pool.

When a user from the Internet tries to access the public IP of the Application Gateway on port 443, the application gateway sends this request to one of the web servers. The webserver processes the request and replies to the Application Gateway. Finally, the Application Gateway responds back to the user. As a result, webservers running on the AVS private cloud are now accessible from the Internet. Additionally, customers can enable Azure DDoS Protection Standard for added security.

Note: Typically, multiple backend pools are configured with multiple web servers in a single pool.

 The following sections provide details on deploying and configuring the Azure Application Gateway to make AVS private cloud resources accessible from the Internet.

Application Gateway is deployed on an Azure Virtual Network (VNet). VNet can be directly connected to AVS private cloud via ExpressRoute. VNet can also be connected to the Azure Virtual WAN Hub. A secure Virtual WAN Hub is deployed automatically once Public IP is enabled on the Azure VMware Private Cloud. Connectivity between AVS private cloud and Secure WAN Hub is enabled as well by ExpressRoute. This document uses Secure Virtual WAN Hub.


  • An Azure account with an active subscription
  • An Azure VMware Private Cloud deployed and running
  • Public IP enabled on the Azure VMware Private Cloud
  • An Azure VNet deployed and peered with Azure VMware Private Cloud Secure WAN Hub

Deployment and Configuration of Azure Application Gateway

Sign into the Azure portal and search for “Application gateway” to bring up the Application gateways menu. Then, click Add.

Add Application Gateway
  1. Provide basic details as shown below and then select Next: Frontends>.
    Create and Configure Application Gateway
  2. Choose Public as the frontend IP address type. Select an existing public IP or create a new one and then select Next: Backends>.
    Select an existing public IP or create a new one
  3. Click Add a backend pool to bring up the Add a backend pool menu.
    Add a backend pool
  4. Type backend pool name and Azure VMware Solution Private Cloud VM (i.e., Web Server) as backend target and click Add.
    Add Azure VMware Solution Private Cloud VM (i.e., Web Server) as backend target
  5. Click Next: Configuration and then select Add a routing rule.
    Add a routing rule
  6. Provide Rule name and listener name, Frontend IP, Protocol and Port. Then select Backend targets.
    Provide Rule name and listener name, Frontend IP, Protocol and Port
  7. Select an existing Backend Pool or create a new one. To add a new HTTP setting, select Add new
    Add a new HTTP setting
  8. Provide a name for the HTTP settings and then click Add.
    Name New HTTP Setting
  9. Click Add on the “Add a routing rule” window.
    Add a routing rule
  10. Click Next: Tags> and then Next: Review + create> to see if Validation passed. Click Create to deploy Application Gateway.
    Check if Validation Passed
  11. Click Next: Review + create>.
    Review and Create Application Gateway
  12. Click Create after validation is complete.
    Validation is Complete
  13. It takes some time to deploy Application Gateway. “Your deployment is complete” appears on the screen after successful completion of the Application Gateway.
    Your deployment is complete
  14. The final step is to test and verify by location the Frontend public IP address of the Application Gateway and test it from the browser
    Test and verify by location the Frontend public IP address of the Application Gateway

AVS Private cloud resource (i.e., webserver with an IP address of is now accessible from the Internet via public IP (i.e.,, which is the frontend IP address of the Application Gateway as demonstrated in the following diagram.

VS Private cloud resource is now accessible from the Internet via public IP


Azure Application Gateway is a highly-scalable Layer 7 load balancer that offers advanced capabilities — for example, cookie-based session affinity, URL-based routing, and Web Application Firewall (WAF). Azure Application Gateway is the recommended way to publish and protect AVS private cloud resources on the Internet. This article demonstrates how AVS private cloud resources can be accessible from the Internet by using Azure Application Gateway.