DEV Community

Cover image for Protect Your SignalR Service Based Real-time Application with Application Gateway
Yan Jin for Microsoft Azure

Posted on

Protect Your SignalR Service Based Real-time Application with Application Gateway

By using the Azure Private Endpoint for your Azure SignalR, it allows clients on a virtual network (VNet) to securely access data over a Private Link. As next step, let’s learn how to use the Azure Application Gateway for your Azure SignalR to manage the real-time traffic.

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Using the Azure Application Gateway with Azure SignalR Service enables you to:

  • Protect your applications from common web vulnerabilities.
  • Get application-level load-balancing for your scalable and highly available applications.
  • Setup end to end secure.
  • Customize the domain name.

Let’s go through the key steps together and learn how to implement this reference solution:

  1. The Application Gateway helps you protect your applications and setup end to end secure.
  2. The client cannot access the Azure SignalR Service instance through public network, and all the traffic is managed through Application Gateway.
  3. The traffic between App Service and SignalR Service is also protected by Virtual Network. High level digram

Setup the Virtual Network

  1. Create the Virtual Network VN1.
  2. There is a default subnet already created, and add 2 new subnets:

Setup SignalR Service

  1. Create the resource of Azure SignalR Service ASRS1.
  2. Go to the ASRS1 in the portal.
  3. Go to the Private endpoint connections blade, and create a new private endpoint PE1 with the VN1 and its default subnet. Learn more details about use private endpoint for Azure SignalR Service.
    • Resource
    • Resource Type: Microsoft.SignalRService/SignalR
    • Resource: ASRS1 SignalR Service Resource
    • Configuration
    • Integration with private DNS zone: Yes
    • Subnet: default subnet in VN1 SignalR Service Configuration
  4. Go to the network access control blade of ASRS1 and disable the all connections in public network.

Setup the Application Gateway

  1. Create the Application Gateway AG1
  2. In the Basic, use the VN1 and gatewaySN to configure the virtual network. Application Gateway - Basic
  3. In the Frontends, create a new public address. Application Gateway - Frontends
  4. In the Backends, create a new backend pool signalr for the SignalR Service resource. You need to use the host name of the SignalR Service resource as the Target. Application Gateway - Backends
  5. In the Configuration, add a new routing rule signalrrule to route the traffic to SignalR Service. You need to create a new HTTP setting.
    • Listener
    • Protocol: HTTP (We use the HTTP frontend protocol on Application Gateway in this blog to simplify the demo and help you get started easier. But in reality, you may need to enable HTTPs and Customer Domain on it with production scenario.) Application Gateway - Listener
    • Backend targets
    • Target type: Backend pool
    • Add new HTTP setting
      • Backend protocol: HTTPs
      • Use well known CA certificate: Yes
      • Override with new host name: Yes
      • Host name override: Pick host name from backend target. Application Gateway - Backend
  6. Review and create the AG1 Application Gateway - Create

Now, we already setup the Virtual Network, SignalR Service and Application Gateway. Let’s quick test whether the configuration is correct.

  • Go to the network access control blade of ASRS1 and set public network to allow server connection only. Configuration Test
  • Go to AG1, open health probe, change the health probe path to /api/v1/health Configuration Test
  • Go to the Overview blade of AG1, and find out the Frontend public IP address
  • Open http://frontend-public-IP-address, and it should return 403.
  • Open http://frontend-public-IP-address/api/v1/health, and it should return 200.
  • Go back to the network access control blade of ASRS1 and disable the server connection in public network.

Run a Chat Application Locally

Now, the traffic to Azure SignalR is already managed by the Application gateway. The customer could only use the public IP address or custom domain name to access the resource. In this blog, let’s use the chat application as an example, and start from running it locally.

  1. Clone the github repo
  2. Go to the Keys blade of ASRS1 and get the connection string
  3. Go to samples/Chatroom and open the shell
  4. Set the connection string and run the application locally
dotnet restore 
dotnet user-secrets set Azure:SignalR:ConnectionString "<connection-string-of-ASR1>;ClientEndpoint=http://< frontend-public-IP-address-of-AG1>" 
dotnet run 
Enter fullscreen mode Exit fullscreen mode
  1. Open http://localhost:5000 and view network traces via explorer to see WebSocket connection is established through AG1  Run Test

Deploy the Chat Application to Azure

  1. Create a Web App WA1.
    • Publish: Code
    • Runtime stack: .NET Core 3.1
    • Operation System: Windows
  2. Go to Networking blade and configure the VNET integration.
  3. Select VN1 and webapp subnet applicationSN
  4. Publish the Web App with CLI
    • Publishe the application and its dependencies to a folder for deployment
dotnet publish -c Release 
Enter fullscreen mode Exit fullscreen mode
  • Package the bin\Release\netcoreapp3.1\publish folder as
  • Perform deployment using the kudu zip push deployment.
az login  
az account set –subscription <your-subscription-name-used-to-create-WA1> 
az webapp deployment source config-zip -n WA1 -g <resource-group-of-WA1> --src 
Enter fullscreen mode Exit fullscreen mode
  1. Go to the Configuration blade of WA1, and add following application setting to set connection string and enable private DNS zone.
Azure__SignalR__ConnectionString=<connection-string-of-ASR1>;ClientEndpoint=http://< frontend-public-IP-address-of-AG1> 
Enter fullscreen mode Exit fullscreen mode
  1. Go to the TLS/SSL settings blade of WA1, and turn off the HTTPS Only. To Simplify the demo, we used the HTTP frontend protocol on Application Gateway. Therefore, we need to turn off this option to avoid changing the HTTP URL to HTTPs automatically.
  2. Go to the Overview blade and get the URL of WA1.
  3. Open the URL by replacing the https with http, and open network traces to see WebSocket connection is established through AG1.

Next Steps

Now, you are successful to build a real-time chatroom application with Azure SignalR Service and use Application Gateway to protect your applications and setup end to end secure.

If you are trying to build your own application with Azure SignalR and Application Gateway, you could also get more helpful resources from the Azure SignalR Service and Azure Application Gateway. We are looking forward your feedback and ideas to help us become better via Azure Feedback Forum! You could also go to Tech Community to learn more blogs about Azure SignalR Service.

Top comments (10)

jayendran profile image
Jayendran Arumugam • Edited

Now this completed the final missing part of azure signalr security :) Nice article @yjin81

This article will also be a great supplement to my recent series

Question: How to enforce the signalr to allow traffic only from app gateway ? in other words If some one directly tried to connect like how can we restrict that ?

yjin81 profile image
Yan Jin

If you already use the private endpoint, you could control the network access easily with the "Network access control" blade in portal. Here are some useful reference docs:


jayendran profile image
Jayendran Arumugam • Edited

thanks will look into that , While I following this article during the configuration of app gateway, on setting up the probe i got the issue like below

Unhealthy logs

Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to the server. Check if application is running on correct port. To learn more visit -

Any idea how to fix it ? Without fixing this i cannot move forward

P.S All the other configuration in app gateway i can able to complete as per the blog.

Thread Thread
yjin81 profile image
Yan Jin

It seems that this SignalR instance is not accessible in your scenario. Would you please try these potential actions to narrow down this issue?

  1. Which region are you using right now? Would you please share the resource ID of the SignalR instance with me for further investigation?
  2. Would you please grant the public permission of this SignalR instance and test whether it is in good shape?
  3. Could you please enable the diagnostic logs to learn what happens with the health probe?
Thread Thread
jayendran profile image
Jayendran Arumugam

Is there a way can i share my resource to your privately ? like email /chat ?

Thread Thread
yjin81 profile image
Yan Jin

You could send email to me with

Thread Thread
missympt profile image

Was the cause for this issue ever found? Same happening with me.
Thank you

Thread Thread
jayendran profile image
Jayendran Arumugam

@missympt I just deleted my private end point and re-created that which solved my issue.

bluechiperic profile image
Eric Grover

Trying to figure out what benefit this provides. None of the WAF rules will be applied to your WebSocket connection (they are all for HTTP traffic). What benefit is the App Gateway actually providing for your SignalR connections?

bluechiperic profile image
Eric Grover

You could use the private link to secure the connectivity between your web app and the SRS, but what actual value is the App Gateway providing your websocket traffic?