Merge pull request #228646 from jaesoni/same-port-preview

BCS2022 · web-flow · commit a6793bf80197 · 2023-02-27T08:15:18.000-08:00
Same port feature - preview release
diff --git a/articles/application-gateway/application-gateway-faq.yml b/articles/application-gateway/application-gateway-faq.yml
@@ -259,7 +259,8 @@ sections:
           Yes. See [restrict access to specific source IPs](./configuration-infrastructure.md#allow-access-to-a-few-source-ips).
           
       - question: Can I use the same port for both public-facing and private-facing listeners?
-        answer: No.
+        answer: |
+          Yes, you can use public-facing and private-facing listeners with the same port number to simultaneously support both public and private clients (feature in Preview). Note that if a Network Security Group (NSG) is associated with your application gateway's subnet, a specific Inbound rule may be needed depending on its configuration. [Know more](./configuration-listeners.md#frontend-port).
 
       - question: Does Application Gateway support IPv6?
         answer: Application Gateway v2 doesn't currently support IPv6. It can operate in a dual stack VNet using only IPv4, but the gateway subnet must be IPv4-only. Application Gateway v1 doesn't support dual stack VNets. 
diff --git a/articles/application-gateway/configuration-frontend-ip.md b/articles/application-gateway/configuration-frontend-ip.md
@@ -5,7 +5,7 @@ services: application-gateway
 author: greg-lindsay
 ms.service: application-gateway
 ms.topic: conceptual
-ms.date: 09/09/2020
+ms.date: 02/26/2023
 ms.author: greglin
 ---
 
@@ -33,6 +33,17 @@ Only one public IP address and one private IP address is supported. You choose t
 
 A frontend IP address is associated to a *listener*, which checks for incoming requests on the frontend IP.
 
+>[!NOTE] 
+> You can create private and public listeners with the same port number (Preview feature). However, be aware of any Network Security Group (NSG) associated with the application gateway subnet. Depending on your NSG's configuration, you may need an inbound rule with **Destination IP addresses** as your application gateway's public and private frontend IPs.
+> 
+> **Inbound Rule**:
+> - Source: (as per your requirement)
+> - Destination IP addresses: Public and Private frontend IPs of your application gateway.
+> - Destination Port: (as per listener configuration)
+> - Protocol: TCP
+> 
+> **Outbound Rule**: (no specific requirement)
+
 ## Next steps
 
 - [Learn about listener configuration](configuration-listeners.md)
diff --git a/articles/application-gateway/configuration-infrastructure.md b/articles/application-gateway/configuration-infrastructure.md
@@ -91,6 +91,8 @@ Network security groups (NSGs) are supported on Application Gateway. But there a
 
 - Traffic from the **AzureLoadBalancer** tag with the destination subnet as **Any** must be allowed.
 
+- To use public and private listeners with a common port number (Preview feature), you must have an inbound rule with the **destination IP address** as your gateway's **frontend IPs (public and private)**. When using this feature, your application gateway changes the "Destination" of the inbound flow to the frontend IPs of your gateway. [Learn more](./configuration-listeners.md#frontend-port).
+
 ### Allow access to a few source IPs
 
 For this scenario, use NSGs on the Application Gateway subnet. Put the following restrictions on the subnet in this order of priority:
diff --git a/articles/application-gateway/configuration-listeners.md b/articles/application-gateway/configuration-listeners.md
@@ -5,7 +5,7 @@ services: application-gateway
 author: greg-lindsay
 ms.service: application-gateway
 ms.topic: conceptual
-ms.date: 11/23/2022
+ms.date: 02/27/2023
 ms.author: greglin 
 ms.custom: devx-track-azurepowershell
 ---
@@ -38,7 +38,20 @@ Choose the frontend IP address that you plan to associate with this listener. Th
 
 ## Frontend port
 
-Choose the frontend port. Select an existing port or create a new one. Choose any value from the [allowed range of ports](./application-gateway-components.md#ports). You can use not only well-known ports, such as 80 and 443, but any allowed custom port that's suitable. A port can be used for public-facing listeners or private-facing listeners, however the same port cannot be used for both at the same time.
+Associate a frontend port. You can select an existing port or create a new one. Choose any value from the [allowed range of ports](./application-gateway-components.md#ports). You can use not only well-known ports, such as 80 and 443, but any allowed custom port that's suitable. The same port can be used for public and private listeners (Preview feature). 
+
+>[!NOTE] 
+> When using private and public listeners with the same port number, your application gateway changes the "destination" of the inbound flow to the frontend IPs of your gateway. Hence, depending on your Network Security Group's configuration, you may need an inbound rule with **Destination IP addresses** as your application gateway's public and private frontend IPs.
+> 
+> **Inbound Rule**:
+> - Source: (as per your requirement)
+> - Destination IP addresses: Public and Private frontend IPs of your application gateway.
+> - Destination Port: (as per listener configuration)
+> - Protocol: TCP
+> 
+> **Outbound Rule**: (no specific requirement)
+
+**Limitation**: The portal currently supports private and public listeners creation only for the Public clouds.
 
 ## Protocol
 
