Azure AD Application Proxy is an Azure AD Premium cloud service which allows you to easily publish your on-premises web applications to users who work outside the corporate network. It enables you to publish an external public HTTP/HTTPS URL endpoint in the Azure Cloud, which connects to an internal application server URL in your organization. These on-premises web apps can be integrated with Azure AD to support single sign-on (SSO) across devices, resources, and apps in the cloud and on-premises. Azure AD Application Proxy is simple, secure, and cost-effective.
Get rid of your VPN if possible. It’s a very common way for attackers to get into an organization’s internal environment. The usual argument for keeping a VPN is that internal applications need to be reachable from outside the corporate network.
Rather than using a VPN, it is much better to use a reverse proxy. Within Azure AD you have the option of Azure AD App Proxy, a reverse proxy available at no additional cost to any user with at least an Azure AD Premium P1 license, for any number of applications.
You install a small agent, the Application Proxy Connector, on a server in your local environment. This agent handles the connection between the cloud (the Application Proxy Service) and your on-premises environment. There are no incoming connections to open, no inbound ports, no public IP address: just an outbound HTTPS connection from the connector, over which user requests are proxied and then sent locally from the connector server to the internally hosted applications.
Azure AD App Proxy takes advantage of all the benefits of Azure AD: high availability, global scale, resilience to attacks, and also, for example, Conditional Access policies. Using Conditional Access you can easily control who has access to a given internal application and under what conditions.
Any potential attack is therefore directed not at you and your infrastructure, but at Azure AD; only successfully authenticated users are forwarded to the on-premises application. It is all set up quickly and easily, with single sign-on (SSO) support via Kerberos, password-based, or header-based authentication.
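As an added example (not code from the original post), a small audit for the point above: the guarantee that only authenticated users reach the on-premises application holds only for apps published with Azure AD pre-authentication, not with passthrough. It assumes the `onPremisesPublishing` field names of the Microsoft Graph (beta) application object and runs over constructed sample records rather than a live tenant.

```python
"""Audit Azure AD Application Proxy publications for pre-authentication.

Assumption: records follow the `onPremisesPublishing` shape of the Graph
(beta) application resource; the sample values below are constructed.
"""
from typing import Iterable, List

# Constructed sample: what a query for published applications might return.
SAMPLE_APPS = [
    {
        "displayName": "HR Portal",
        "onPremisesPublishing": {
            "externalUrl": "https://hr-contoso.msappproxy.net/",
            "internalUrl": "http://hrportal.corp.example/",
            "externalAuthenticationType": "aadPreAuthentication",
            "singleSignOnSettings": {"singleSignOnMode": "onPremisesKerberos"},
        },
    },
    {
        "displayName": "Legacy Timesheet",
        "onPremisesPublishing": {
            "externalUrl": "https://timesheet-contoso.msappproxy.net/",
            "internalUrl": "http://timesheet.corp.example/",
            "externalAuthenticationType": "passthru",
            "singleSignOnSettings": {"singleSignOnMode": "none"},
        },
    },
]


def audit_app_proxy(apps: Iterable[dict]) -> List[dict]:
    """One finding per app: is Azure AD pre-authentication gating it, and
    which SSO mode does the connector use towards the internal server."""
    findings = []
    for app in apps:
        pub = app.get("onPremisesPublishing") or {}
        auth = pub.get("externalAuthenticationType", "")
        sso = (pub.get("singleSignOnSettings") or {}).get("singleSignOnMode", "none")
        findings.append({
            "app": app.get("displayName", "<unnamed>"),
            "externalUrl": pub.get("externalUrl"),
            "preauth": auth == "aadPreAuthentication",
            "sso": sso,
        })
    return findings


def passthrough_apps(apps: Iterable[dict]) -> List[str]:
    """Apps reachable from the internet without an Azure AD sign-in first."""
    return [f["app"] for f in audit_app_proxy(apps) if not f["preauth"]]
```

Any app listed by `passthrough_apps` is exposed without the Azure AD sign-in and Conditional Access gate the article relies on.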