I couldn't find an article on how to do this easily, so this is more for self-reference.
I also don't like screenshots with arrows all over them, so this will use the
azure-cli commands for macOS/Linux. It should be easy enough to figure out how to translate them to Powershell commands or Azure Portal clicks.
It turns out that applying an IP whitelist to Application Gateway isn't actually done on the gateway.
These instructions assume that you already have an Application Gateway configured.
Start by creating a Network Security Group
1az network nsg create \ 2 --name example-nsg \ 3 --resource-group example-rg
Add a rule to the group allowing access from the Application Gateway, you won't be able to assign this to the subnet of the gateway if you don't have this rule.
1az network nsg rule create \ 2 --resource-group example-rg \ 3 --nsg-name example-nsg \ 4 --name example-nsg-allow-ag-nsgsr \ 5 --priority 100 \ 6 --access Allow \ 7 --destination-port-ranges 65200-65535
Now define the rules to deny access for HTTP/HTTPS.
1az network nsg rule create \ 2 --resource-group example-rg \ 3 --nsg-name example-nsg \ 4 --name example-nsg-deny-web-nsgsr \ 5 --priority 500 \ 6 --access Deny \ 7 --destination-port-ranges 80 443
Finally, create the rules to allow access from your whitelisted IP ranges.
1az network nsg rule create \ 2 --resource-group example-rg \ 3 --nsg-name example-nsg \ 4 --name example-nsg-allow-whitelist-web-nsgsr \ 5 --priority 200 \ 6 --access Allow \ 7 --source-address-prefixes 208.130.28/24 \ 8 --destination-port-ranges 80 443
n.b. The priority of the Allow rule must be lower than the Deny rule.
Now you can associate the Network Security Group with the Virtual Network's subnet.
1az network vnet subnet update \ 2 --resource-group example-rg \ 3 --name example-snet \ 4 --vnet-name example-vnet \ 5 --network-security-group example-nsg
Once that propagates all traffic directed to your subnet will be subject to the rules you have defined.
This example blocks all traffic on ports 80 and 443 for that subnet, if you have other web services in the subnet that you don't want to be subjected to the whitelisting you can specify the destinations for the rules.