Recommended Architecture for App Gateway (WAF) + Azure Firewall

Question

  • Hi 

    I would like to know if anyone has successfully deployed Azure WAF (App GW) + Azure Firewall for handling network traffic in a hub-spoke model. Here is the network traffic flow requirement:

    1. Web traffic (HTTP/HTTPS): <user> -- <internet> -- <app gw> -- <azure firewall> -- <backend in a peer VNet>

    2. Non-web traffic (SSH, RDP): <user> -- <internet> -- <azure firewall> -- <backend in a peer VNet>

    Any information would be useful.

    Thank you

    Friday, March 15, 2019 2:27 AM

Answers

  • Hi, 

    For the first scenario, you cannot add an NVA to the backend pool of Application Gateway. You will be adding the web server, and you need to apply a UDR on the gateway subnet to force the traffic to the NVA.

    Note: This will work for the V1 SKU and doesn't work with the V2 SKU, as adding a UDR to the gateway subnet is not allowed.

    For the second scenario, Application Gateway is out of the picture, and your clients will be directly accessing the Azure Firewall IP; it will forward the packet to the destination based on the DNAT rules you configured in Azure Firewall.

    Let me know if you have any further questions. 

    Regards, 

    Msrini

    Friday, March 15, 2019 4:49 AM
    Moderator
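The two pieces of this answer as Azure CLI commands, added here as an illustration and not code from the thread or from Microsoft. It assumes an App GW V1 SKU (the only case the answer says accepts a UDR on the gateway subnet), and every resource name and address is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Microsoft: builds the two pieces the
# answer describes for an App GW V1 gateway subnet (a UDR forcing spoke-bound traffic to
# Azure Firewall) and for admin access (a DNAT rule on the firewall). All names and
# addresses are constructed placeholders. DRY_RUN=1 (default) only prints the az commands.
set -euo pipefail

RG="rg-hub"                     # placeholder resource group
HUB_VNET="vnet-hub"             # hub VNet holding App GW and Azure Firewall
APPGW_SUBNET="snet-appgw"       # App GW subnet (V1 SKU: UDR allowed, per the answer)
FW_PRIVATE_IP="10.0.1.4"        # Azure Firewall private IP in AzureFirewallSubnet
FW_PUBLIC_IP="203.0.113.10"     # Azure Firewall public IP (documentation range)
SPOKE_PREFIX="10.1.0.0/16"      # peered spoke VNet holding the backends
BACKEND_VM="10.1.2.10"          # RDP/SSH target in the spoke
ADMIN_SOURCE="198.51.100.0/24"  # known admin range for DNAT; avoid '*' as source

az_cmd() {  # print the command in dry-run mode, execute it otherwise
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Scenario 1: App GW -> Azure Firewall -> spoke backend. Only the spoke prefix is sent
# to the firewall; the backend subnet needs a matching route (App GW subnet prefix ->
# firewall) so replies take the same path, which is left out here.
create_appgw_udr() {
  az_cmd network route-table create -g "$RG" -n rt-appgw
  az_cmd network route-table route create -g "$RG" --route-table-name rt-appgw \
    -n to-spoke-via-fw --address-prefix "$SPOKE_PREFIX" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  az_cmd network vnet subnet update -g "$RG" --vnet-name "$HUB_VNET" \
    -n "$APPGW_SUBNET" --route-table rt-appgw
}

# Scenario 2: Internet -> firewall public IP -> DNAT to the backend (needs the
# azure-firewall CLI extension). One rule per port: 3389 for RDP, 22 for SSH.
create_dnat_rule() {
  local port="$1"
  az_cmd network firewall nat-rule create -g "$RG" -f fw-hub \
    --collection-name dnat-admin --priority 100 --action Dnat \
    -n "dnat-${port}" --protocols TCP --source-addresses "$ADMIN_SOURCE" \
    --destination-addresses "$FW_PUBLIC_IP" --destination-ports "$port" \
    --translated-address "$BACKEND_VM" --translated-port "$port"
}

create_appgw_udr
create_dnat_rule 3389
create_dnat_rule 22
```

Run with `DRY_RUN=0` against a real subscription after replacing the placeholders; the dry run lets you review the exact routes and DNAT scope before anything is changed.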

All replies

  • Thank you, Msrini! I appreciate your response; I will give this a try.

    Do you see any drawbacks/limitations to using V1 vs V2?

    In your approach, would you recommend actually forwarding web traffic through NVA/firewall after app-gw? or is app-gw enough?

    21 hours 40 minutes ago
  • Hi, 

    V2 is the latest version where you can leverage features like auto scaling, static IPs and so on. 

    If you have AppGW with the WAF feature, you can skip NVAs. But it's up to the customers, as they might use NVAs for compliance purposes.

    Please 'Mark as answer' if any of the replies helped, so that others in the community who are looking for similar questions can benefit from it.

    Regards, 

    Msrini

    20 hours 36 minutes ago
    Moderator