How would TLS inspection work with WAF enabled App Gateway and Azure Firewall?

Rakesh Singh 250 Reputation points
2024-09-18T23:33:09.83+00:00

Hi,

I have been struggling with this for a while now. Our design has a WAF-enabled App Gateway for incoming HTTP/HTTPS traffic from the internet and then has Azure Firewall behind it. I have a couple of queries for which I need assistance:

1: Does WAF have a TLS inspection feature (the same way Azure Firewall does)? If yes, in that case does it make sense to enable TLS inspection in Azure Firewall as well as in WAF?
2: Azure Firewall generates a new certificate for the website that is being accessed by the client and presents that certificate to the client. How would WAF and Azure Firewall work together in this if they both have TLS inspection enabled?

Please assist and share if there is an article that explains how this setup can be done and how it would work.


Accepted answer
    Ganesh Patapati 1,275 Reputation points Microsoft Vendor
    2024-09-25T18:31:53.2566667+00:00

    Hi Rakesh Singh,

    Good day!

    Welcome to the Q&A Platform for Microsoft! We appreciate you posing your query here.

    • Azure Web Application Firewall (WAF) on the Application Gateway does not perform TLS inspection.

    The following use cases are supported with Azure Firewall:

    • Outbound TLS Inspection

    To protect against malicious traffic that is sent from an internal client hosted in Azure to the Internet.

    • East-West TLS Inspection (includes traffic that goes from/to an on-premises network)

    To protect your Azure workloads from potential malicious traffic sent from within Azure.

    The following use case is supported by Azure Web Application Firewall on Azure Application Gateway:

    • Inbound TLS Inspection

    To protect internal servers or applications hosted in Azure from malicious requests that arrive from the Internet or an external network. Application Gateway provides end-to-end encryption.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/premium-features#tls-inspection

    Azure Firewall with TLS inspection is shown in the diagram below:

    [Diagram: transport-layer-security-inspection]

    NOTE: TLS 1.0 and 1.1 are being deprecated and won't be supported. TLS 1.0 and 1.1 versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable, and while they still currently work to allow backwards compatibility, they aren't recommended. Migrate to TLS 1.2 as soon as possible.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/premium-features#tls-inspection


    Application Gateway before Firewall: please refer to the document below:

    Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

    • With Azure Firewall Premium, this design can support end-to-end scenarios, where the Azure Firewall applies TLS inspection to perform IDPS on the encrypted traffic between the Application Gateway and the web backend.

    Please review the provided documentation to better understand how the complete setup works and let us know if it works or not.


    If you feel that your queries have been resolved, please accept the answer by clicking "Upvote" and "Accept Answer" on the post.

    We are pleased to help you.

    I look forward to your response and appreciate your time on this.

    Regards,

    Ganesh


0 additional answers
