Azure Firewall applies source NAT to inbound traffic, so every source IP your web server sees in its access log is the private IP of Azure Firewall. So you can find the original source IP address in the Azure Firewall diagnostic log. The log entries for DNAT are in AzureFirewallNetworkRule.
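The correlation the answer above describes, as an added example that is not part of the original answer: the backend's access log only ever shows the firewall's private (SNAT) IP, so the real client has to be recovered from the AzureFirewallNetworkRule DNAT records. The firewall records and access-log lines below are constructed sample data, the IP addresses are placeholders, and the `was DNAT'ed to` wording of `msg_s` is an assumption about the legacy AzureDiagnostics message format that you should verify against your own workspace (resource-specific log tables already split these values into columns, in which case only the time-window logic applies).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of legacy (AzureDiagnostics) Azure Firewall records.
# ASSUMPTION: the "was DNAT'ed to" phrasing of msg_s; check it against real data.
FIREWALL_RECORDS = [
    {"TimeGenerated": "2024-05-01T10:00:01Z", "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 203.0.113.7:51234 to 20.0.0.10:443 was DNAT'ed to 10.0.1.4:443. Action: Allow."},
    {"TimeGenerated": "2024-05-01T10:00:02Z", "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 10.0.2.5:44000 to 10.0.1.4:22. Action: Deny."},
    {"TimeGenerated": "2024-05-01T10:05:30Z", "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 198.51.100.9:40001 to 20.0.0.10:443 was DNAT'ed to 10.0.1.4:443. Action: Allow."},
]

# Constructed "combined" access-log lines from the backend web server.
# The client field is always 10.0.0.4, the firewall's private IP, exactly as the answer describes.
ACCESS_LOG = [
    '10.0.0.4 - - [01/May/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.0.4 - - [01/May/2024:10:05:31 +0000] "POST /api/upload HTTP/1.1" 413 0',
    '10.0.0.4 - - [01/May/2024:10:20:00 +0000] "GET /health HTTP/1.1" 200 2',
]

DNAT_RE = re.compile(
    r"(?P<proto>\w+) request from (?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"to (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"was DNAT'ed to (?P<xlat_ip>[\d.]+):(?P<xlat_port>\d+)"
)
ACCESS_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_dnat_records(records):
    """Keep only DNAT events: (timestamp, original src ip, src port, translated ip, translated port)."""
    events = []
    for rec in records:
        if rec["Category"] != "AzureFirewallNetworkRule":
            continue
        m = DNAT_RE.search(rec["msg_s"])
        if not m:
            continue  # an ordinary network-rule hit, not a DNAT event
        ts = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src_ip"], int(m["src_port"]), m["xlat_ip"], int(m["xlat_port"])))
    return events


def resolve_client_ips(access_line, dnat_events, backend_ip, backend_port, window_seconds=5):
    """Candidate Internet source IPs for one backend access-log line.

    Correlation is by translated destination and a time window only: the DNAT record
    does not carry the SNAT source port the backend saw, so several clients hitting the
    backend in the same window yield several candidates rather than one definite answer.
    """
    m = ACCESS_RE.match(access_line)
    if not m:
        raise ValueError("unrecognised access log line: %r" % access_line)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    window = timedelta(seconds=window_seconds)
    return sorted({src for (fw_ts, src, _sport, xip, xport) in dnat_events
                   if xip == backend_ip and xport == backend_port and abs(fw_ts - ts) <= window})


def correlate(access_log=ACCESS_LOG, records=FIREWALL_RECORDS, backend_ip="10.0.1.4", backend_port=443):
    """Pair each access-log request with the client IPs the firewall DNAT log attributes to it."""
    events = parse_dnat_records(records)
    return [(ACCESS_RE.match(line)["req"], resolve_client_ips(line, events, backend_ip, backend_port))
            for line in access_log]


if __name__ == "__main__":
    for request, clients in correlate():
        print(request, "<-", clients or "no DNAT event in window")
```

An empty candidate list (the `/health` line above) is worth keeping visible rather than dropping: it usually means the request came from inside the VNet or from a health probe and never traversed the DNAT rule, which is itself useful during an investigation.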
If you want to direct outbound traffic through the firewall, then this traffic will use the outbound IP of the firewall; there is no way to avoid this. Actually, your understanding is correct: the IDPS feature on Azure Firewall cannot inspect inbound TLS traffic. To leverage full IDPS rule coverage for inbound HTTPS traffic, you would indeed need to front Azure Firewall with Azure Application Gateway WAF. Actually, you can consider this a best practice for security design, since in the real world this task is mostly assigned to WAF devices, because for inbound traffic you need to provide a service. And our purpose is to protect our firewall from a DDoS-like attack, since the main purpose of the firewall is to control internal traffic.
https://learn.microsoft.com/en-us/azure/firewall/premium-features
It protects internal servers or applications hosted in Azure from malicious requests that arrive from the Internet or an external network, and Application Gateway provides end-to-end encryption.
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview