When to use Azure WAF or Azure Firewall ?

Question

Hi Folks,

Can anyone here please share some thoughts and comments of when to use Azure WAF or Azure Firewall?
I have already existing Azure ExpressRoute so my Azure VMs can ping my OnPremise servers, and vice versa.

My purpose here is to be able to securely publish Azure Web Application & API that is accessing the database on my OnPremise SQL server.

Thanks in advance.

Answer 1

@EnterpriseArchitect , The Web Application Firewall (WAF) provides centralized inbound protection for your web applications hosted behind Azure services like Azure Application Gateway, Azure Front Door or Azure CDN from common exploits and vulnerabilities. Whereas AZURE Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Answer 2

@EnterpriseArchitect , if you deploy ExpressRoute between your Azure gateway and On-prem then there is no need to deploy firewall at the endpoints as the connection is secured and protected. If you are using Application Gateway load balancing solution here to either load balance or filter the incoming traffic with exclusion rules, then you can implement WAF in front of APPGW as it has core rules sets that obeys OWASP rules that avoid web exploits, SQL injections and other vulnerabilities.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Answer 3

Hi @suvasara-MSFT , so in my case here, I'd like to publish the App Service with the Database from OnPremise SQL:

Public Internet Users –connects via the internet--> App Service –gets the data from--> Local OnPremise SQL Database

or

Public Internet Users –connects via the internet--> Application gateway (WAF) –secure and protect --> App Service –gets the data from--> Local OnPremise SQL Database

I assume it is possible using the WAF to prevent the attack coming through the ExpressRoute to my OnPremise?

Answer 4

@EnterpriseArchitect ,

If you think your question has been answered, click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.

---

Best regards
Subhash

Answer 5

Hi @EnterpriseArchitect i recommend you to follow the Hub and spoke network architecture, where Hub VNet will host all your security solutions such as Azure WAF, and Azure Firewall

Your publish application hosted on Azure App Service will be protected from internet traffic using Azure WAF.

https://learn.microsoft.com/en-us/azure/architecture/example-scenario/apps/fully-managed-secure-apps

Hub and Spoke reference architecture

https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal

https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

Azure Firewall is deployed in the Hub VNet to control traffic between the gateway's subnet and the resources in the spoke virtual networks