Azure Firewall IDPS for inbound HTTPS traffic

JLaw 46 Reputation points
2023-07-31T22:51:20.9966667+00:00

The Azure Firewall Premium features page states that Azure Firewall only supports outbound and East-West TLS inspection, while inbound TLS inspection is only supported by Azure WAF on Azure Application Gateway.

  1. Does Azure Firewall IDPS cover inbound HTTPS traffic? Are there any Azure Firewall IDPS rules for inbound traffic that require TLS inspection? Presumably this will require fronting with Application Gateway WAF to do inbound TLS inspection before Azure Firewall, which will then perform IDPS on the decrypted inbound traffic?
  2. If not, does this mean that Azure Firewall will not decrypt inbound HTTPS traffic and can only apply IDPS rules that do not require TLS inspection (e.g. IP-based filtering, using HTTP headers)?

Trying to understand how to best leverage the full coverage of Azure Firewall IDPS rules for inbound traffic. Otherwise, IDPS is ineffective against inbound HTTPS traffic without TLS inspection.

Thank you.


Accepted answer
  1. Sedat SALMAN 14,180 Reputation points MVP
    2023-08-01T04:32:53.62+00:00

    Actually, your understanding is correct. The IDPS feature on Azure Firewall cannot inspect inbound TLS traffic. To leverage full IDPS rule coverage for inbound HTTPS traffic, you would indeed need to front Azure Firewall with Azure Application Gateway WAF. Actually, you can think of this as a best practice for security design, since in the real world this task is mostly assigned to WAF devices: for inbound traffic you need to provide a service. And our purpose is to protect our firewall from a DDoS-like attack, since the main purpose of the firewall is to control internal traffic.

    https://learn.microsoft.com/en-us/azure/firewall/premium-features

    To protect internal servers or applications hosted in Azure from malicious requests that arrive from the Internet or an external network. Application Gateway provides end-to-end encryption.

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

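The layout the accepted answer describes, as an added example that is not part of the question or the answer and not Microsoft's own sample code: a WAF_v2 Application Gateway terminates inbound TLS, and a route table on its subnet steers the now-decrypted request through Azure Firewall Premium, whose IDPS is set to Deny, before it reaches the web tier. It uses the Az PowerShell module. Every name, address prefix, backend IP, certificate path and password prompt below is an assumption for illustration; only the `AzureFirewallSubnet` name is fixed by the platform.

```powershell
# Added example (not from the Q&A above). Assumes Az.Network is installed and Connect-AzAccount
# has been run; resource names, prefixes and the PFX path are placeholders, not real values.
$rg  = "rg-web-inspect"
$loc = "eastus"

# 1. Hub VNet with the three subnets the pattern needs (AzureFirewallSubnet name is mandatory)
$vnet = New-AzVirtualNetwork -Name vnet-hub -ResourceGroupName $rg -Location $loc -AddressPrefix 10.0.0.0/16 -Subnet @(
    (New-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -AddressPrefix 10.0.0.0/26),
    (New-AzVirtualNetworkSubnetConfig -Name AppGwSubnet         -AddressPrefix 10.0.1.0/24),
    (New-AzVirtualNetworkSubnetConfig -Name WebSubnet           -AddressPrefix 10.0.2.0/24))

# 2. Premium firewall policy: IDPS in Deny mode, plus one network rule letting the gateway
#    subnet reach the web tier on port 80. The leg is plain HTTP on purpose so the IDPS
#    signatures see the payload the gateway already decrypted.
$idps   = New-AzFirewallPolicyIntrusionDetection -Mode Deny
$policy = New-AzFirewallPolicy -Name fwpol-prem -ResourceGroupName $rg -Location $loc -SkuTier Premium -IntrusionDetection $idps
$rule = New-AzFirewallPolicyNetworkRule -Name appgw-to-web -SourceAddress 10.0.1.0/24 -DestinationAddress 10.0.2.0/24 -DestinationPort 80 -Protocol TCP
$coll = New-AzFirewallPolicyFilterRuleCollection -Name allow-appgw -Priority 100 -Rule $rule -ActionType Allow
New-AzFirewallPolicyRuleCollectionGroup -Name rcg-web -Priority 200 -RuleCollection $coll -FirewallPolicyObject $policy

$fwPip = New-AzPublicIpAddress -Name pip-fw -ResourceGroupName $rg -Location $loc -Sku Standard -AllocationMethod Static
$fw = New-AzFirewall -Name fw-prem -ResourceGroupName $rg -Location $loc -VirtualNetwork $vnet -PublicIpAddress $fwPip `
        -FirewallPolicyId $policy.Id -SkuName AZFW_VNet -SkuTier Premium
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress

# 3. Symmetric routing: gateway subnet -> web tier and web tier -> gateway subnet both go via the
#    firewall's private IP, so IDPS sees both directions of every flow (deliberately no 0.0.0.0/0
#    route on the gateway subnet; v2 gateways reject that next hop).
$rtAppGw = New-AzRouteTable -Name rt-appgw -ResourceGroupName $rg -Location $loc -Route (
    New-AzRouteConfig -Name to-web -AddressPrefix 10.0.2.0/24 -NextHopType VirtualAppliance -NextHopIpAddress $fwIp)
$rtWeb = New-AzRouteTable -Name rt-web -ResourceGroupName $rg -Location $loc -Route (
    New-AzRouteConfig -Name to-appgw -AddressPrefix 10.0.1.0/24 -NextHopType VirtualAppliance -NextHopIpAddress $fwIp)
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name AppGwSubnet -AddressPrefix 10.0.1.0/24 -RouteTable $rtAppGw | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name WebSubnet   -AddressPrefix 10.0.2.0/24 -RouteTable $rtWeb   | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# 4. WAF_v2 gateway: HTTPS listener holding the site certificate (this is where inbound TLS
#    inspection happens), WAF in Prevention, backend setting HTTP/80 toward the web tier.
$agwPip = New-AzPublicIpAddress -Name pip-agw -ResourceGroupName $rg -Location $loc -Sku Standard -AllocationMethod Static
$sub    = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name AppGwSubnet
$gwIp   = New-AzApplicationGatewayIPConfiguration -Name gwip -Subnet $sub
$feIp   = New-AzApplicationGatewayFrontendIPConfig -Name feip -PublicIPAddress $agwPip
$fePort = New-AzApplicationGatewayFrontendPort -Name port443 -Port 443
$cert   = New-AzApplicationGatewaySslCertificate -Name site-cert -CertificateFile "C:\certs\www.pfx" `
            -Password (Read-Host -AsSecureString "PFX password")          # placeholder path
$listener  = New-AzApplicationGatewayHttpListener -Name https-listener -Protocol Https `
               -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $cert
$pool      = New-AzApplicationGatewayBackendAddressPool -Name web-pool -BackendIPAddresses 10.0.2.4, 10.0.2.5
$beSetting = New-AzApplicationGatewayBackendHttpSetting -Name http80 -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30
$ruleRt    = New-AzApplicationGatewayRequestRoutingRule -Name rule1 -RuleType Basic -Priority 100 `
               -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $beSetting
$waf = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion 3.2
$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2 -Capacity 2

New-AzApplicationGateway -Name agw-waf -ResourceGroupName $rg -Location $loc -Sku $sku `
    -GatewayIPConfigurations $gwIp -FrontendIPConfigurations $feIp -FrontendPorts $fePort `
    -HttpListeners $listener -BackendAddressPools $pool -BackendHttpSettingsCollection $beSetting `
    -RequestRoutingRules $ruleRt -SslCertificates $cert -WebApplicationFirewallConfiguration $waf
```

Two design points worth checking in your own deployment. First, the backend leg is plain HTTP only so that the example stays short; if the gateway-to-web leg must itself be HTTPS, the firewall sees TLS again and you are back to needing TLS inspection on that east-west leg (which the premium-features page cited in the answer says Azure Firewall does support), configured through an application rule with the gateway's backend settings trusting the firewall's intermediate CA. Second, the route table on WebSubnet is not optional: without it, return traffic bypasses the firewall, the flow is asymmetric, and IDPS only ever sees half of each connection.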
