Routing Traffic from Azure Front Door to Azure Firewall(Hub vnet) to APIM External Vnet(Spoke vnet) to Azure private Endpoint App Services in Hub-Spoke

Question

Routing Traffic from Azure Front Door to Azure Firewall(Hub vnet) to APIM External Vnet(Spoke vnet) to Azure private Endpoint App Services in Hub-Spoke

tamizh 1

Hello,

i am working to build a concept by Hub-Spoke architecture. I am using Azure Front Door as a global service to route incoming requests.
A hub and spoke are deployed and they are configure with each other by VPN Gateway to transport traffic between them(by Gateway Transit=enabled).

Azure Firewall is deployed in Hub and will get the request from Azure Front door and forward the traffic to APIM External Vnet in Spoke. Backend Application(Function App) is integrated with APIM
My question,

Is that possible that Azure firewall can transport the traffic from Azure Front door and forward it to APIM External Vnet and my frontend Application should access via Frontdoor URL
if yes, then
-> how could i configure the Azure Firewall to transport the traffic between Azure Front door and APIM (in the spoke)?
-> how can i configure my Frontend Application to be access via Frontend.
-> Flow Internet Connection Should be like:
Azure Frontdoor ->Azure Firewall ->APIM ->Private Endpoint of Service(Ingress)

thank you!

1 answer

Your answer

Answer 1

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @tamizh ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know if it is possible to setup an architecture where traffic will be routed from Azure Front Door to Azure Firewall(Hub vnet) to APIM External Vnet(Spoke vnet) to Azure private Endpoint App Services in a Hub-Spoke topology.

Your desired setup should be possible. We have a document explaining a similar architecture that you can refer below:
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/security/hardened-web-app

A custom fully qualified domain name (FQDN) is needed to represent the back-end web app/function app and is mapped through CNAME or A DNS resource records to the public IP address of an Azure firewall.
You can refer the below doc for the steps to configure the above:
https://github.com/Azure/hardened-webapp

The function app is assigned the custom FQDN through the domain verification ID property of the web app. This allows the custom FQDN already mapped to the public IP address of the Azure Firewall to be reused with the web app without altering Domain Name System (DNS) name resolution and network flows.
Refer : https://learn.microsoft.com/en-us/azure/dns/dns-custom-domain

The above custom FQDN is used as a "Custom" backend for your Azure Front Door.

The Azure Firewall is deployed to its own reserved subnet in a virtual network (Hub Virtual Network in the example) and is configured to perform destination network address translation (DNAT) of incoming requests to the private IP address or the private endpoint associated with the web app.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

tamizh 1 Reputation point

2022-11-25T07:59:35.957+00:00

Hi @GitaraniSharma-MSFT ,
Thanks for your reply! I have one question below please tell your comments.
APIM With External Vnet Access type under API Management Subnet, API Management Subnet need to Accept traffic only from Azure Firewall so UDR need to written in API management subnet level to accept the traffic from Azure Firewall.

After writing the above route only, Internet Flow of connection will satisfy right as i mentioned? If i Write the routes in API management will work to accept the traffic from firewall because Backend Function app are integrated with APIM?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-11-30T08:37:26.48+00:00

Hello @tamizh ,

Apologies for the delay in response.

I would need to check this with the APIM team for confirmation.
In the meantime, I would request you to take a look into the below blog which talks about this scenario and some issues that arises due to it:
https://techcommunity.microsoft.com/t5/azure-paas-blog/api-management-networking-faqs-demystifying-series-ii/ba-p/1502056

Regards,
Gita
tamizh 1 Reputation point

2022-12-01T13:43:17.777+00:00

Hi @GitaraniSharma-MSFT ,
As per the blog you specified checked and updating the routes .In Meantime please give me a solution after discussing with APIM Team.

Regards,
Tamixh
tamizh 1 Reputation point

2022-12-19T13:37:32.47+00:00

Hi @GitaraniSharma-MSFT ,
Any Update , I tried specified blog you mentioned and Management Endpoints are connecting but i cant able to connect with Azure Firewall ->Azure External APIM(Internet Rule Disabled)->Function APP.
Above Flow not working, Frontend Application is not connecting with Backend API. Please give your suggestion or any solutions.

Regards,
Tamizh
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-27T19:35:58.753+00:00

Hello @tamizh ,

Apologies for the delay in response.

Could you please clarify what are you referring as "Azure External APIM(Internet Rule Disabled)"?

Also, what are the UDRs configured in your setup?

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-29T15:43:50.727+00:00

Hello @tamizh ,

Could you please share the requested details for further discussion on this issue?

Regards,
Gita
tamizh 1 Reputation point

2022-12-29T17:50:48.407+00:00
Hi @GitaraniSharma-MSFT ,
As per your suggested blog,

I followed steps to configure the Frontend Application with Custom DNS Pointing to Firewall IP.
When i hit the Frontdoor URL, I can able to access only the Login Page of FE Application,After Login homepage of Application not showing because Backend is not getting the connection properly .Error is (failed)net::ERR_CONNECTION_TIMED_OUT
I have Integrated the Function App in Azure APIM. So, Frontend Application need access the API calls in APIM - This part not working Below i have provided the Details of RT, NSG of APIM-Subnet

Details:

Azure Apim is connected as External Vnet.

Azure APIM Subnet-Route Table

Azure APIM-subnet-NSG: To answer to your question,"Azure External APIM(Internet Rule Disabled)" In NSG I have not added Internet as Source(This only i mentioned as Internet rule disabled) instead i have tried with Frontdoor(servicetag) but no luck

Architecture

Please verify above details, Please give some suggestions or solutions ASAP.

With regards,
Tamizh
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-01-04T10:06:53.607+00:00

Hello @tamizh ,

I see that you have created a new post for this issue with additional details: https://learn.microsoft.com/en-us/answers/questions/1144836/index.html
And that has been answered by my colleague @KapilAnanth-MSFT . I would request you to go through his suggestions and let us know the further updates.

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-01-10T15:22:35.717+00:00

Hello @tamizh ,

Could you please provide an update on this post?

Kindly let us know if you need further assistance on this issue.

If you are still facing issues, we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue. So, if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

In case you need help with a one-time free technical support, please email us as requested in the private message.

Regards, Gita

Share via

Routing Traffic from Azure Front Door to Azure Firewall(Hub vnet) to APIM External Vnet(Spoke vnet) to Azure private Endpoint App Services in Hub-Spoke

1 answer

Your answer