Passing traffic through Application Gateway without NAT

Amit Sharma 0 Reputation points
2023-09-11T06:13:26.36+00:00

Hi Guys,

Need help: our customer has an Application Gateway deployed at the perimeter for load balancing traffic from the Internet to internal servers. The same is used for on-prem traffic to Azure servers.

Multiple URLs/websites of the customer's production are published via this Application Gateway.

Traffic flow is as below:

For users on Internet: Internet (Client) --> Azure Application Gateway --> Firewall (Not Azure firewall) --> WAF --> ADC --> Internal Servers.

For On-Prem users: On-Prem Users (Client) --> ExpressRoute --> Azure Application Gateway --> Firewall (Not Azure firewall) --> WAF --> ADC --> Internal Servers.

Due to this setup, the firewall doesn't have visibility of the actual client IP, which makes it difficult to monitor traffic.

Is there a way by which I can keep the Application Gateway as it is and remove any NAT, so that we can get the actual client IP on the firewall?

Also, if we replace the Application Gateway with a Load Balancer, can I achieve this use case?

If we use a Load Balancer, will I be able to publish URLs like I have done on the Application Gateway?


1 answer

  1. ChaitanyaNaykodi-MSFT 22,701 Reputation points Microsoft Employee
    2023-09-11T21:54:34.0966667+00:00

    @Amit Sharma

    Thank you for reaching out and posting a detailed question here.

    Based on your question above:

    Due to this setup the firewall doesn't have visibility of the actual client IP, which makes it difficult to monitor traffic. Is there a way by which I can keep the Application Gateway as it is and remove any NAT, so that we can get the actual client IP on the firewall?

    Currently it is not possible to remove the NAT, as it is a limitation by design for Application Gateway. However, Application Gateway inserts an extra header, x-forwarded-for, which carries the original client IP information, into all requests before it forwards them to the backend. More information can be found here.

    If it helps, and your objective here is to implement IP restriction, you can implement WAF for your Application Gateway, using which you can configure custom rules to implement IP restrictions as shown here. Since multiple URLs/websites of customer production are published via your Application Gateway, you can configure per-site WAF policies in Application Gateway.

    Based on your question above:

    Also, if we replace the Application Gateway with a Load Balancer, can I achieve this use case?

    Azure Load Balancer does preserve the client IP, as there is no default NAT. In this case the firewall in your setup will have visibility of the client IP. I think it will help if you could consider the following points:

    • Load Balancer operates at layer 4 and doesn't provide application layer gateway functionality, so you will not be able to manipulate the HTTP traffic using any rules. Protocol handshakes always occur directly between the client and the back-end pool instance.
    • There are two types of load balancers based on the frontend IP configuration. Selecting a private IP address creates an internal load balancer; selecting a public IP address creates a public load balancer. So, you will have to create a public load balancer for your Internet clients and an internal load balancer for your on-prem clients.
    • It will also help to go through these limitations of the Load Balancer backend pool before implementing this architecture.

    You can also take a look at Gateway Load Balancer and see if it suits your requirements.

    If we use a Load Balancer, will I be able to publish URLs like I have done on the Application Gateway?

    Yes, you can add a DNS name label to the public IP of the public Load Balancer, as shown below.

    For an internal Load Balancer you can create a Private DNS zone and create an A record for the private front-end IP. You can follow the steps mentioned in this thread.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

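The answer above notes that Application Gateway NATs the connection but appends the original client address to the x-forwarded-for header. The following is an added example (not part of the thread, nor Microsoft's code) showing how a firewall, WAF or backend log pipeline could recover that address safely: the header is honoured only when the TCP peer is in an assumed Application Gateway subnet (10.10.0.0/24, constructed), it is read right-to-left so a client-supplied value cannot override it, and the port suffix that Application Gateway adds ("ip:port") is stripped.

```python
import ipaddress

# Constructed assumption: the subnet(s) holding the Application Gateway instances.
# Only a request whose TCP peer is one of these may have its X-Forwarded-For trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/24")]


def _strip_port(hop):
    """Application Gateway appends 'ip:port'; drop the port, handling bracketed IPv6."""
    hop = hop.strip()
    if hop.startswith("[") and "]" in hop:   # "[2001:db8::1]:443"
        return hop[1:hop.index("]")]
    if hop.count(":") == 1:                  # "203.0.113.5:51234"
        return hop.split(":", 1)[0]
    return hop                               # bare IPv4 or IPv6


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def original_client_ip(peer_ip, xff):
    """Recover the client address the gateway saw, or fall back to the TCP peer.

    The header is only honoured when the direct peer is a trusted gateway, and it
    is read right-to-left so a client-supplied (spoofed) leftmost value is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer) or not xff:
        return str(peer)
    for hop in reversed(xff.split(",")):
        try:
            ip = ipaddress.ip_address(_strip_port(hop))
        except ValueError:
            return str(peer)        # malformed header: do not trust any of it
        if not _is_trusted(ip):
            return str(ip)          # first hop that is not one of our gateways
    return str(peer)                # every hop was a gateway; nothing to learn


def enrich(records):
    """Add a 'client_ip' field to constructed firewall/WAF log records."""
    return [dict(r, client_ip=original_client_ip(r["src"], r.get("xff", ""))) for r in records]


if __name__ == "__main__":
    # Constructed sample: a spoofed leftmost value, then what the gateway appended.
    sample = [{"src": "10.10.0.7", "xff": "1.2.3.4, 203.0.113.5:51234"},
              {"src": "198.51.100.9", "xff": "203.0.113.5:51234"}]
    for r in enrich(sample):
        print(r["src"], "->", r["client_ip"])
```

Because the NAT cannot be removed, this header-based approach (or the WAF custom rules the answer links to) is the practical way to get client-IP visibility while keeping Application Gateway in the path.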