Connecting Azure FrontDoor to Azure app services through VWAN integrated with Azure firewall

Suwarna S Kale 301 Reputation points
2023-10-20T01:42:10.2666667+00:00

Here is the scenario for the setup we have:

  1. We have one subscription (HUB) created to deploy a secured Azure Virtual WAN integrated with Azure Firewall, using the Microsoft paired regions East US (primary region) and West US (secondary region). This is a Microsoft-managed hub network.
  2. We have different subscriptions created for each environment such as Dev, UAT, QA, and Stage, and one more which has Prod and DR together, so 6 subscriptions (SPOKE) in total for these environments, with spoke vNets.
  3. We are trying to use two Front Doors, one shared between all non-prod subscriptions (will be placed under the Dev subscription) and another one shared between Prod and DR (will be placed under the shared subscription for Prod and DR).
  4. Now we want to bring in Azure Front Door and maintain zero trust by creating a traffic flow like Azure Front Door -> Azure Firewall -> Azure App Service -> SQL Server (this is IMPORTANT for us to maintain zero trust).
  5. Also, we are following a domain-driven architecture style, so the above is one solution architecture we will build using Terraform, Azure DevOps, and GitHub.
  6. In the future there will be multiple similar environments like this, and we are planning to build those using Terraform.

Questions as below:

  1. Is it good practice to place Front Door under a spoke subscription if we really want to achieve zero trust, because when we use Private Link that will be the spoke vNet only? What is the best practice?
  2. Is it good to have two Front Doors, one for all non-Prod and one for Prod/DR, or is using one Front Door good enough given our current and future needs? What are the pros and cons of each scenario?
  3. Should we use the Hub subscription to deploy Front Door? Or can we still maintain the desired traffic flow FD -> Azure Firewall -> App Service by placing Front Door under the spokes?
  4. If we also want to use API Management connecting to App Service and Azure API Health services, what will the traffic flow look like (FD -> Azure Firewall -> API Management -> App Service)? Also, in which subscription should we place the API Management service (hub or spoke)?
  5. Is there any detailed documentation available to follow?

Thanks in advance!

  1. KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee
    2023-10-31T05:04:25.9566667+00:00

    @Suwarna S Kale

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Points to note:

    #1 "Subscription" is a logical grouping for billing; it does not dictate latency or connectivity.

    #2 Azure Front Door ----> Azure Firewall traffic is going to happen via a public IP only, so placing the AFD in any specific VNET does not matter.

    Now, to address your queries:

    1. Is it good practice to place Front Door under a spoke subscription if we really want to achieve zero trust, because when we use Private Link that will be the spoke vNet only? What is the best practice?

    1. As mentioned in #1, Front Door can be in any subscription; it need not be in the same subscription as the Firewall.
    2. Can you elaborate on what you mean by "use private link that will be spoke vnet only"?

    2. Is it good to have two Front Doors, one for all non-Prod and one for Prod/DR, or is using one Front Door good enough given our current and future needs? What are the pros and cons of each scenario?

    • This completely depends on billing and management overhead.
    • The AFD is completely capable of handling a huge volume of requests.
    • You can use multiple domains with a single AFD for non-Prod and Prod/DR.

    3. Should we use the Hub subscription to deploy Front Door? Or can we still maintain the desired traffic flow FD -> Azure Firewall -> App Service by placing Front Door under the spokes?

    • Refer #2

    4. If we also want to use API Management connecting to App Service and Azure API Health services, what will the traffic flow look like (FD -> Azure Firewall -> API Management -> App Service)? Also, in which subscription should we place the API Management service (hub or spoke)?

    • It is recommended to place the resource in the same VNET as the Azure Firewall if the resource is going to be integrated into a VNET.
    • Subscription does not matter, as mentioned in #1.

    5. Is there any detailed documentation available to follow?

    As long as you are able to reach the PaaS service

    • via a public endpoint
    • or
    • via peering/VNET connection when the PaaS service is VNET integrated,

    this setup should be configurable.

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil
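Because the AFD -> Azure Firewall hop in this thread travels over a public IP, the origin side has to prove a request really came through your own Front Door rather than from anything else on the Internet. Two checks do that: restrict the firewall's inbound source to Front Door's backend address ranges (the AzureFrontDoor.Backend service tag), and have the origin verify the X-Azure-FDID header that Front Door stamps on every forwarded request against your profile's ID. The following is an added example that is not part of the post or answer; the address ranges and the profile ID are constructed placeholders.

```python
import ipaddress
from typing import Iterable, Mapping, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample ranges (documentation prefixes only). In a real deployment
# load the current AzureFrontDoor.Backend service tag ranges from Azure's
# published service tag list and refresh them regularly.
FRONT_DOOR_BACKEND_RANGES: list[Network] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:fd00::/48"),
]

# Placeholder for the Front Door profile ID (a GUID shown on the profile).
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"


def is_from_front_door(remote_ip: str, headers: Mapping[str, str],
                       expected_fdid: str = EXPECTED_FDID,
                       allowed: Iterable[Network] = FRONT_DOOR_BACKEND_RANGES) -> bool:
    """Return True only if the source address lies in a Front Door backend
    range AND the X-Azure-FDID header names our own profile.

    Both checks are needed: the ranges are shared by every Front Door tenant,
    so an address match alone would admit traffic relayed through someone
    else's profile; the header alone is trivially forged by a direct caller.
    """
    try:
        src = ipaddress.ip_address(remote_ip)
    except ValueError:
        # Malformed or missing client address: fail closed.
        return False
    if not any(src in net for net in allowed):
        return False
    # Header names are case-insensitive; normalise before comparing.
    fdid = next((v for k, v in headers.items() if k.lower() == "x-azure-fdid"), None)
    return fdid is not None and fdid == expected_fdid
```

The source-range test is what the firewall's DNAT source filter enforces in front of the app; the header test belongs on the origin itself so that traffic bypassing the firewall is still rejected.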

