Does Application Gateway with WAF send outbound traffic to the internet?

Omkar Pasalkar 71 Reputation points
2023-11-09T13:56:38.73+00:00

In a specific scenario where both an Application Gateway with Web Application Firewall (WAF) and Azure Firewall are deployed in parallel, handling incoming HTTP and HTTPS traffic, there's a question regarding the capability of the Application Gateway and WAF to send outbound traffic to the internet.

The inquiry pertains to whether this combined setup, which primarily focuses on processing incoming traffic, possesses the functionality to handle and manage outbound traffic destined for the internet.


Accepted answer

    GitaraniSharma-MSFT 48,436 Reputation points Microsoft Employee
    2023-11-09T15:00:12.3266667+00:00

    Hello @Omkar Pasalkar ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if the combined setup of Application Gateway with WAF and Azure Firewall deployed in parallel possesses the functionality to handle and manage outbound traffic destined for the internet.

    As described in the below doc:

    https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#firewall-and-application-gateway-in-parallel


    The Azure Firewall will cover outbound flows from both workload types.

    All outbound flows from Azure VMs will be forwarded to the Azure Firewall by UDRs.


    So, when Application Gateway with WAF and Azure Firewall are deployed in parallel, Azure WAF in Azure Application Gateway protects inbound traffic to the web workloads, and the Azure Firewall inspects inbound traffic for the other applications. And the outbound flows from both workload types are handled by the Azure Firewall.

    Since you've tagged AKS, I'm adding information regarding AKS egress traffic functionality using this setup below:

    To limit egress traffic from an Azure Kubernetes Services cluster using this combined setup, please refer:

    https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic

    Outbound requests start from agent nodes to the Azure Firewall internal IP using a user-defined route (UDR).

    • Requests from AKS agent nodes follow a UDR that has been placed on the subnet the AKS cluster was deployed into.
    • Azure Firewall egresses out of the virtual network from a public IP frontend.
    • Access to the public internet or other Azure services flows to and from the firewall frontend IP address.
    • Access to the AKS control plane can be protected by API server authorized IP ranges, including the firewall public frontend IP address.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
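The accepted answer describes the mechanism in words: outbound flows leave the workload subnet through a UDR whose next hop is the Azure Firewall's private IP, and AKS is told not to create its own public egress. The Bicep below is an added example of that wiring; it is not code from the Q&A thread, from the answerer, or from the linked Microsoft docs. Every name and address in it is a constructed assumption (a hub VNet `hub-vnet` with subnets `AzureFirewallSubnet` and `aks-subnet`, an already deployed firewall `hub-fw` attached to policy `hub-fw-policy`, the firewall's public IP passed in as a parameter, and a `10.1.0.0/22` AKS subnet). The network and application rules reflect the AKS egress requirements listed in the linked `limit-egress-traffic` document (UDP 1194 and TCP 9000 to the regional AzureCloud tag, NTP, and the `AzureKubernetesService` FQDN tag); verify them against the current version of that page before deploying.

```bicep
// Added example: force AKS node egress through an existing Azure Firewall via a UDR,
// then deploy AKS with outboundType 'userDefinedRouting' so it creates no public egress.
// All names, prefixes and the firewall public IP below are constructed assumptions.
param location string = resourceGroup().location
param vnetName string = 'hub-vnet'            // assumed existing VNet
param aksSubnetName string = 'aks-subnet'     // assumed existing subnet name
param aksSubnetPrefix string = '10.1.0.0/22'  // constructed prefix of that subnet
param firewallName string = 'hub-fw'          // assumed existing Azure Firewall
param firewallPolicyName string = 'hub-fw-policy' // assumed policy attached to it
param firewallPublicIp string                  // assumed: the firewall's public frontend IP

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: vnetName }
resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' existing = { name: firewallName }
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = { name: firewallPolicyName }

// The UDR: default route 0.0.0.0/0 -> firewall private IP as a virtual appliance.
// This is what "all outbound flows ... forwarded to the Azure Firewall by UDRs" means in practice.
resource aksRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'aks-egress-rt'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fw.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

// Associate the route table with the AKS node subnet.
resource aksSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: aksSubnetName
  properties: {
    addressPrefix: aksSubnetPrefix
    routeTable: { id: aksRouteTable.id }
  }
}

// Firewall policy rules: only the egress AKS needs, sourced from the node subnet.
resource aksEgressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'aks-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'aks-required-network'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          { ruleType: 'NetworkRule', name: 'apiudp', ipProtocols: [ 'UDP' ], sourceAddresses: [ aksSubnetPrefix ], destinationAddresses: [ 'AzureCloud.${location}' ], destinationPorts: [ '1194' ] }
          { ruleType: 'NetworkRule', name: 'apitcp', ipProtocols: [ 'TCP' ], sourceAddresses: [ aksSubnetPrefix ], destinationAddresses: [ 'AzureCloud.${location}' ], destinationPorts: [ '9000' ] }
          { ruleType: 'NetworkRule', name: 'ntp',    ipProtocols: [ 'UDP' ], sourceAddresses: [ aksSubnetPrefix ], destinationFqdns: [ 'ntp.ubuntu.com' ], destinationPorts: [ '123' ] }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'aks-required-app'
        priority: 110
        action: { type: 'Allow' }
        rules: [
          { ruleType: 'ApplicationRule', name: 'aks-fqdn-tag', sourceAddresses: [ aksSubnetPrefix ], protocols: [ { protocolType: 'Https', port: 443 } ], fqdnTags: [ 'AzureKubernetesService' ] }
        ]
      }
    ]
  }
}

// AKS with user-defined routing: no managed load balancer/public IP is created for egress,
// and the API server only accepts the firewall's public frontend IP (plus any admin ranges you add).
resource aks 'Microsoft.ContainerService/managedClusters@2023-08-01' = {
  name: 'aks-egress-demo'
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    dnsPrefix: 'aksegressdemo'
    agentPoolProfiles: [
      { name: 'system', mode: 'System', count: 2, vmSize: 'Standard_D4s_v3', vnetSubnetId: aksSubnet.id }
    ]
    networkProfile: {
      networkPlugin: 'azure'
      outboundType: 'userDefinedRouting'
      serviceCidr: '10.200.0.0/16'   // constructed, must not overlap the VNet
      dnsServiceIP: '10.200.0.10'
    }
    apiServerAccessProfile: { authorizedIPRanges: [ '${firewallPublicIp}/32' ] }
  }
}
```

Two points to check before relying on this: the cluster identity must hold Network Contributor on the route table (and subnet) or node provisioning fails under `userDefinedRouting`, and because the default route also covers the nodes' path to the API server, the network rules above have to exist before the cluster is created, otherwise the nodes never register. To confirm egress really leaves through the firewall, run a pod that fetches an external "what is my IP" service and compare the result with `firewallPublicIp`; any other address means the UDR or the outbound type is not in effect.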

