Does Application Gateway with WAF send outbound traffic to the internet?

Omkar Pasalkar 91 Reputation points
2023-11-09T13:56:38.73+00:00

In a specific scenario where both an Application Gateway with Web Application Firewall (WAF) and Azure Firewall are deployed in parallel, handling incoming HTTP and HTTPS traffic, there's a question regarding the capability of the Application Gateway and WAF to send outbound traffic to the internet.

The inquiry pertains to whether this combined setup, which primarily focuses on processing incoming traffic, possesses the functionality to handle and manage outbound traffic destined for the internet.


Answer accepted by question author

GitaraniSharma-MSFT 50,171 Reputation points Microsoft Employee Moderator
2023-11-09T15:00:12.3266667+00:00

Hello @Omkar Pasalkar,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know if the combined setup of Application Gateway with WAF and Azure Firewall deployed in parallel possesses the functionality to handle and manage outbound traffic destined for the internet.

As described in the below doc:

https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#firewall-and-application-gateway-in-parallel

The Azure Firewall will cover outbound flows from both workload types.

All outbound flows from Azure VMs will be forwarded to the Azure Firewall by UDRs.

So, when Application Gateway with WAF and Azure Firewall are deployed in parallel, Azure WAF in Azure Application Gateway protects inbound traffic to the web workloads, and the Azure Firewall inspects inbound traffic for the other applications. And the outbound flows from both workload types are handled by the Azure Firewall.

Since you've tagged AKS, I'm adding information regarding AKS egress traffic functionality using this setup below:

To limit egress traffic from an Azure Kubernetes Service cluster using this combined setup, please refer to:

https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic

Outbound requests start from agent nodes to the Azure Firewall internal IP using a user-defined route (UDR):

• Requests from AKS agent nodes follow a UDR that has been placed on the subnet the AKS cluster was deployed into.
• Azure Firewall egresses out of the virtual network from a public IP frontend.
• Access to the public internet or other Azure services flows to and from the firewall frontend IP address.
• Access to the AKS control plane can be protected by API server authorized IP ranges, including the firewall public frontend IP address.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
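The UDR the accepted answer refers to, written out as an added example (not code from the answer or from the Microsoft docs it links): a Bicep route table that sends a workload subnet's internet-bound traffic to the Azure Firewall private IP. The VNet name, subnet name, address prefixes and firewall IP are placeholders I chose for illustration. The route table is attached to the workload (or AKS node) subnet only; the Application Gateway subnet keeps its default route to the internet.

```bicep
// Added example: force a workload subnet's internet egress through Azure Firewall.
// All names and addresses below are placeholders, not values from the question or docs.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'
param workloadSubnetName string = 'snet-workload'
param workloadSubnetPrefix string = '10.0.10.0/24'
// Private IP of the Azure Firewall (first usable address of AzureFirewallSubnet).
param firewallPrivateIp string = '10.0.1.4'

// Default route: any destination outside the VNet goes to the firewall, not straight to the internet.
resource egressRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload-egress'
  location: location
  properties: {
    // Stop on-premises routes learned over BGP from overriding the forced default route.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-azure-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Associate the route table with the workload (or AKS node) subnet only.
// Do not attach it to the Application Gateway subnet, which needs its default internet route.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: workloadSubnetName
  properties: {
    addressPrefix: workloadSubnetPrefix
    routeTable: {
      id: egressRouteTable.id
    }
  }
}
```

The route only forces traffic to the firewall; egress still needs matching Azure Firewall network or application rules, and an AKS cluster on this subnet must be created with outbound type userDefinedRouting so the nodes rely on the UDR instead of a load balancer outbound IP.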

