Confirm if IDPS in Azure firewall is active when behind Azure Application Gateway WAF

Clive Crocker 66 Reputation points
2023-11-23T17:09:08.3+00:00

My scenario is:

[Internet] -> [Azure AGWAF] -> [Azure Firewall] -> [Load Balancer] -> [App Servers]

Azure Firewall is Premium, with IDPS & Threat Intelligence enabled.

Inbound HTTPS traffic hits the AGWAF, is (WAF) filtered and then source & destination NAT'ed to pass via the firewall and hit the inside Load Balancer.

Like this:

https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall

My question is this: given that AGWAF NATs inbound traffic to come from a private address, and that by default the Firewall IDPS settings include the IANA RFC 1918 ranges, all inbound traffic from the AGWAF will be considered as Outbound traffic unless changes are made to that.

  1. Therefore, does the Azure Firewall bypass IDPS filtering of this traffic?
  2. If so, is there any downside to editing these and removing the AGWAF internal address from the private range, hence being considered as Inbound?
  3. In this context, it would seem that Threat Intelligence on the Firewall cannot be of any use, as the firewall does not see the original source IP, unless it is smart enough to inspect the X-Forwarded-For header.

I would be most grateful for any feedback.

Tags: Azure Firewall, Azure Application Gateway, Azure Web Application Firewall

Accepted answer
  KapilAnanth-MSFT 41,156 Reputation points, Microsoft Employee
    2023-11-24T06:01:14.2166667+00:00

    @Clive Crocker

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to know about IDPS Filtering with Azure App gateway with Azure Firewall integration.

    The following two observations are correct:

    • AGWAF NATs inbound traffic to come from a private address (App GW subnet).
    • Firewall IDPS settings include the IANA RFC 1918 ranges.

    However,

    Traffic from the AGWAF will be considered as internal (East-West).

    Refer : IDPS Private IP ranges

    Traffic sent from a private IP address range to a private IP address range is considered internal

    Now, to address your queries,

    1. Therefore, does the Azure Firewall bypass IDPS filtering of this traffic?

    • No.
    • The rules with direction "Internal" get applied to this traffic.
    • The IDPS Bypass List is a separate feature that allows you to explicitly specify not to filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list.

    2. If so, is there any downside to editing these and removing the AGWAF internal address from the private range, hence being considered as Inbound?

    • You can edit the private ranges to exclude the App gateway subnet from Private Address Range
    • There should not be any issue/downside.

    With respect to Threat Protection, I shall check if this supports inspection of the X-Forwarded-For header internally and let you know.

    Cheers,

    Kapil.
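
The following is an added worked example, not code from the question or the answer above. It models the two points the accepted answer makes: IDPS derives direction from whether source and destination fall inside the policy's private IP ranges (private to private is Internal), and carving the Application Gateway subnet out of those ranges turns the SNAT'ed App GW to backend flow into Inbound. The subnet 10.0.1.0/24, the App GW instance IP 10.0.1.5, the internal load balancer IP 10.0.2.10 and the client IP 203.0.113.7 are constructed values for the scenario in the question, not addresses from the page; the treatment of public-to-public traffic is likewise an assumption, since the page does not state it.

```python
import ipaddress

# Default IDPS private ranges as the page describes them: the IANA RFC 1918 blocks.
DEFAULT_PRIVATE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed lab values for the [AGWAF] -> [Azure Firewall] -> [Load Balancer] path.
APPGW_SUBNET = "10.0.1.0/24"   # assumption: Application Gateway subnet
APPGW_INSTANCE_IP = "10.0.1.5"  # assumption: source the firewall sees after SNAT
INTERNAL_LB_IP = "10.0.2.10"    # assumption: destination after DNAT on the App GW
INTERNET_CLIENT = "203.0.113.7" # assumption: original client, invisible to the firewall


def is_private(ip, private_ranges):
    """True if `ip` lies inside any range the IDPS policy treats as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in private_ranges)


def classify(src, dst, private_ranges):
    """Direction IDPS assigns to a flow, per the rule quoted in the answer:
    private -> private is Internal, public -> private is Inbound,
    private -> public is Outbound. Public -> public is reported as Outbound
    here only as an assumption; the page does not describe that case."""
    src_private = is_private(src, private_ranges)
    dst_private = is_private(dst, private_ranges)
    if src_private and dst_private:
        return "Internal"
    if dst_private:
        return "Inbound"
    return "Outbound"


def exclude_subnet(private_ranges, subnet):
    """Return the private range list with `subnet` carved out. This is the list
    you would enter as the policy's IDPS private IP ranges so that traffic
    sourced from that subnet is no longer private, and therefore App GW ->
    backend flows are classified as Inbound rather than Internal."""
    carve = ipaddress.ip_network(subnet)
    result = []
    for net in private_ranges:
        if carve.subnet_of(net):
            # address_exclude yields the remaining pieces; it yields nothing
            # when the two networks are identical, which is what we want.
            result.extend(net.address_exclude(carve))
        elif net.subnet_of(carve):
            continue  # the whole range sits inside the carve-out: drop it
        else:
            result.append(net)
    return sorted(result)


if __name__ == "__main__":
    print("default :", classify(APPGW_INSTANCE_IP, INTERNAL_LB_IP, DEFAULT_PRIVATE_RANGES))
    adjusted = exclude_subnet(DEFAULT_PRIVATE_RANGES, APPGW_SUBNET)
    print("adjusted:", classify(APPGW_INSTANCE_IP, INTERNAL_LB_IP, adjusted))
    # The firewall never sees INTERNET_CLIENT as a source on this path; the
    # classification below is what IDPS would apply if it did.
    print("client  :", classify(INTERNET_CLIENT, INTERNAL_LB_IP, DEFAULT_PRIVATE_RANGES))
    print("ranges  :", ", ".join(str(n) for n in adjusted))
```

Run as a script it prints the direction before and after the carve-out and the resulting range list (the 10.0.0.0/8 block splits into sixteen non-overlapping CIDRs that together cover everything except 10.0.1.0/24). Note that the carve-out only changes which IDPS direction rules apply; it does not give the firewall the original client IP, which after SNAT is only present in the X-Forwarded-For header.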

