Thank you for reaching out.
The different architectures you described can be used for different purposes and deploying Azure Application Gateway in the Hub or in the spoke will depend on your requirements.
For example, as documented here: In most systems, Azure Firewall Premium is a shared resource. But Web Application Firewall can be a shared network device or an application-specific component. For the following reasons, it's usually best to treat Application Gateway as an application component and deploy it in a spoke virtual network:
- It can be difficult to troubleshoot Web Application Firewall alerts. You generally need in-depth knowledge of the application to decide whether the messages that trigger those alarms are legitimate.
- If you treat Application Gateway as a shared resource, you might exceed Azure Application Gateway limits.
- You might face role-based access control problems if you deploy Application Gateway in the hub. This situation can come up when teams manage different applications but use the same instance of Application Gateway. Each team then has access to the entire Application Gateway configuration.
Based on your question above:
So if you have a hub network, let's say with an Azure Firewall in the hub, and your reason for the AZFW is to force all traffic through it (which is the point of a hub, I guess), then you'd have traffic incoming to the APPGW at the spoke ----> AZFW ----> back to the app in the spoke... This seems odd to me. Why would you want incoming traffic from the Internet to ingress at a spoke? Doesn't that become a manageability nightmare?
I understand your concern here, although it is based on some common customer scenarios I have come across. An organization has a centralized firewall deployment, through which they apply certain firewall policies and rules for the whole organization. Now suppose a specific team wants to deploy a web application and expose it via Azure Application Gateway. As mentioned in the 3rd point above, it will be beneficial for them to deploy the Application Gateway in a spoke VNet, so that it is easier for them to maintain the Application Gateway and analyze the WAF alerts; and as they will send the traffic via the centralized Azure Firewall, it will also help satisfy the organizational requirements.
I understand this will not be a requirement for every customer, and it is completely fine to deploy an Azure Application Gateway in the hub network if that satisfies the requirement.
Additional architecture references for Azure Application Gateway and Azure Firewall:
Hope this helps! Please let me know if you have any additional questions or need any information for APIM service. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
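As an added example (not code from the answer above or from Microsoft's documentation), this Bicep fragment shows one way to realize the spoke-hosted flow discussed in the thread, ingress at the Application Gateway in the spoke, inspection by the hub Azure Firewall, then the backend in the same spoke, using user-defined routes on the two spoke subnets. The address ranges, firewall private IP and resource names are placeholders.

```bicep
// Added example, not from the answer above or from Microsoft's documentation.
// Assumed placeholders: address ranges, firewall private IP and resource names.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'        // hub Azure Firewall private IP (placeholder)
param appGwSubnetPrefix string = '10.1.0.0/24'     // spoke subnet hosting Application Gateway (placeholder)
param backendSubnetPrefix string = '10.1.1.0/24'   // spoke subnet hosting the web application (placeholder)

// Route table for the Application Gateway subnet: only the backend range is sent to the firewall.
// Application Gateway v2 does not support a 0.0.0.0/0 route to an NVA on its own subnet,
// so the default route is intentionally left to Azure (Internet ingress stays on the gateway).
resource appGwRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-appgw-subnet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'to-backend-via-hub-firewall'
        properties: {
          addressPrefix: backendSubnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Route table for the backend subnet: return traffic to the gateway subnet also goes through the
// firewall, so both directions traverse the same hop and the firewall never sees only half a flow.
resource backendRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-backend-subnet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'to-appgw-via-hub-firewall'
        properties: {
          addressPrefix: appGwSubnetPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
```

Each route table still has to be associated with its subnet, and the hub firewall needs a network rule permitting the gateway subnet to reach the backend port; without that rule the firewall drops the inspected traffic.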