Implementing Azure Firewall and Application Gateway in parallel

Question

We have an existing Azure Application Gateway(AGW subnet) with WAF policies defined in our main VNET where host(host subnet) and proxy(proxy subnet) machines also reside. We have another VNET for SFTP servers(sftp subnet). Now we are implementing Azure Firewall(Premium) to enable the IDPS feature. We implemented the firewall in a completely new VNET(firewall VNET) under firewall subnet. Almost all the configurations is completed for the firewall using terraform and we are able to access all our machines via SSH & RDP(configured DNAT rules in firewall). Coming to the web traffic- HTTP(S) we are still not sure how it is flowing. Our plan is to implement both firewall and AGW in parallel. I am following the below documentation but not sure where to create the route table or how to define the UDRs for the scenario, especially to implement it using terraform.

https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#firewall-and-application-gateway-in-parallel

To implement this scenario whether the firewall and AGW should reside on the same VNET?

I have a route table created with only one route defined as below

route {
    name                   = "route_internet"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address 
  }

All the three subnets of host, proxy and sftp servers are associated with this route table.

I am a complete beginner to networking. Any leads will be really helpful. Thanks in advance.

Answer 1

@Reshma Nair

Thank you for reaching out.

I understand you have implemented Application Gateway and Azure Firewall in parallel.

To implement this scenario whether the firewall and AGW should reside on the same VNET?

No that is not a requirement, you can establish this connectivity using VNET peering as described here. Deploying them in the same VNET does simplify the routing because Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. More details here.

If it helps you can also go through this answer I posted a few days ago which describes the advantages of deploying an Application Gateway on the peered VNET.

I am following the below documentation but not sure where to create the route table or how to define the UDRs for the scenario, especially to implement it using terraform.

Depending on desired traffic flow.

• If Application Gateway is located in the same VNET as backend HTTP server then the system routes I mentioned above are already created, so when a request arrives at Application gateway it is forwarded to the Backend HTTP server. The response packet will use the system route and forwards the traffic to application Gateway again (This traffic flow is expressed in the image below). Now even though you have a default route for the VM's subnet 0.0.0.0/0 to NVA this route will not be selected because the system route is more specific. This section here on how azure selects a route can be helpful in understanding this scenario.

If this is the desired traffic flow then only the default route mentioned in your question is required and not additional UDRs should be added.

If this is not the desired traffic flow, then it will help if you could share network diagram of your set-up and showcasing where Application gateway, Azure Firewall and Backend servers are located and the desired traffic flow.

Hope this helps! Please let me know if you have any additional questions. Thank you!

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.