Azure Firewall for development cost reduction - I need to keep the static IP

Avi Stokar 0

I am in development and the app environment requires a static IP which is registered with 3rd party for their white list. This application also requires an SSL certificate for use as client certificate with this IP. I see that the Azure firewall on this environment is costing a lot of money and I would like to turn it off but I need to keep this static IP address. How can I accomplish this?

Sina Salam 4,056 Reputation points

2024-05-01T23:38:20.19+00:00
Hello Avi Stokar

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

Sequel to your questions, I understand that you are in needs to reduce costs associated with your development environment in Azure while maintaining a static IP address that is registered with a third party for whitelisting purposes. Also, the solution must support the use of an SSL certificate as a client certificate with this static IP address.

Scenario

To understand your unique scenario, Avi Stokar is having an application that requires a static IP which is registered with 3rd party for whitelisting purposes. The application also necessitates the use of an SSL certificate as a client certificate with this static IP address. However, Avi has noticed that the Azure Firewall being used in the environment is causing significant costs. To address this issue, Avi needs to find a cost-effective solution that allows him to maintain the static IP address, preserve the SSL certificate functionality, and reduce expenses associated with the Azure Firewall.

Solution

This proposed solution was based on the scenario given and your questions, while focusing on the problem statement (This is not a separate solution).

Core

Azure Load Balancer (LB) provides basic load balancing based on source IP address and port. Avi can use the Basic SKU, which offers cost-effective load balancing without additional features like SSL termination. You will configure the Azure Load Balancer with a static public IP address to maintain the required IP for whitelisting.

Apply Network Security Groups (NSGs) to the backend subnet to control traffic to your application servers and configure NSGs to allow inbound traffic on the required ports (e.g., HTTPS on port 443) while restricting access as per security requirements.

Implement SSL termination directly within your application servers instead of relying on Azure services like Application Gateway. You will also configure your application to handle SSL termination, decrypting incoming HTTPS traffic and forwarding it to the application logic.

Update DNS Configuration, via DNS records to point to the static public IP address assigned to the Azure Load Balancer.

What you will achieve by the above solution

Static IP Address Maintenance: By using Azure Load Balancer with a static public IP address, you can maintain the necessary IP for whitelisting.

Cost Reduction: Opting for the Basic SKU of Azure Load Balancer can be a cost-effective choice for load balancing. However, it’s important to note that on September 30, 2025, Basic Load Balancer will be retired. You should plan to upgrade to Standard Load Balancer before this date to avoid service disruption.

SSL Certificate Support: Implementing SSL termination at the application level allows you to continue using SSL certificates effectively. This method can handle more connections and ensures that the data remains private and encrypted until it reaches the application servers.

Considerations

There are a few considerations you should keep in mind:

Security: While NSGs can help control traffic, you must ensure they are properly configured to secure the application servers.

SSL Termination: If SSL termination is handled at the application level, you need to ensure that the servers are capable of handling the additional load and that the application is configured correctly to manage SSL connections.

Future Planning: With the retirement of Basic Load Balancer in 2025, you should consider the costs and features of upgrading to Standard Load Balancer, which offers higher performance, security, and an SLA of 99.99%.

Finally

In conclusion, the proposed solution can solve the problem effectively and provide an economical solution for now, but you should also plan for future changes and ensure that security and performance are not compromised.

However, it's essential to acknowledge that the best solution can vary based on nuanced details specific to your application environment, which might not have been fully captured in the provided information by you.

Alternative best solutions

To maintain a static IP address for whitelisting purposes while reducing costs associated with the Azure Firewall, you can consider the following alternatives:

Azure Application Gateway

Azure Front Door

Virtual Network (VNet) Service Endpoints

Azure Bastion

Third-Party Network Virtual Appliances (NVAs)

Please, you should evaluate these options based on the specific security, performance, and cost requirements of his development environment. It’s also advisable to consult with Azure support or a cloud solutions architect to ensure the chosen solution aligns with best practices and long-term objectives. Also, you have to keep in mind the future retirement of certain services, like the Basic SKU of Azure Load Balancer, and plan accordingly.

References

Source: Top 10 Azure Firewall Alternatives & Competitors (Free/Paid) - G2. Accessed. 1/5.2024.

Source 2: Configure IP addresses for an Azure network interface. Accessed. 1/5.2024.

Source 3: Best practices for network security - Microsoft Azure. Accessed. 1/5.2024.

Source 4: Comparing Azure Firewall vs. Network Security Groups (NSGs). Accessed. 1/5.2024.

Also, read more information from the additional resources available by the right side to this page for clarifications.

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee

2024-05-02T12:42:22.14+00:00
Hello @Avi Stokar ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Could you please share your network diagram on how the App and Firewall are configured?

How is the traffic flowing as of today? Is it from Internet to App via Firewall?

Is the static IP associated to the Azure Firewall?

Regards,

Gita
Avi Stokar 0 Reputation points

2024-05-02T22:53:09.13+00:00

the environment is setup to have a static IP address which we register with the 3rd party API. Out code is using Azure Functions and app environment is installed using the firewall for security purposes - the function can only be called from internal clients to our Azure environment.
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee

2024-05-06T15:47:10.71+00:00

@Avi Stokar , could you please provide an update on this post?
Avi Stokar 0 Reputation points

2024-05-07T12:24:15.8+00:00

I'm travelling right now, but I will try to move the public IP to the app service as you suggested and let you know my progress
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee

2024-05-08T02:29:27.41+00:00

@Avi Stokar , thanks for the update. I've converted my comment into an answer for the time being. Please share the status from your end once you've checked your setup. If you have any additional questions or encounter further issues, feel free to reach out.

1 answer

GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee

2024-05-03T17:31:42.53+00:00

Hello @Avi Stokar ,

Thank you for the details but I would like to know which resource is associated to the Static IP address.

When you say the static IP is registered with 3rd party for their whitelisting, I believe you are referring to a Static Public IP. So, is this static Public IP associated to the Azure Firewall?

If this Static Public IP is associated to the Azure Firewall, then you need to follow the below doc:

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall#change-the-public-ip-address-for-a-firewall

You can change the public IP address associated with the firewall but note that a firewall must have at least one public IP address associated with its configuration. Also, you can't update the IP address if the firewall's existing IP has any destination network address translation (DNAT) rules associated with it.

So, if you would like to retain the existing Static IP address associated with the Azure Firewall and stop the Azure Firewall for cost reduction, then you need to first change the IP address of the Azure Firewall.

To stop Azure Firewall, refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#how-can-i-stop-and-start-azure-firewall

But to make sure that the app is still accessible using the existing static IP, you would need to associate it back to a resource depending upon your requirement.

You could either add it directly to your app if you are using an Azure App service.

Refer: https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#get-a-static-inbound-ip

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings

Or you need to introduce another resource which can help you with the inbound connections, such as Azure Application gateway, Load balancer, Front Door etc.

If you could share your exact setup with the traffic flow from the 3rd party to the app and the new requirement, we can discuss it further.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Azure Firewall for development cost reduction - I need to keep the static IP

Problem

Scenario

Solution

Core

What you will achieve by the above solution

Considerations

Finally

Alternative best solutions

References

Accept Answer

1 answer