TLS Inspection in WAF App Gateway and Firewall

Question

TLS Inspection in WAF App Gateway and Firewall

Tan-9136 100

Hi,

WAF App Gateway does inbound TLS inspection only.
How could this be enabled? I don't see this setting in WAF App Gateway.

If I have App Gateway in front of Azure Firewall and there's HTTP(S) request happening, that means TLS inspection on the HTTP(S) request packets is only being done in WAF App Gateway, right?

And following up on the question above for the HTTP(S) response from the server, that means TLS inspection on the HTTP(S) response packets only happen on Azure firewall, right?

Thanks

Accepted answer

0 additional answers

Your answer

Answer 1

Praveen Bandaru 5,520 Microsoft External Staff Moderator

Hello Tan
The WAF App Gateway automatically performs inbound TLS inspection for HTTP(S) traffic from clients as part of its functionality, without needing a specific setting to enable it. For HTTP(S) requests, the WAF App Gateway handles TLS inspection, while Azure Firewall focuses on outbound traffic and does not perform inbound TLS inspection.

Enabling Inbound TLS Inspection in WAF App Gateway:

Please ensure the appropriate certificates are configured in the App Gateway for this inspection.
There is no specific setting to enable this feature; it is automatically applied to incoming requests.
The WAF App Gateway supports inbound TLS inspection for HTTP(S) traffic by default.
After inspection, it can re-encrypt and forward the request to the backend (optional).

When the App Gateway in front of Azure Firewall:

The WAF App Gateway handles TLS inspection for incoming client requests.
The Azure Firewall manages TLS inspection for outgoing server responses, but it does not inspect inbound TLS traffic.

Design intent: Azure Firewall is designed primarily as a network-level security service that controls and inspects egress and internal traffic. Inbound web traffic typically goes through Application Gateway, which is designed to handle HTTP(S), TLS termination, routing, and WAF.

Azure Firewall operates at L3–L7, but it doesn’t handle complex HTTP-level features like App Gateway.
Handling TLS inspection for inbound traffic (from untrusted clients) typically involves managing certificates in a way that’s better suited to a reverse proxy or WAF

Refer the public document: https://learn.microsoft.com/en-us/azure/firewall/premium-features#tls-inspection

Azure Firewall with TLS Inspection shows in the below Diagram: User's image

Check the relevant Q&A threads:

Refer: https://learn.microsoft.com/en-us/answers/questions/2275648/tls-inspection-in-waf-app-gateway-and-firewall

Refer: https://learn.microsoft.com/en-us/answers/questions/2073355/how-would-tls-inspection-work-with-waf-enabled-app

Hope the above answer helps! Please let us know do you have any further queries.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution.

Tan-9136 100 Reputation points

2025-05-15T17:13:28.18+00:00
Hi @Praveen Bandaru ,
Thank you for you reply.
When you said "Appropriate certificates need to configure in App Gateway to enable inbound TLS inspection", were you referring to certificate on the HTTPS listener?

From you explanation, it's confirmed that:

Inbound HTTP(S) request packet will be undergoing TLS inspection ONLY in WAF App Gateway.
No TLS inspection in Azure Firewall when the request goes through Azure Firewall from WAF App Gateway.

The server responds the HTTP(S) request will have its outbound HTTP(S) response packet be going though TLS inspection ONLY by Azure Firewall in L3-L7 but it will not be as comprehensive as the WAF's TLS inspection.
No TLS inspection in App Gateway when response goes through App Gateway from Azure Firewall.

Am I understanding this correctly?
Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator

2025-05-15T17:33:03.65+00:00

Hello Tan

Thank you for your response.

When you said, "Appropriate certificates need to configure in App Gateway to enable inbound TLS inspection", were you referring to certificate on the HTTPS listener?

Yes, you are correct you need to configure on the HTTPS listener you can refer the public document: https://learn.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal

Note: No additional TLS inspection when returning traffic from Azure Firewall.

Hope the above answer helps! Please let us know do you have any further queries. If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution.
Tan-9136 100 Reputation points

2025-05-15T19:48:30.73+00:00

Thank you @Praveen Bandaru .
So my summary of you explanation is correct then.
Glad to know that there's no additional TLS inspection for the HTTP(S) response done in App Gateway if it comes from Azure Firewall.
Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator

2025-05-15T20:11:57.24+00:00

Hello Tan
That's Correct, when traffic flows from Azure Firewall to Azure Application Gateway, the Application Gateway does not perform additional TLS inspection on the HTTP(S) response if the TLS session has already been terminated or inspected by the Azure Firewall.
Reference doc: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Share via

TLS Inspection in WAF App Gateway and Firewall

0 additional answers

Your answer