Share via

azure site recovery

eg1995 1,146 Reputation points
2021-09-21T12:29:49.237+00:00

dears,

i have a 3 tiers web app deployed in a hub and spoke model. inside the hub i have a vpn GW connected to on premises, then an nva and then the application gateway. within the spokes in front of each tier configured in an availability set we have an internal load balancer. So communication will be from the firewall to the application gateway then to the load balancer infront of the web tier. Second spoke is for uat with the same 3 tiers architecture.

i am willing to deploy azure site recovery for the whole deployment, so i know all of this resources will be recreated in the target region.

so i will provision a new vpn gateway connection, new app gw and new firewall in the hub vnet. In the spoke i will create same architecture with same load balancers and the app gw will reach at first the IP of the internal load balancer.

my question here would be regarding the failover of the web tier, i know we can use either front door either traffic manager, but as the first point of contact is my firewall in the hub, can i use the firewall as an endpoint for either the traffic manager either the front door? because when i choose a cloud PAAS service as endpoint my azure firewall is not under the list and when i choose a public IP it it requesting to have a dns name on it.

can u advise please?

thank you

Azure Site Recovery
Azure Site Recovery
An Azure native disaster recovery service. Previously known as Microsoft Azure Hyper-V Recovery Manager.
718 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Steve D 1 Reputation point Microsoft Employee
    2021-09-28T20:21:27.197+00:00

    I just want to add that for HTTP/HTTPS Web Traffic, we usually see customers protect with WAF (Web Application Firewall). I don't claim expertise in all NVA vendors (there are many), but the WAF and the Firewall can be deployed separately (i.e. consider the F5 WAF and Fortinet FW).

    In this architecture, you route the DNS resolved FQDNs to the Traffic Manager (CNAME record in DNS) and the TM has the profiles configured to support ACT/ACT, ACT/STB, ...etc.). Usually I have seen the Traffic Manager pointing to the Azure LB (public IPs front ends) with backend pools being WAF VMs (Marketplace NVAs). The WAF does the L7 inspection and FW functions and SSL offload (or not) and then it routes the traffic to the Azure service running your web apps.

    If you want to use Azure Front Door instead of TM, then it has a built-in WAF and you don't need the WAF Marketplace appliance for that part. If you want to stay with TM, you can even use a Azure Application GW (has a WAF SKU) as the next hop (instead of the standard LB and it will perform your WAF functions and route traffic to the Web Tier (web apps).

    I usually see the Firewall function come into play when traffic must route "east-west" among your tiers (Web to Front end, FE to BE). While NSGs can compliment this, customers usually use UDR routing to force all Inter-Subnet traffic through the Firewall, and this firewall can be an NVA appliance or the Azure FW.

    There are many ways to do it, but this is one that seems to have alot of adoption.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.