Hello @EnterpriseArchitect ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you want to know the best practices for using Azure Firewall with a web application behind WAF/Application Gateway.
The answer is: it depends on your requirements. There are 3 common recommended designs, as described in this doc:
1) Azure Firewall and Application Gateway in parallel - this is one of the most common designs. Use this combination when you want Azure Application Gateway to protect HTTP(S) applications from web attacks, and Azure Firewall to protect all other workloads and filter outbound traffic.
Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#firewall-and-application-gateway-in-parallel
2) Application Gateway in front of Azure Firewall - when you want Azure Firewall to inspect all traffic, WAF to protect web traffic, and the application to know the client's source IP address. With Azure Firewall Premium and TLS inspection, this design supports the end-to-end SSL scenario as well.
Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall
3) Azure Firewall in front of Application Gateway - when you want Azure Firewall to inspect and filter traffic before it reaches the Application Gateway. Because the Azure Firewall isn't going to decrypt HTTPS traffic, the functionality that it's adding to the Application Gateway is limited.
Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-after-firewall
In all 3 designs above, both the Azure Firewall and the Azure Application Gateway (WAF) are deployed in the hub VNet. Shared resources in a central hub virtual network connect to applications in separate spoke virtual networks through virtual network peerings.
Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#hub-and-spoke-topology
To configure Azure Firewall in a hub-and-spoke topology, please refer to the docs below for more information:
https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
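As an added illustration of design 1 (Azure Firewall and Application Gateway in parallel in the hub), here is a Bicep fragment showing the route tables that make the design work. This is example code written for this page; it is not part of the answer above and not Microsoft's sample code. The address ranges, resource names and the firewall private IP (`firewallPrivateIp`) are constructed assumptions. The security-relevant point is the two user-defined routes on the spoke subnet: a default route that forces all non-web traffic through Azure Firewall, and a more specific route for the Application Gateway subnet with next hop `VnetLocal`, so that return traffic from the web tier goes straight back to the gateway instead of through the firewall (which would otherwise produce asymmetric routing and dropped connections).

```bicep
// Example (not from the answer above): route tables for the "firewall and
// Application Gateway in parallel" hub-and-spoke design.
// All names and prefixes below are constructed for illustration.

param location string = resourceGroup().location
// Assumption: private IP of the Azure Firewall instance in the hub.
param firewallPrivateIp string = '10.0.1.4'

// Constructed address plan
var hubPrefix        = '10.0.0.0/16'
var fwSubnetPrefix   = '10.0.1.0/26'   // must be named AzureFirewallSubnet
var appGwSubnetPrefix = '10.0.2.0/24'
var spokePrefix      = '10.1.0.0/16'
var workloadPrefix   = '10.1.1.0/24'

// Route table attached to the Application Gateway subnet.
// Application Gateway v2 does not support a 0.0.0.0/0 route to a virtual
// appliance, so the gateway keeps a direct Internet path; WAF is what protects
// the HTTP(S) surface here, not the firewall.
resource appGwRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-appgw-example'
  location: location
  properties: {
    routes: [
      {
        name: 'default-to-internet'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'Internet'
        }
      }
    ]
  }
}

// Route table attached to the spoke workload subnet.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-workload-example'
  location: location
  properties: {
    // Keep BGP-learned routes from silently bypassing the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        // Everything not matched more specifically goes via Azure Firewall:
        // outbound Internet and east-west traffic are inspected and filtered.
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        // More specific route wins: replies to the Application Gateway
        // return directly over the peering, avoiding asymmetric routing.
        name: 'appgw-subnet-direct'
        properties: {
          addressPrefix: appGwSubnetPrefix
          nextHopType: 'VnetLocal'
        }
      }
    ]
  }
}

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub-example'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ hubPrefix ] }
    subnets: [
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: fwSubnetPrefix } }
      { name: 'snet-appgw', properties: { addressPrefix: appGwSubnetPrefix, routeTable: { id: appGwRoutes.id } } }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-example'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokePrefix ] }
    subnets: [
      { name: 'snet-workload', properties: { addressPrefix: workloadPrefix, routeTable: { id: spokeRoutes.id } } }
    ]
  }
}
```

After deploying the peerings between hub and spoke (omitted here), a quick check is `az network nic show-effective-route-table` on a workload VM's NIC: the effective routes should show `0.0.0.0/0` with next hop `VirtualAppliance` pointing at the firewall, and the Application Gateway subnet prefix with next hop `VnetLocal`. If the second route is missing, Application Gateway health probes will fail once the firewall's default route is in place, which is the classic symptom of asymmetric routing in this design.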