Using Azure Firewall with Web Application behind WAF/Application Gateway?

EnterpriseArchitect 4,741 Reputation points
2022-03-16T12:32:22.75+00:00

People,

What's the best practice for deploying a WAF (Web Application Firewall) together with Azure Firewall?

I'm planning to deploy a hub-and-spoke network topology like the one below, but I'm not sure where I should put and configure the Azure Firewall in the picture below:
[image: 183715-image.png]

Thanks in advance.


Accepted answer
  1. GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
    2022-03-16T13:07:19.157+00:00

    Hello @EnterpriseArchitect ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you want to know the best practices for using Azure Firewall with Web Application behind WAF/Application Gateway.

    The answer is: it depends on your requirements. There are 3 common recommended designs, as mentioned in this doc:

    1) Azure Firewall and Application Gateway in parallel - this is one of the most common designs. Use this combination when you want Azure Application Gateway to protect HTTP(S) applications from web attacks, and Azure Firewall to protect all other workloads and filter outbound traffic.
    Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#firewall-and-application-gateway-in-parallel

    2) Application Gateway in front of Azure Firewall - when you want Azure Firewall to inspect all traffic, WAF to protect web traffic, and the application to know the client's source IP address. With Azure Firewall Premium and TLS inspection, this design supports the end-to-end SSL scenario as well.
    Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall

    3) Azure Firewall in front of Application Gateway - when you want Azure Firewall to inspect and filter traffic before it reaches the Application Gateway. Because the Azure Firewall isn't going to decrypt HTTPS traffic, the functionality that it's adding to the Application Gateway is limited.
    Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-after-firewall

    In all 3 designs above, both the Azure Firewall and the Azure Application Gateway (WAF) are deployed in the hub VNet. Shared resources in a central hub virtual network connect to applications in separate spoke virtual networks through virtual network peerings.
    Refer: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#hub-and-spoke-topology

    To configure Azure Firewall in a hub-and-spoke topology, please refer to the docs below for more information:
    https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps
    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
    2022-09-22T14:30:22.21+00:00

    Hello @Ganesh Thorave ,

    Replying to your follow-up query posted on https://learn.microsoft.com/en-us/answers/questions/1017577/access-private-endpoints-from-on-premise-with-azur.html?childToView=1019291#comment-1019291

    Routing will be the same as mentioned above even if both the App GW and the Azure Firewall reside in the same hub VNet, as below:

    [image: 243924-image.png]

    • The client starts the connection to the public IP address of the Azure Application Gateway.
    • On your App gateway subnet, there should be a UDR with destination address space of your VM subnets pointing to next hop Azure Firewall.
    • The request to the Application Gateway public IP is distributed to a back-end instance of the gateway. The Application Gateway instance stops the connection from the client, and establishes a new connection with one of the back ends. The UDR to the VM subnet in the Application Gateway subnet forwards the packet to the Azure Firewall, while preserving the destination IP to the web application.
    • Azure Firewall doesn't SNAT the traffic, because the traffic is going to a private IP address. It forwards the traffic to the respective VM if rules allow it.
    • On the VM subnet, there should be a UDR with destination address space of App gateway subnet pointing to next hop Azure Firewall.
    • The VM answers the request, reversing source and destination IP addresses. The UDR to App gateway subnet captures the packet sent back to the Application Gateway and redirects it to Azure Firewall, while preserving the destination IP toward the Application Gateway.
    • Here again the Azure Firewall doesn't SNAT the traffic, since it's going to a private IP address, and forwards the traffic to the Application Gateway.
    • Finally, the Application Gateway instance answers the client.

    Hope this clarifies the routing scenario.

    Regards,
    Gita

    2 people found this answer helpful.
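The UDR symmetry described in the accepted answer's design 2 and in the routing walkthrough above (App GW subnet routes to the VM subnet via the firewall, and the VM subnet routes back to the App GW subnet via the firewall) is easy to get half right. The following is an added example, not code from the post or from Microsoft: a small offline model of Azure's longest-prefix UDR lookup and of Azure Firewall's default no-SNAT-to-private-destination behaviour, used to check that both directions of the App GW to VM flow traverse the firewall. All addresses, subnet names and route tables are constructed for the example; the firewall private IP and the VirtualAppliance next-hop type are assumptions about the deployment, not values from the post.

```python
import ipaddress

# Constructed sample addressing for the hub (firewall + App GW) and a spoke (VMs).
FIREWALL_PRIVATE_IP = ipaddress.ip_address("10.0.1.4")  # assumed firewall private IP

SUBNETS = {
    "AzureFirewallSubnet": ipaddress.ip_network("10.0.1.0/26"),
    "AppGwSubnet": ipaddress.ip_network("10.0.2.0/24"),
    "VmSubnet": ipaddress.ip_network("10.1.1.0/24"),
}

# UDRs exactly as the post describes: each side's route table sends traffic for the
# other subnet to the firewall as a virtual appliance next hop.
# Entry shape: (destination prefix, next hop type, next hop IP)
ROUTE_TABLES = {
    "AppGwSubnet": [("10.1.1.0/24", "VirtualAppliance", FIREWALL_PRIVATE_IP)],
    "VmSubnet": [("10.0.2.0/24", "VirtualAppliance", FIREWALL_PRIVATE_IP)],
}


def subnet_of(ip):
    """Name of the constructed subnet that contains ip."""
    ip = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not in any known subnet")


def next_hop(src_ip, dst_ip, route_tables):
    """Longest-prefix match over the UDRs attached to the source subnet.
    With no matching UDR the Azure system route delivers directly inside the
    VNet / peered VNet, which this model labels 'VirtualNetwork'."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop_type, hop_ip in route_tables.get(subnet_of(src_ip), []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    if best is None:
        return ("VirtualNetwork", None)
    return (best[1], best[2])


def firewall_snats(dst_ip):
    """Azure Firewall's default SNAT rule: translate the source only when the
    destination is not a private address (approximated with is_private here)."""
    return not ipaddress.ip_address(dst_ip).is_private


def trace(src_ip, dst_ip, route_tables):
    """Does a packet from src to dst pass through the firewall, and is it SNATed?"""
    hop_type, hop_ip = next_hop(src_ip, dst_ip, route_tables)
    via_firewall = hop_type == "VirtualAppliance" and hop_ip == FIREWALL_PRIVATE_IP
    return {"via_firewall": via_firewall,
            "snat": via_firewall and firewall_snats(dst_ip)}


def check_design(appgw_instance_ip, vm_ip, route_tables):
    """Check the App GW -> VM request and the VM -> App GW reply together.
    'symmetric' is False when only one direction is steered to the firewall,
    which is the misconfiguration that silently breaks the flow."""
    request = trace(appgw_instance_ip, vm_ip, route_tables)
    reply = trace(vm_ip, appgw_instance_ip, route_tables)
    return {
        "request_via_firewall": request["via_firewall"],
        "reply_via_firewall": reply["via_firewall"],
        "symmetric": request["via_firewall"] == reply["via_firewall"],
        "snat": request["snat"] or reply["snat"],
    }


if __name__ == "__main__":
    # Both UDRs present: both directions cross the firewall, no SNAT (private dst).
    print(check_design("10.0.2.10", "10.1.1.20", ROUTE_TABLES))
    # Return UDR missing on the VM subnet: reply bypasses the firewall.
    missing_return = {"AppGwSubnet": ROUTE_TABLES["AppGwSubnet"]}
    print(check_design("10.0.2.10", "10.1.1.20", missing_return))
```

The second call shows the failure mode the post's two UDR bullets guard against: with the App GW subnet UDR alone, the request reaches the VM through the firewall but the reply takes the system route straight back to the App GW subnet, so the firewall sees only one half of the connection. Running a check like this against the route tables exported from a real deployment (or adapting it to the actual prefixes) confirms both UDRs before the design is put in front of traffic.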

  2. Ganesh Thorave 31 Reputation points
    2022-09-22T06:37:57.133+00:00

    Hello @GitaraniSharma-MSFT

    I need your help on the above scenario; we have Azure Application GW before Azure Firewall.
    Do you have any example configuration blog/video for the exact routing for this scenario?

    Thanks
    Ganesh

    1 person found this answer helpful.