Routing Traffic from Azure Front Door to App Gateway via Azure Firewall in Hub-Spoke

Mohamed Elashkr 21 Reputation points
2022-03-21T14:14:01.347+00:00

Hello,

I am working to build a concept based on a Hub-Spoke architecture. I am using Azure Front Door as a global service to route incoming requests.
A hub and a spoke are deployed and they are configured with each other via VPN Gateway to transport traffic between them (with Gateway Transit enabled).

Azure Firewall is deployed in the Hub and will receive the request from Azure Front Door and forward the traffic to the App Gateway in the Spoke.
My question:

  • Is it possible for Azure Firewall to receive the traffic from Azure Front Door and forward it to the App Gateway?
    If yes, then
    -> how could I configure the Azure Firewall to transport the traffic between Azure Front Door and the App Gateway (in the spoke)?
    -> how can I configure the App Gateway to transport the traffic to a Web App (which is running in an ASE ILB)?

thank you!


Accepted answer
  1. GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee
    2022-03-30T11:39:27.037+00:00

    Hello @Mohamed Elashkr ,

    Apologies for the delay in response.

    I understand that you would like to implement a Hub-Spoke architecture with Azure Firewall deployed in the Hub and Application Gateway in the Spoke, and the incoming requests should be routed by Azure Front Door to the Application Gateway in the spoke VNet via the Azure Firewall in the hub VNet.

    I discussed this scenario with the Product Group team and below is their response:

    This is not a common use case. Not sure why Azure Firewall is preferred instead of using Azure Front Door WAF or Application Gateway WAF unless you have a specific L3/L4 traffic filtering use case.

    While we have not tried routing requests from Azure Front Door to Azure Firewall as backend, it should be possible.
    We’d ask to try out the following and see if the requests are being routed correctly:

    1. Set up an Azure Front Door profile.
    2. While adding an origin, choose “Custom” as the origin type.
    3. Under hostname give the public IP address of the Azure Firewall.

    Then you can refer to the doc below on how to configure Application Gateway after Azure Firewall:
    https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-after-firewall

    You need to configure DNAT rules to make sure that the Azure Firewall will DNAT (and SNAT) the packets to the private IP address of the Application Gateway. Standard VNet routing will make sure that return traffic from the Azure VMs goes back to the Application Gateway, and from the Application Gateway to the Azure Firewall if DNAT rules were used.

    To integrate your ILB App Service Environment with Azure Application Gateway, please refer to the doc below:
    https://learn.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

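The DNAT step the answer describes, written out as an added Bicep example (not code from the thread or from Microsoft's docs): a NAT rule collection on an existing Azure Firewall Policy that forwards HTTPS arriving at the firewall's public IP (the "Custom" origin configured in Front Door) to the Application Gateway's private frontend IP in the spoke. The policy name, public IP name and the App Gateway address 10.1.2.10 are placeholder assumptions.

```bicep
// Added example: Azure Firewall Policy DNAT rule for the Front Door -> Firewall -> App Gateway path.
// Assumed (placeholder) names: existing policy 'afwp-hub', existing firewall public IP 'pip-azfw-hub',
// App Gateway private frontend IP 10.1.2.10 in the spoke VNet.
param firewallPolicyName string = 'afwp-hub'
param firewallPublicIpName string = 'pip-azfw-hub'
param appGatewayPrivateIp string = '10.1.2.10'

// Reference the firewall policy and the firewall's public IP that Front Door uses as origin hostname.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' existing = {
  name: firewallPublicIpName
}

// NAT rule collection groups are evaluated before network and application rules.
resource dnatGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'rcg-dnat-frontdoor'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'rc-frontdoor-to-appgw'
        priority: 100
        action: {
          type: 'Dnat'
        }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'https-to-appgw'
            ipProtocols: [ 'TCP' ]
            // '*' accepts any client hitting the firewall's public IP; Front Door's egress
            // ranges are published under the AzureFrontDoor.Backend service tag, and the
            // origin should also validate the X-Azure-FDID header Front Door adds.
            sourceAddresses: [ '*' ]
            destinationAddresses: [ fwPip.properties.ipAddress ]  // DNAT target must be the firewall's own public IP
            destinationPorts: [ '443' ]
            translatedAddress: appGatewayPrivateIp                 // App Gateway private frontend in the spoke
            translatedPort: '443'                                  // App Gateway HTTPS listener port
          }
        ]
      }
    ]
  }
}
```

Azure Firewall SNATs DNAT'd traffic, so the Application Gateway sees the firewall's private IP as the client source and return traffic flows back through the firewall without extra routes; the App Gateway listener must then be configured for the host header Front Door forwards.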
