Application gateway + Azure Firewall (directly going via internet)

venkatesh pillai 21 Reputation points
2022-05-11T18:47:29.233+00:00

I was trying to set up zero trust and achieve the route application gateway -> central Azure Firewall -> (web app) App Service. But I cannot see the traffic from the application GW going via AzFw.

The current route that has been set up on the application gateway subnet is:

0.0.0.0/0 -> Internet

The route (UDR) set on the App Service subnet is:

0.0.0.0/0 -> Az Firewall IP

When I try directly reaching the App Service via hostname, I could see the traffic getting generated in Log Analytics with a deny, but when I try the same with the application GW PIP I cannot see any traffic added to LA.

I tried the setup based on the doc mentioned here: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

The application still works via the AppGW PIP, but it should get routed via AzFw towards the App Service.
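Why the two route tables above never put gateway-to-app traffic in front of the firewall, as an added Python model (not code from the question, the answer or Azure) that resolves the effective next hop the way Azure does: longest prefix wins, and a UDR overrides a system route on the same prefix. All addresses are constructed assumptions; the "fixed" table is the pattern in the referenced architecture doc, where the gateway subnet carries a UDR for the backend prefix pointing at the firewall's private IP.

```python
"""Resolve the effective next hop for flows leaving the application gateway subnet."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Constructed addresses (assumptions, not taken from the question).
FW_IP = "10.0.0.4"               # Azure Firewall private IP in AzureFirewallSubnet
VNET = "10.0.0.0/16"
APP_PE_SUBNET = "10.0.2.0/24"    # subnet holding the App Service private endpoint
APP_PUBLIC_IP = "203.0.113.10"   # App Service public endpoint (TEST-NET-3 placeholder)
APP_PRIVATE_IP = "10.0.2.10"     # App Service private endpoint address

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str               # "Internet", "VnetLocal" or a virtual-appliance IP
    user_defined: bool = False  # True for a UDR, False for an Azure system route

# System routes Azure installs on every subnet: VNet space -> VnetLocal, default -> Internet.
SYSTEM_ROUTES = (Route(VNET, "VnetLocal"), Route("0.0.0.0/0", "Internet"))

def effective_next_hop(udrs: Iterable[Route], dst: str) -> str:
    """Longest prefix wins; on an equal prefix a UDR overrides the system route."""
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[tuple, Route]] = None
    for r in (*SYSTEM_ROUTES, *udrs):
        net = ipaddress.ip_network(r.prefix)
        if dst_ip in net:
            key = (net.prefixlen, r.user_defined)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1].next_hop  # the default route guarantees a match

# Route table from the question: the AppGW subnet only has 0.0.0.0/0 -> Internet.
APPGW_UDRS_AS_POSTED = (Route("0.0.0.0/0", "Internet", True),)

# Route table from the referenced architecture: keep the 0.0.0.0/0 -> Internet route the
# question already has, and steer only the backend prefix through the firewall.
APPGW_UDRS_FIXED = (Route("0.0.0.0/0", "Internet", True), Route(APP_PE_SUBNET, FW_IP, True))

def traverses_firewall(udrs: Iterable[Route], dst: str) -> bool:
    return effective_next_hop(udrs, dst) == FW_IP

if __name__ == "__main__":
    for label, udrs in (("as posted", APPGW_UDRS_AS_POSTED), ("fixed", APPGW_UDRS_FIXED)):
        for dst in (APP_PUBLIC_IP, APP_PRIVATE_IP):
            print(f"{label}: AppGW -> {dst} via {effective_next_hop(udrs, dst)}")
```

With the posted table, the app's public endpoint resolves to Internet and even a private endpoint resolves to VnetLocal, so the firewall sees nothing; the 0.0.0.0/0 -> firewall UDR on the App Service subnet only governs the web app's own outbound traffic. Only the more specific backend-prefix UDR on the gateway subnet, combined with a private endpoint as the backend, makes the gateway-to-app hop pass through the firewall.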


Accepted answer
risolis 8,726 Reputation points
2022-05-11T23:35:08.153+00:00

Hi @venkatesh pillai

I would like to provide more details on how to get this done... For instance, previously I asked you about any usage of PIP addresses in your network design, as well as any FQDN or DNS domain using an A record for this. The reason I asked for those details is that you are saying the traffic is coming from the internet, but you can either do it like that or use an ER circuit or IPsec tunnels from on-premises, so there is no need to use PIP addresses since the end user is located on-premises.

But assuming that this is internet-based traffic and you want this App Service to be exposed from the internet, you need to do it like this:

[image: 201231-image.png]

I hope this last comment helps you get this working as intended!!

Regards,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers
