question

venkateshpillai-2392 asked ricardosolisvillegas-4678 commented

Application gateway + Azure Firewall (directly going via internet)

I was trying to set up zero trust and achieve the route application gateway -> central Azure Firewall -> App Service (web app). But I cannot see the traffic from the application gateway going via AzFw.

The current route which has been setup on application gateway subnet is

0.0.0.0/0 -> Internet

The route (UDR) set on the App Service subnet is

0.0.0.0/0 -> Az Firewall IP

When I try reaching the App Service directly via hostname, I can see the traffic being generated in Log Analytics with a deny, but when I try the same via the application gateway PIP I cannot see any traffic added to LA.

I tried the setup based on the doc mentioned here: https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

The application still works via the appgw PIP, but it should get routed via AzFw towards the App Service.



Tags: azure-virtual-network, azure-application-gateway, azure-firewall

Hello @venkateshpillai-2392

Thanks for your post!

I just wanted to first double check your network environment. Based on the article you mentioned, you are trying something like this:

[attached image: 201174-image.png]
Looking forward to your feedback,

ricardosolisvillegas-4678 ·

Please check the effective routes on each end.

BR,

venkateshpillai-2392 · ricardosolisvillegas-4678 ·

[attached image: design4_500.png]

This is the diagram from the MS doc.

ricardosolisvillegas-4678 ·

Hi,

I did see that you commented, but it is not reflected...

venkateshpillai-2392 commented • 5 minutes ago

I will be waiting for it.

BR,

venkateshpillai-2392 · ricardosolisvillegas-4678 ·

[attached image: 82073989-f7ec2100-96d1-11ea-8477-c49eec163448.png]

This is what I am trying to achieve; the only change is that the backend pool is an App Service instead of a virtual machine:

client -> Applicationgateway -> azurefirewall -> AppService


Great for the details given!!

Now it is much easier for me to understand.

For now I have a question for ya, and it is... Are you using public IPs for this environment?

BR,


1 Answer

ricardosolisvillegas-4678 answered ricardosolisvillegas-4678 commented

Hi @venkateshpillai-2392

I would like to provide more details on how to get this done. For instance, previously I was asking you about any usage of PIP addresses in your network design, as well as any FQDN or DNS domain using an A record for this. The reason I asked for those details is that you are referring to traffic coming from the internet, but you can either do it like that or use an ER circuit or IPsec tunnels from on-premises, in which case there is no need for PIP addresses since the end user is located on-premises.

But assuming that this is internet-based traffic and you want this App Service to be exposed to the internet, you should do it like this:

[attached image: 201231-image.png]

I hope this last comment helps you get this working as intended!!

Regards,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hello @venkateshpillai-2392

I hope you are doing excellent.

Do you have any other concern that I can address?

Regards,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

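As an added illustration (not code from this thread, from Microsoft, or from the linked article), the Python model below applies Azure's longest-prefix-match route evaluation to the two route tables described in the question: with only 0.0.0.0/0 -> Internet on the Application Gateway subnet, a packet bound for the backend is never handed to the firewall, which is why nothing from that path shows up in Log Analytics, while a more specific route for the backend prefix with next hop VirtualAppliance changes the outcome without touching the default route. The firewall IP, backend prefix and addresses are assumed values, and the backend is assumed to be reachable on a private prefix (for example through a private endpoint), since a public App Service hostname resolves to a public address that the default route sends straight to the internet.

```python
import ipaddress

# Constructed values for illustration; the thread does not give real addresses.
FIREWALL_PRIVATE_IP = "10.0.1.4"   # assumed private IP of the central Azure Firewall
BACKEND_PREFIX = "10.0.2.0/24"     # assumed private prefix on which the App Service answers

# Each route: (address prefix, next-hop type, next-hop address or None).
# The first two lists mirror the two UDRs described in the question.
APPGW_SUBNET_ROUTES_AS_POSTED = [
    ("0.0.0.0/0", "Internet", None),
]
APPSERVICE_SUBNET_ROUTES = [
    ("0.0.0.0/0", "VirtualAppliance", FIREWALL_PRIVATE_IP),
]
# Assumed alternative: a more specific route on the Application Gateway subnet that
# steers only backend-bound traffic to the firewall while the default route stays Internet.
APPGW_SUBNET_ROUTES_VIA_FIREWALL = APPGW_SUBNET_ROUTES_AS_POSTED + [
    (BACKEND_PREFIX, "VirtualAppliance", FIREWALL_PRIVATE_IP),
]


def effective_next_hop(routes, destination):
    """Return (next_hop_type, next_hop_ip) of the most specific matching route.

    Azure picks routes by longest prefix match: a /24 beats 0.0.0.0/0
    regardless of the order in which the routes were created.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, hop_type, hop_ip in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    if best is None:
        return ("None", None)   # no matching route: Azure drops the traffic
    return (best[1], best[2])


def firewall_sees_flow(src_routes, destination):
    """True when the source subnet's effective route hands the packet to the firewall."""
    return effective_next_hop(src_routes, destination) == ("VirtualAppliance", FIREWALL_PRIVATE_IP)


if __name__ == "__main__":
    backend_ip = "10.0.2.10"   # constructed address of the App Service private endpoint
    for name, routes in [("as posted", APPGW_SUBNET_ROUTES_AS_POSTED),
                         ("with /24 via firewall", APPGW_SUBNET_ROUTES_VIA_FIREWALL)]:
        print(f"AppGW subnet {name}: {backend_ip} -> {effective_next_hop(routes, backend_ip)}")
```

The same check explains the observed difference in the thread: the App Service subnet's 0.0.0.0/0 -> firewall route hands direct traffic to the firewall (hence the logged deny), whereas the Application Gateway subnet's default route does not.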