Azure Application Gateway before Azure Firewall

As before, requests came in from customers about a couple of Azure Firewall scenarios. To answer them properly, a lab had to be built first.

The usual, common steps are omitted and only the key steps are recorded. In this structure, packets from the client to the Application Gateway (AG) must be forwarded to the Azure Firewall (FW) for filtering and control before being sent on to the VM. The VM's response to the client then returns along the same route.

In this example, all resources are provisioned in the same VNet. Key points to make it work:

AG to FW

A UDR is configured and applied to the AG subnet. It states that all traffic to the VM must go to the private IP of the Azure Firewall.

VM to FW

A UDR is configured and applied to the VM subnet, stating that all packets returning to the AG must be forwarded to the FW.

Azure FW Rules

Azure FW is enabled on the VNet and uses classic rules to control packets.

In this example, only one network rule is configured: it allows the AG to access the VM on port 80.

We can switch the action between Allow and Deny, enable the Azure Firewall's diagnostic settings, and verify from the logs that packets are indeed sent to and filtered by the Azure Firewall.

Recap

Key points to make this architecture work:

  1. UDR on the AG subnet, pointing to the Azure FW private IP
  2. UDR on the VM subnet, pointing to the Azure FW private IP
  3. Azure Firewall rule configured
  4. (Optional) Enable diagnostic settings for Azure Firewall for verification and troubleshooting
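The first three recap steps as one Azure PowerShell (Az module) script, added here as an example and not part of the original post; the resource group, VNet, subnet and firewall names are assumptions, and the address prefixes are read from the existing subnets.

```powershell
# Added example (not from the original post). Assumes an existing resource group 'rg-lab',
# a VNet 'vnet-lab' with subnets 'AppGwSubnet' and 'VmSubnet', and an Azure Firewall 'fw-lab'
# that already has its IP configuration (all names are assumptions).
$rg   = 'rg-lab'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-lab'
$fw   = Get-AzFirewall       -ResourceGroupName $rg -Name 'fw-lab'
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress     # next hop for both UDRs

$agSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'AppGwSubnet'
$vmSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'VmSubnet'

# 1. UDR on the AG subnet: traffic destined for the VM subnet is sent to the firewall.
#    The route covers only the VM prefix, not 0.0.0.0/0, so the gateway's own
#    management traffic is untouched.
$agRoute = New-AzRouteConfig -Name 'to-vm-via-fw' -AddressPrefix $vmSubnet.AddressPrefix[0] `
             -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$agRt = New-AzRouteTable -ResourceGroupName $rg -Location $vnet.Location -Name 'rt-appgw' -Route $agRoute

# 2. UDR on the VM subnet: replies back to the AG subnet also go through the firewall.
#    Without this second table the return path bypasses the firewall and the
#    stateful inspection breaks (asymmetric routing).
$vmRoute = New-AzRouteConfig -Name 'to-appgw-via-fw' -AddressPrefix $agSubnet.AddressPrefix[0] `
             -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$vmRt = New-AzRouteTable -ResourceGroupName $rg -Location $vnet.Location -Name 'rt-vm' -Route $vmRoute

# Associate each route table with its subnet and push the VNet change.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'AppGwSubnet' `
    -AddressPrefix $agSubnet.AddressPrefix -RouteTable $agRt | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'VmSubnet' `
    -AddressPrefix $vmSubnet.AddressPrefix -RouteTable $vmRt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Classic network rule: only the AG subnet may reach the VM subnet on TCP/80.
#    Change -ActionType to Deny and the request should show up as dropped in the
#    firewall's network rule log once diagnostic settings are enabled.
$rule = New-AzFirewallNetworkRule -Name 'allow-appgw-to-vm-80' -Protocol TCP `
          -SourceAddress $agSubnet.AddressPrefix[0] `
          -DestinationAddress $vmSubnet.AddressPrefix[0] -DestinationPort 80
$coll = New-AzFirewallNetworkRuleCollection -Name 'appgw-to-vm' -Priority 200 `
          -ActionType Allow -Rule $rule
$fw.NetworkRuleCollections.Add($coll)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```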

Reference:

https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall

Yst@IT
AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.