Azure Application Gateway before Azure Firewall

Azure Application Gateway before Azure Firewall

Image: https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall

Same as before, requests came in from customer regarding couple Azure Firewall scenarios. In order to respond with profession, a prior lab is definitely needed.

Usual and common steps are omitted. Only key steps are recorded. For this structure, packets from client to AG must forward to FW for filtering and controlling, then send to VM. After that, VM responds with requested data to client from original route.

In this example, all resources are provisioned in the same Vnet. Key points to make it work:

UDR is configured and apply to AG subnet. UDR indicates that all traffic to VM must go to private IP of Azure Firewall.

Azure Application Gateway before Azure Firewall
Azure Application Gateway before Azure Firewall

UDR is configured and apply to VM subnet, indicating that all packets return to AG must forward to FW.

Azure Application Gateway before Azure Firewall
Azure Application Gateway before Azure Firewall

Azure FW is enabled on the Vnet, which is using classic rules to control packets.

Azure Application Gateway before Azure Firewall

In this example, only one Network rule is configured, which is to allow AG to access VM at port 80.

Azure Application Gateway before Azure Firewall
Azure Application Gateway before Azure Firewall

We can change Action between Allow and Deny, enable Azure Firewall’s Diagnostic settings and verify from logs that packets are indeed sent and filtered by Azure Firewall.

Azure Application Gateway before Azure Firewall

Key points to make this architecture works,

  1. UDR to AG subnet, pointing to Azure FW private IP
  2. UDR to VM subnet, pointing to Azure FW private IP
  3. Azure Firewall rule configured
  4. (Optional) Enable Diagnostic settings for Azure Firewall for verifying and troubleshooting

https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.