Azure Application Gateway before Azure Firewall
Same as before, requests came in from customer regarding couple Azure Firewall scenarios. In order to respond with profession, a prior lab is definitely needed.
Usual and common steps are omitted. Only key steps are recorded. For this structure, packets from client to AG must forward to FW for filtering and controlling, then send to VM. After that, VM responds with requested data to client from original route.
In this example, all resources are provisioned in the same Vnet. Key points to make it work:
AG to FW
UDR is configured and apply to AG subnet. UDR indicates that all traffic to VM must go to private IP of Azure Firewall.
VM to FW
UDR is configured and apply to VM subnet, indicating that all packets return to AG must forward to FW.
Azure FW Rules
Azure FW is enabled on the Vnet, which is using classic rules to control packets.
In this example, only one Network rule is configured, which is to allow AG to access VM at port 80.
We can change Action between Allow and Deny, enable Azure Firewall’s Diagnostic settings and verify from logs that packets are indeed sent and filtered by Azure Firewall.
Key points to make this architecture works,
- UDR to AG subnet, pointing to Azure FW private IP
- UDR to VM subnet, pointing to Azure FW private IP
- Azure Firewall rule configured
- (Optional) Enable Diagnostic settings for Azure Firewall for verifying and troubleshooting