We're currently onboarding several applications to Azure in a hybrid environment. On our on-premise side, we're using an F5 balancer where separate virtual IPs are provisioned for each load-balanced service. This setup allows us to filter traffic efficiently at Layer 4 instead of Layer 7. Now, we're considering the Azure Application Gateway for load balancing to expose our Azure apps to on-premise applications due to our multiple hybrid integrations. However, I've noticed that the Application Gateway only supports a single private IP per instance. This means that if we have 5 apps in Azure, they would all have to share the same frontend IP. While this isn't necessarily a bad thing, we're looking for alternatives because of our current practices and security concerns. Ultimately, we're open to reusing a single frontend IP and configuring firewalls to filter using FQDNs, but I'm curious if there are other options besides using NVAs on VMs.
2 Answers
You could set up an Azure Firewall with DNAT rules, attaching multiple public IPs to it. The Firewall would sit in front of the private IP of your Application Gateway. It's not the most ideal setup, but it might work for your needs. If you're considering ease of management, maybe go for a dedicated Application Gateway for each app, treating them as independent services. But really, shared IPs can be a valid solution as long as it's zone redundant.
It might be worth reconsidering the whole idea of shared IPs. They really are the norm these days. If you're okay with Azure, then you might want to embrace shared IPs and just filter using FQDNs on the firewall instead of focusing on IP addresses. Plus, with Azure's private endpoints, you can actually get dedicated private IPs for most of your services, which could be a good compromise.
Related Questions
Fix Not Being Able To Add New Categories With Intuitive Category Checklist For Wordpress
Get Real User IP Without Installing Cloudflare Apache Module
How to Get Total Line Count In Visual Studio 2013 Without Addons
Install and Configure PhpMyAdmin on Centos 7
How To Setup PostfixAdmin With Dovecot and Postfix Virtual Mailbox
Dovecot Error Unknown database driver mysql