I'm trying to set up our App Services to be protected by a Palo Alto NVA (Network Virtual Appliance). Is using an application gateway the only solution for this setup? I've already configured an application gateway and managed to get the frontend and backend connections working. However, I'm having trouble routing traffic from clients to the NVA using the frontend IP of the application gateway. My understanding is that it should follow the path: client > app gateway frontend > Palo NVA > backend pool, which only includes a single App Services host. I've attempted to modify the routing table rules on the App Gateway subnet to direct traffic to the NVA, but it seems I'm missing some essential routing rules within Azure's Application Gateway. Also, I want to avoid using a full Azure WAF since we already pay for Palo Alto for other protections. Any advice or insights would be greatly appreciated!
1 Answer
You might not need the app gateway at all to achieve this. We manage a similar setup using a Fortigate NVA without an app gateway. You can set up a Private Endpoint for your App Service and DNAT the incoming traffic directly to the NVA's private IP. This could simplify your configuration.

I was under the impression that private endpoints couldn't be used without an app gateway. But if you managed to do this, it sounds promising. The app gateway felt unnecessary to me too, but I needed a public/private IP pairing for NATing. If you can access the app service publicly, how did you get the private endpoint working?
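The private-endpoint-plus-DNAT design from the answer above, as an added Terraform example that is not part of this thread: the App Service gets a private endpoint, public network access is turned off so the only way in is through the firewall, and the endpoint's private IP is exported for the NVA's DNAT rule. It assumes the resource group, hub VNet, private-endpoint subnet and service plan are already in the same Terraform state (azurerm_resource_group.rg, azurerm_virtual_network.hub, azurerm_subnet.pe, azurerm_service_plan.plan); all names are hypothetical.

```hcl
# Added example, not from the thread. Resource names are hypothetical.

# Private DNS zone so internal clients resolve the app to the endpoint IP;
# the NVA itself only needs the IP below for its DNAT rule.
resource "azurerm_private_dns_zone" "sites" {
  name                = "privatelink.azurewebsites.net"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "sites" {
  name                  = "hub-vnet-link"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.sites.name
  virtual_network_id    = azurerm_virtual_network.hub.id
}

# Public front door closed: with this off, only private-endpoint traffic
# reaches the app, so every request has to pass the firewall's DNAT first.
resource "azurerm_linux_web_app" "app" {
  name                          = "contoso-app"
  resource_group_name           = azurerm_resource_group.rg.name
  location                      = azurerm_resource_group.rg.location
  service_plan_id               = azurerm_service_plan.plan.id
  public_network_access_enabled = false
  site_config {}
}

resource "azurerm_private_endpoint" "app" {
  name                = "contoso-app-pe"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.pe.id   # subnet the NVA can route to

  private_service_connection {
    name                           = "contoso-app-pe-conn"
    private_connection_resource_id = azurerm_linux_web_app.app.id
    subresource_names              = ["sites"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.sites.id]
  }
}

# Target for the NVA's DNAT rule: <firewall public IP>:443 -> this IP:443.
# DNAT keeps the Host header, which App Service uses to pick the site.
output "app_private_endpoint_ip" {
  value = azurerm_private_endpoint.app.private_service_connection[0].private_ip_address
}
```

Verify the closure after applying: a request to the app's public hostname from outside should fail, while the same request sent through the firewall's public IP should succeed.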