Hey everyone! I'm currently working on a project aimed at modernizing our cloud setup. We're moving away from a legacy IaaS firewall and WAF system due to its complexity and high costs. In our setup, we use various public IP addresses for different applications primarily in one region, with plans for a secondary region for disaster recovery. I've been researching how to use Azure services to address our needs, particularly if using Azure Firewall Premium in front of an internal Application Gateway configured with WAF would be the best approach. This configuration would be more familiar for us compared to putting the Application Gateway or WAF at the front, given that we currently use firewalls as border devices. If anyone has experience with this type of architecture, I would appreciate any feedback or considerations, particularly since we have production and non-production workloads in the same region and I'm thinking of having separate application gateways for each environment tier. Thanks in advance for your input!
5 Answers
I'm curious about handling certificates with the Application Gateway, especially with the current trend of shorter certificate lifespans. Since Azure doesn't provide a CA for public certs, is there any ACME client that can manage this and ideally deploy certs via Terraform?
We keep things simple by using the Application Gateway for incoming traffic and the firewall strictly for controlling outbound traffic. We're already using Front Door and other gateways for incoming, and now we just need a firewall in place for managing outbound connections to necessary external services.
I'd go with the Application Gateway first for SSL termination and layer 7 routing. Start with the Application Gateway in audit mode to get everything right before making it live. Use the Azure Firewall mainly for internal traffic management.
There's some useful info on different configurations for your setup (like App Gateway first vs. Firewall first). Personally, I've never seen putting the firewall first as effective. Generally, we set up our Application Gateways in their own VNet and connect them to the firewall as the next destination. It's also wise to maintain separate gateways for production and non-production to minimize risks from mishaps. Just remember, if you want different public IPs for each workload, you'll likely need multiple Application Gateways, which could be quite expensive.
Usually, I'd suggest placing the Application Gateway before the firewall. This helps reduce the number of public IPs required on the firewall. If you put the firewall in front, you might miss out on certain WAF features, like geolocation data. Plus, if you're aiming to inspect web traffic, consider SSL offloading at the Application Gateway before it reaches the firewall.
What about non-HTTP traffic? Wouldn't you need an IP/L4 public endpoint for that?

Yes, I'd recommend integrating your Application Gateway with Azure Key Vault for managing certificates. This way, you can manage certificate lifecycles in Key Vault, and the Application Gateway will automatically pick up renewals as necessary.
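To tie the threads above together (Application Gateway in front with TLS offload, its subnet routed through Azure Firewall, WAF started in detection mode, certificate served from Key Vault via a managed identity), here is an added Terraform example. It is not from anyone in this thread and not from Azure's own samples. It assumes resources declared elsewhere in the configuration: `azurerm_resource_group.hub`, `azurerm_subnet.appgw` (a dedicated gateway subnet), `azurerm_public_ip.appgw` (Standard SKU, static), `azurerm_firewall.hub`, an RBAC-enabled `azurerm_key_vault.hub`, and `azurerm_key_vault_certificate.app` holding the public certificate. The `10.20.x` addresses are constructed placeholders.

```hcl
# Identity the gateway uses to read the certificate; least privilege is "Secrets User".
resource "azurerm_user_assigned_identity" "appgw" {
  name                = "id-appgw-prod"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
}

resource "azurerm_role_assignment" "appgw_kv_secrets" {
  scope                = azurerm_key_vault.hub.id # assumed RBAC-enabled vault
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.appgw.principal_id
}

# WAF policy: Detection logs matches without blocking; switch to "Prevention" once tuned.
resource "azurerm_web_application_firewall_policy" "prod" {
  name                = "wafpol-prod"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name

  policy_settings {
    enabled                     = true
    mode                        = "Detection"
    request_body_check          = true
    max_request_body_size_in_kb = 128
    file_upload_limit_in_mb     = 100
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
}

# Send only backend-bound traffic to the firewall. Do not route 0.0.0.0/0 to an NVA
# from an Application Gateway v2 subnet: the gateway's control plane needs a direct path.
resource "azurerm_route_table" "appgw" {
  name                = "rt-appgw-prod"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
}

resource "azurerm_route" "appgw_to_backends" {
  name                   = "backends-via-firewall"
  resource_group_name    = azurerm_resource_group.hub.name
  route_table_name       = azurerm_route_table.appgw.name
  address_prefix         = "10.20.0.0/16" # constructed: spoke/backend address space
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = azurerm_firewall.hub.ip_configuration[0].private_ip_address
}

resource "azurerm_subnet_route_table_association" "appgw" {
  subnet_id      = azurerm_subnet.appgw.id
  route_table_id = azurerm_route_table.appgw.id
}

resource "azurerm_application_gateway" "prod" {
  name                = "agw-prod"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  firewall_policy_id  = azurerm_web_application_firewall_policy.prod.id

  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.appgw.id]
  }

  gateway_ip_configuration {
    name      = "gw-ipcfg"
    subnet_id = azurerm_subnet.appgw.id
  }

  frontend_ip_configuration {
    name                 = "fe-public"
    public_ip_address_id = azurerm_public_ip.appgw.id
  }

  frontend_port {
    name = "port-443"
    port = 443
  }

  # Versionless secret id: the gateway polls Key Vault and picks up renewed versions.
  ssl_certificate {
    name                = "app-cert"
    key_vault_secret_id = azurerm_key_vault_certificate.app.versionless_secret_id
  }

  http_listener {
    name                           = "lst-https"
    frontend_ip_configuration_name = "fe-public"
    frontend_port_name             = "port-443"
    protocol                       = "Https"
    ssl_certificate_name           = "app-cert"
  }

  backend_address_pool {
    name         = "pool-app"
    ip_addresses = ["10.20.1.10"] # constructed backend address
  }

  # TLS ends here, so the firewall on the path to the backend sees plain HTTP and can inspect it.
  backend_http_settings {
    name                  = "bhs-http"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 30
  }

  request_routing_rule {
    name                       = "rule-https"
    priority                   = 100
    rule_type                  = "Basic"
    http_listener_name         = "lst-https"
    backend_address_pool_name  = "pool-app"
    backend_http_settings_name = "bhs-http"
  }

  depends_on = [azurerm_role_assignment.appgw_kv_secrets]
}
```

For a non-production tier, duplicate the gateway, WAF policy and route table with their own names and a separate public IP rather than sharing listeners on one gateway; that keeps a bad WAF rule change or a misrouted backend in one environment from taking down the other. Check `Detection` mode output in the gateway's firewall logs before flipping `mode` to `Prevention`.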