I'm looking to modernize a cloud environment by replacing an old IaaS firewall and WAF setup that my organization wants to move away from due to complexity and costs. We're using multiple public IPs for various applications, primarily in one region with plans for a second region for production disaster recovery. From what I've read, it seems like the ideal setup would have Azure Firewall Premium at the border, in front of an internal Application Gateway configured with WAF. This would feel more familiar since we currently have firewalls as the border devices. I also want to set up separate application gateways for different tiers of environments (production, development). If anyone has experience with this architecture, I'd love to hear any tips, concerns, or considerations!
1 Answer
I usually suggest positioning the Application Gateway first, followed by the firewall. This way, you can avoid needing multiple public IPs on the firewall and maintain features like geolocation that WAF on the App Gateway utilizes. SSL offloading can also be done at the App Gateway before it reaches the firewall, enhancing web traffic inspection.
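An added Bicep sketch (not from the answer or from any Microsoft template) of the two pieces that make "App Gateway first, firewall second" work: a route table for the Application Gateway subnet that steers backend-bound traffic through Azure Firewall, and a firewall policy rule that admits only the gateway's subnet to the web tier. Resource names, address prefixes and the firewall's private IP are assumptions.

```bicep
param firewallPrivateIp string = '10.0.1.4'     // assumed Azure Firewall private IP
param appGwSubnetPrefix string = '10.0.0.0/24'  // assumed App Gateway subnet
param backendPrefix string = '10.0.2.0/24'      // assumed web-tier subnet
// UDR for the App Gateway subnet: send only backend prefixes via the firewall, never 0.0.0.0/0 (v2 needs its default internet route).
resource rtAppGw 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-appgw'
  location: resourceGroup().location
  properties: {
    routes: [
      {
        name: 'backend-via-firewall'
        properties: {
          addressPrefix: backendPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'fwpol-hub'  // assumed existing Firewall Premium policy
}
// Network rule: only the App Gateway subnet reaches the web tier, on the port its backend HTTP settings use; default deny drops the rest.
resource fwRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'rcg-appgw'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-appgw-to-web-tier'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'appgw-to-web'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ appGwSubnetPrefix ]
            destinationAddresses: [ backendPrefix ]
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}
```

Associate rt-appgw with the Application Gateway subnet and add the mirror route on the backend subnet (the App Gateway prefix via the firewall) so replies take the same path; Azure Firewall is stateful and drops asymmetric flows.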

What if I have non-HTTP external traffic? Would I need an IP/L4 public endpoint?