I'm currently using a Palo Alto NVA and I'm trying to position my App Services host behind it. Is simply placing an application gateway in front the only option I have? I've set that up already and can access the host from the application gateway's frontend IP, which is a standard v2 (not WAF). I'm having trouble steering traffic from clients to the host through the frontend IP to the NVA. Shouldn't the flow be client > app gateway frontend > Palo NVA > backend pool (which consists of one App Services host)? I've even tried configuring routing table rules on the application gateway subnet to point to the NVA, but it seems like I'm missing something. Are there additional routing table rules within Azure Application Gateway that I'm overlooking? I'm already paying for the Palo Alto for other services, such as S2S VPNs, and I prefer managing all my firewalling in one place instead of paying for a full Azure WAF just to safeguard this single App Services host.
3 Answers
My setup includes App Gateway along with WAF leading to Palo Alto and then to a Private Endpoint for App Services. The WAF provides web firewall protection, while Palo Alto handles TLS inspection. It keeps the security tight!
You can actually achieve this setup without relying on an App Gateway. All you need to do is attach a Private Endpoint to your App Service and then DNAT the traffic to point to the private IP. It should streamline things for you without needing the extra complexity of an app gateway.
In our setup, we maintain a configuration where the WAF sets the X-Azure-FDID header with a secret for the Palo Alto NVA, while the App Service Firewall blocks anything that doesn't use that header. We found that managing an App Gateway was quite costly and hard to handle with Infrastructure as Code, so we moved away from it.
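The header test the last answer describes, as an added example in Python (not code from the thread or from Azure): the App Service access restriction remains the primary control, and this is the same check applied at application level as a defence-in-depth fallback. The header name, the placeholder secret and the sample requests are assumptions.

```python
# Added example: application-level fallback for the header-based access restriction
# described in the answer above. It only proves origin when the app is otherwise
# unreachable (e.g. via Private Endpoint), so keep the platform rule in place too.
# Header name, secret value and sample requests are constructed assumptions.
import hmac
from typing import Iterable, Mapping

HEADER = "x-azure-fdid"  # header name the answer refers to (case-insensitive on the wire)
TRUSTED_IDS = {"11111111-2222-3333-4444-555555555555"}  # placeholder secret(s)


def is_trusted_origin(headers: Mapping[str, str],
                      trusted: Iterable[str] = TRUSTED_IDS) -> bool:
    """Return True only if the request carries a header value matching one of
    the configured secrets. The comparison is constant-time so the check does
    not leak the secret through timing differences."""
    presented = None
    for name, value in headers.items():
        if name.lower() == HEADER:
            presented = value.strip()
            break
    if presented is None:
        return False
    # Check every allowed id so timing does not depend on which one matches.
    matched = False
    for secret in trusted:
        if hmac.compare_digest(presented.encode(), secret.encode()):
            matched = True
    return matched


def wsgi_gate(app):
    """WSGI middleware: reject requests that did not arrive via the trusted front end."""
    def gated(environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME> with dashes replaced by underscores.
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        if not is_trusted_origin(headers):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access is not permitted\n"]
        return app(environ, start_response)
    return gated
```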