6

I have Azure Application Gateway in front of Azure API Management and could see that most of the scenarios available on the Internet have a firewall in between Azure Application Gateway and Azure API Management.

Since Azure Application Gateway itself is a firewall, is there any reason to keep Azure Firewall BEHIND it?

2 Answers

5

In general, as a rule of thumb: Azure Firewall is for non-web incoming traffic and all outgoing traffic; App Gateway WAF is for incoming web traffic.

The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities.

Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

Ref: Azure Firewall FAQ

As to diagrams that show both, this explains it:

Azure Firewall alone when there are no web applications in the virtual network.

Application Gateway alone when there are only web applications in the virtual network, and network security groups (NSGs) provide sufficient output filtering.

Azure Firewall and Application Gateway in parallel, the most common design, when you want Azure Application Gateway to protect HTTP(S) applications from web attacks, and Azure Firewall to protect all other workloads and filter outbound traffic.

Application Gateway in front of Azure Firewall when you want Azure Firewall to inspect all traffic and WAF to protect web traffic, and the application needs to know the client's source IP address.

Azure Firewall in front of Application Gateway when you want Azure Firewall to inspect and filter traffic before it reaches the Application Gateway.

ref: Azure Virtual Network security

4
  • 1
    Great explanation! Oct 15, 2020 at 3:33
  • 1
    In the case of AKS, the ingress controller replaces API Gateways (APIM), so basically AGIC is "Application Gateway + API Gateway", am I right? (AGIC and Firewall should be in parallel in the HUB of the "Hub & Spoke" topology.) May 22, 2021 at 21:50
  • 1
    @HASSANMDTAREQ - AGIC allows App Gateway to load balance within the cluster by automatic management of routes. It is not a replacement for APIM. APIM allows for a great developer onboarding experience due to the Swagger-like dev portal it provides.
    – Rohit
    Feb 24, 2022 at 5:42
  • Hi @Adam Marczak, does the Azure Firewall deployment aim to be better at securing Azure Virtual Machines instead of SaaS? Jun 14, 2022 at 5:38
4
+50

Application Gateway has a WAF feature, which is a layer 7 firewall. Since your application is an API, your layer 7 firewall is more than enough. Also, you can enable DDoS protection on your VNet, so if there is an attack on your Application Gateway's public IP, it is taken care of by the DDoS protection plan.

Adding Azure Firewall between Application Gateway and the APIM doesn't make much sense to me unless and until you want to control the outbound data sent by your APIM to the Internet. Azure Firewall has application security rules, where you can block sending traffic to certain sites or URLs.

Regards, Msrini

2
  • Hi @msrini-MSIT, can you confirm if Azure Firewall will be much better at securing Azure Virtual Machines instead of SaaS? Jun 14, 2022 at 5:36
  • 1
    Azure Firewall is majorly used to secure IaaS resources, but you can use it for PaaS as well, based on your scenario. Jun 15, 2022 at 8:29
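The "parallel" design from the first answer, combined with the outbound control the second answer describes (WAF for inbound web traffic, Azure Firewall for APIM egress), written out as an added Bicep example; this is not code from either answer, and the resource names, APIM subnet CIDR, firewall private IP and the FQDN allow-list are assumptions:

```bicep
// Added example: App Gateway WAF in front of APIM for inbound HTTP(S), Azure Firewall for
// outbound filtering from the APIM subnet. Subnet, firewall IP and FQDNs are assumed values.
param location string = resourceGroup().location
param apimSubnetCidr string = '10.0.1.0/24'   // assumed APIM subnet
param firewallPrivateIp string = '10.0.2.4'   // assumed AzureFirewallSubnet private IP
param allowedOutboundFqdns array = [ 'login.microsoftonline.com' ] // assumed egress allow-list
// WAF policy for the Application Gateway: OWASP CRS in Prevention mode, so matching
// inbound requests are blocked rather than only logged (Detection mode).
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-04-01' = {
  name: 'apim-waf-policy'
  location: location
  properties: {
    policySettings: { state: 'Enabled', mode: 'Prevention' }
    managedRules: { managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ] }
  }
}
// Firewall policy: only the listed FQDNs are reachable over HTTPS from the APIM subnet;
// traffic that matches no allow rule is dropped by the firewall's implicit deny.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: 'hub-fw-policy'
  location: location
}
resource apimEgress 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'apim-outbound'
  properties: {
    priority: 200
    ruleCollections: [ {
      ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
      name: 'allow-apim-egress'
      priority: 100
      action: { type: 'Allow' }
      rules: [ {
        ruleType: 'ApplicationRule'
        name: 'apim-to-approved-fqdns'
        sourceAddresses: [ apimSubnetCidr ]
        protocols: [ { protocolType: 'Https', port: 443 } ]
        targetFqdns: allowedOutboundFqdns
      } ]
    } ]
  }
}
// Route table for the APIM subnet: Internet-bound traffic is sent to the firewall first,
// which is what makes the application rule above apply to APIM's egress at all.
resource apimRoutes 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'apim-subnet-routes'
  location: location
  properties: { routes: [ {
    name: 'default-via-firewall'
    properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
  } ] }
}
```

The route table still has to be associated with the APIM subnet, and a VNet-injected APIM instance also needs its own platform dependencies allowed through the firewall; the FQDN list here covers only the application's own egress.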
