Azure Firewall Arquitecture
I have a project where i need to deploy an Azure firewall so there are some questions of better practice that i need to resolve before.
- Is it correct that App Gateway or Api Magament Service be inside a NSG? would this cause any issue?
- App Gateway and Api magment are exposed services. Those services need to be out of AZ FW scope? (asymmetric routing problem)
If
I hope you could help me. Regards.
Is it correct that App Gateway or Api Magament Service be inside a NSG? would this cause any issue?
You can use application gateway or Api management service to be inside Network security groups (NSGs) are supported. For the Application Gateway v1 SKU, you should allow incoming Internet traffic on TCP ports 65503-65534, and for the v2 SKU, you can allow incoming Internet traffic on TCP ports 65200-65535, with the source subnet set to Gateway Manager and the destination subnet set to Any.
Azure certificates are used to secure these ports. These endpoints are not able to communicate with external parties, including the gateways' users.
The NSG's default outbound policies permit Internet connectivity. I would suggest
- Keep the outbound default rules in place don't remove
- Do not add any further outbound rules that prohibit any outbound connectivity.
Behind the NSG could be API management services. When a user wants to restrict or allow some ports, NSG can raise an action after pulling that specific resources address from the public internet. if you're using large scale of hardware network virtual services firewall can be used.
In another way in your scenario you can remove NSG and deploy application gateway behind the firewall through application gateway then you can distribute the traffic through API management services accordingly.
App Gateway and Api management are exposed services. Those services need to be out of AZ FW scope? (asymmetric routing problem)
Yes, App Gateway and Api management are exposed services. But these services also protected accordingly please check this Protect APIs with Azure Application Gateway and Azure API Management - and also see Azure Firewall
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions