Forum Discussion

Ganesh1903
Copper Contributor
Sep 16, 2022

Azure Landing Zone with Application GW and Azure Firewall

Hello Team,

I have some queries regarding the landing zone below.

This is the proposed landing zone:

We have an Application GW and an Azure Firewall in the Hub.

We have web servers / app servers / database servers in the Spoke.

Questions are:

Web server traffic to the Internet - how will it identify the active Azure Firewall?

Any other best practices for the landing zone with respect to the diagram below?

3 Replies

  •
    Danish_imam
    Copper Contributor

    Web server traffic to the Internet - how will it identify the active Azure Firewall?

    Ganesh1903 add a route and give the next hop as the Firewall.

  • If you just want it for web traffic, try using only the Web Application Gateway with WAF functionality. For my environment, which hosts mostly web servers, we used the Web Application Gateway with WAF functionality and removed the firewall completely. Enable your WAF with OWASP and bot protection.
  •
    LukeJMadden
    Brass Contributor
    Hello Ganesh,

    In your proposed landing zone, if the web server traffic needs to go to the internet, it would be routed through the Azure Firewall in the hub. You can use Azure Firewall's network rules to allow outbound traffic from the web servers in the spoke to the internet via the Azure Firewall in the hub. In addition, you can use application rules to allow or deny specific traffic based on FQDN, IP address range, port, and protocol.

    As for best practices, it depends on your specific requirements and the services you are using. However, some general best practices for landing zones in Azure include:

    Using a hub-and-spoke topology to isolate critical services and resources from each other.

    Deploying infrastructure as code using tools such as Azure Resource Manager (ARM) templates or Terraform.

    Implementing security controls such as network security groups (NSGs), Azure Firewall, Azure DDoS Protection, and Azure Security Center.

    Using Azure Monitor and Azure Log Analytics to monitor and analyze resource health and performance.

    Implementing identity and access management (IAM) controls such as RBAC and Azure AD.

    I hope this helps! Let me know if you have any further questions.

    Cheers,

    Luke Madden
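Putting the two answers above into configuration (a user-defined route whose next hop is the firewall, plus firewall network and application rules that allow the outbound traffic), here is an added Terraform example; it is not code from any reply in this thread. It assumes the spoke web subnet is 10.1.1.0/24 (a constructed value), that the hub firewall, the spoke subnet, the resource groups and the location are declared elsewhere as `azurerm_firewall.hub`, `azurerm_subnet.spoke_web`, `var.hub_rg`, `var.spoke_rg` and `var.location` (hypothetical names), and that the firewall uses classic rule collections rather than a firewall policy. On the original question: Azure Firewall presents a single private IP on its AzureFirewallSubnet and handles its own availability and scale-out behind that address, so the route does not need to pick an "active" instance; the next hop is simply that private IP.

```hcl
# Route table for the spoke web subnet: send everything Internet-bound to the hub firewall.
# Traffic back to the Application Gateway in the hub VNet still follows the more specific
# VNet-peering system route, so it is not dragged through the firewall by this default route.
resource "azurerm_route_table" "spoke_web" {
  name                = "rt-spoke-web"            # hypothetical name
  location            = var.location
  resource_group_name = var.spoke_rg

  route {
    name                   = "default-to-hub-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    # The firewall's private IP: the one address the managed service exposes to the VNet.
    next_hop_in_ip_address = azurerm_firewall.hub.ip_configuration[0].private_ip_address
  }
}

# Bind the route table to the web subnet in the spoke.
resource "azurerm_subnet_route_table_association" "spoke_web" {
  subnet_id      = azurerm_subnet.spoke_web.id
  route_table_id = azurerm_route_table.spoke_web.id
}

# Network rule (L3/L4): allow the web subnet out on 443 only. Without an Allow rule the
# firewall drops the traffic, so the route alone is not enough.
resource "azurerm_firewall_network_rule_collection" "spoke_web_outbound" {
  name                = "spoke-web-outbound"
  azure_firewall_name = azurerm_firewall.hub.name
  resource_group_name = var.hub_rg
  priority            = 200
  action              = "Allow"

  rule {
    name                  = "web-to-internet-https"
    source_addresses      = ["10.1.1.0/24"]   # constructed spoke web subnet
    destination_ports     = ["443"]
    destination_addresses = ["*"]
    protocols             = ["TCP"]
  }
}

# Application rule (L7): pin the same subnet to named FQDNs, e.g. an update endpoint.
# Prefer this over a wildcard network rule when the destinations are known.
resource "azurerm_firewall_application_rule_collection" "spoke_web_fqdn" {
  name                = "spoke-web-fqdn"
  azure_firewall_name = azurerm_firewall.hub.name
  resource_group_name = var.hub_rg
  priority            = 100
  action              = "Allow"

  rule {
    name             = "web-updates"
    source_addresses = ["10.1.1.0/24"]          # constructed spoke web subnet
    target_fqdns     = ["updates.example.com"]  # placeholder FQDN, replace with the real one
    protocol {
      port = "443"
      type = "Https"
    }
  }
}
```

After `terraform apply`, the check worth doing is `az network nic show-effective-route-table` against a web server's NIC: the effective 0.0.0.0/0 entry should show next hop type VirtualAppliance with the firewall's private IP, while the hub VNet prefix still shows the VNetPeering next hop. If the default route is missing, the subnet association did not take; if the firewall logs show drops from 10.1.1.0/24, the route is fine and it is the rule collections that need attention.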
