Forum Discussion

Ganesh1903
Copper Contributor
Sep 19, 2022

Best practices for Azure App gateway before Azure firewall

Hello Community members, I am looking for best landing zone practices with Azure App Gateway before Azure Firewall.


4 Replies

  • PradeepDeiva
    Copper Contributor

    This is a very open-ended question and the reply could be quite vast, but to give you some crisp answer (mine is specific to checkpoints on App Gateway), check on these parameters: the number one would be WAF, creation of proper VNets and subnets, monitoring the traffic, creation of a workspace to store the logs, threat detection and automation of alert notifications, associating NSGs and using dedicated subnets for critical applications. Also stick to the basics like user access to the application and network admin (the less access given, the better the job done). If you want more info let me know; I can give you some articles from MS docs for reference. This would be a good start - https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/application-gateway-security-baseline

    • Ganesh1903
      Copper Contributor
      We are designing a new landing zone in a hub-and-spoke model, where we are planning to place Azure App GW before Azure Firewall in the hub and the workloads in other spokes. I am looking for best practices for this scenario, and any example will be great.
      • PradeepDeiva
        Copper Contributor

        Ganesh1903 

        The landing zone prep and implementation process is more about the type of org you want to migrate and the level of governance you need to have. The hub-spoke scenario is not new, and it doesn't play a major part in getting the landing zone ready because the firewall architecture and all its networking components will be grouped under a Networking / Connectivity subscription.

         

        Landing zone design areas should consider Identity/Access, Network, Billing and Resource. For compliance, do consider Security, Management and Governance. For all the subscribing divisions you have, make sure to assign proper roles to manage, policies to govern, and security and traffic monitoring.

         

        After you decide and align the above, decide on the implementation option - we have several, like Migration, Blueprint, Terraform modules and Partner - choose the best for you and work it out.

        For more info - check , https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/implementation-options

         

        Do consider using the Landing zone accelerator - I am sure you are aware of this; it has a lot of options with pre-prepared ARM templates which are easy to modify and use accordingly.

         

        Hope this helps you out on the basic layout of the landing zone prep and the factors to consider.
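The scenario asked about in this thread (App Gateway in the hub, Azure Firewall behind it, web backends in a spoke), as an added example that is not part of this thread and not a Microsoft or landing zone accelerator template; it is illustrative Bicep written for this page. Every resource name, address range and the firewall private IP are assumed placeholders, and the firewall policy `fwpol-hub` is assumed to already exist. It covers the four pieces the first reply lists that actually decide whether the firewall sees the traffic: a WAF policy in Prevention mode, a route table on the App Gateway subnet that sends only the spoke prefix to the firewall (an App Gateway v2 subnet does not accept a 0.0.0.0/0 route to a virtual appliance), a route table on the spoke that returns traffic through the firewall so the path is symmetric, and a firewall network rule that admits only the App Gateway subnet to the backends on 443.

```bicep
// Added example, not from the thread. All names, prefixes and IPs are assumed placeholders.
targetScope = 'resourceGroup'

@description('Private IP of the hub Azure Firewall (assumed)')
param firewallPrivateIp string = '10.0.1.4'
param location string = resourceGroup().location

var appGwSubnetPrefix = '10.0.2.0/24'   // hub: dedicated App Gateway subnet (assumed)
var spokeWorkloadPrefix = '10.1.0.0/16' // spoke hosting the web backends (assumed)

// 1. WAF policy: Prevention mode with the OWASP core rule set, attached to the gateway or a listener.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-04-01' = {
  name: 'waf-hub-policy'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'          // Detection mode only logs; Prevention blocks
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'OWASP', ruleSetVersion: '3.2' }
      ]
    }
  }
}

// 2. Route table for the App Gateway subnet. Only the spoke prefix goes to the firewall;
//    App Gateway v2 does not support a 0.0.0.0/0 route to a virtual appliance on its subnet.
resource appGwRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-appgw'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'spoke-via-firewall'
        properties: {
          addressPrefix: spokeWorkloadPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 3. Route table for the spoke backend subnet: the return path to App Gateway also crosses
//    the firewall, so routing stays symmetric and both directions are inspected.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-spoke-web'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 4. Firewall policy rule: only the App Gateway subnet may reach the spoke backends, and only on 443.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: 'fwpol-hub' // assumed to exist and be attached to the hub firewall
}

resource appGwToSpokeRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'rcg-appgw-to-spoke'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-appgw-to-web'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'appgw-to-spoke-https'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ appGwSubnetPrefix ]
            destinationAddresses: [ spokeWorkloadPrefix ]
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}
```

Associate `rt-appgw` with the App Gateway subnet and `rt-spoke-web` with the backend subnet. The NSG on a v2 App Gateway subnet must still allow inbound TCP 65200-65535 from the GatewayManager service tag, and the backend NSG should admit only the App Gateway subnet as a source (Azure Firewall does not SNAT private address ranges by default, so the backend sees the gateway's private IP). Send the WAF and firewall diagnostic logs to the Log Analytics workspace the first reply recommends, so a request blocked at either layer is visible from one place.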
