Forum Discussion
SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
- TBohunek, Sep 26, 2023, Copper Contributor
Hi, my enterprise lacks the following capabilities in Azure:
* Firewall doesn't support ASG
* NSG doesn't support IP Groups
* neither Firewall nor NSG support targeting cloud resources (subnets, VMs) by their Resource ID
* ASG doesn't work behind Vnet peering
This makes ASG a useless segmentation construct for my enterprise.
I raised this question on the call, and you expressed interest in learning more about these use cases, which I would be more than happy to demonstrate. Let me know how to proceed. 🙂
- gusmodena, Sep 26, 2023
Microsoft
TBohunek, please submit your feedback via https://aka.ms/azurenetsecfeedback. I would also recommend joining the Private Community, where you can help us shape our products together by reviewing our product roadmaps, participating in co-design and feature previews, and staying up to date on announcements.
- hthakur03, Sep 25, 2023, Copper Contributor
I would like to know how Azure Firewall IDPS can be configured in the following scenario: website traffic/incoming requests for the site from the Internet -> Application Gateway (SKU v1) -> Azure Firewall Premium -> Azure App Service.
In the above scenario, how do we configure the IDPS (firewall) certificate? Can we use the website's third-party certificate (intermediate) when configuring TLS/IDPS, or do we need to generate a firewall certificate? Also, in Application Gateway, do I need to configure Azure Firewall as the backend and also upload the firewall certificate to Azure Application Gateway?
- andrewmathu, Oct 02, 2023
Microsoft
Hello @hthakur03,
Thanks for your question.
To begin with, we would recommend that you use Application Gateway (SKU version 2) as Application Gateway (SKU version 1) will be retired - Deprecation Announcement - April 23, 2023 - https://learn.microsoft.com/en-us/azure/application-gateway/v1-retirement.
For the Azure Firewall Premium, the intermediate certificate is used. You can view the certificate requirements from this page - https://learn.microsoft.com/en-us/azure/firewall/premium-certificates. For production deployments, you should use an Enterprise PKI to generate the certificates that you use with Azure Firewall Premium. This is outlined in this document - https://learn.microsoft.com/en-us/azure/firewall/premium-deploy-certificates-enterprise-ca.
For the Application Gateway backend settings, you will use the root certificate of the Azure Firewall. You can check out this link for the end-to-end setup of Application Gateway with Firewall - https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall. You can also check out this blog on Zero Trust with Azure Network Security, which shows the steps when deploying Application Gateway with WAF, Azure Firewall and Azure DDoS - https://techcommunity.microsoft.com/t5/azure-network-security-blog/zero-trust-with-azure-network-security/ba-p/3668280
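The answer above describes three certificate roles but does not show them side by side: the intermediate CA that Azure Firewall Premium uses to mint per-site certificates during TLS inspection, the root CA that Application Gateway trusts in its backend setting, and the leaf certificate the firewall presents to the gateway. The script below is an added example, not code from the thread or from Microsoft's documentation. It builds a throwaway two-tier test PKI with OpenSSL so you can see and check those roles locally; the subject names, the host name app.example.test, the PFX passphrase and the directory layout are illustrative assumptions, and the "leaf" is only a stand-in for what the firewall issues at runtime. For production, use your enterprise PKI as the linked documents describe.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Microsoft docs): a two-tier test PKI
# that mirrors the certificate roles in the answer above.
#   root.crt  -> the trusted root you upload to Application Gateway's backend setting
#   inter.pfx -> the intermediate CA (cert + key) you import into Key Vault for
#                Azure Firewall Premium TLS inspection
#   leaf.crt  -> stands in for the certificate the firewall mints on the fly
# Subject names, app.example.test, the passphrase and the directory layout are
# illustrative assumptions. Use an enterprise PKI in production.
set -eu

build_test_pki() {
  local dir="$1"
  mkdir -p "$dir"

  # 1. Root CA: self-signed, CA:TRUE. In a real PKI this key stays offline.
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 -days 3650 \
    -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null

  # 2. Intermediate CA signed by the root. It must itself be a CA (CA:TRUE,
  #    keyCertSign) because the firewall issues per-site certificates from it.
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/CN=Example Test Intermediate CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > "$dir/inter.ext"
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -sha256 -days 1825 -extfile "$dir/inter.ext" \
    -out "$dir/inter.crt" 2>/dev/null

  # 3. Package the intermediate cert + private key (root included as chain) as a PFX.
  #    The passphrase is an assumption; check the premium-certificates doc linked
  #    above for the exact format and password rules Key Vault / the firewall expect.
  openssl pkcs12 -export -inkey "$dir/inter.key" -in "$dir/inter.crt" \
    -certfile "$dir/root.crt" -passout pass:changeit -out "$dir/inter.pfx"

  # 4. Simulated inspection certificate: a leaf for the backend host name,
  #    issued from the intermediate the way the firewall would.
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/CN=app.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:app.example.test' \
    'authorityKeyIdentifier=keyid' > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.crt" 2>/dev/null
}

# What Application Gateway's backend setting effectively does with the root you
# upload: validate the chain the firewall presents (leaf -> intermediate) up to
# that root. Exit 0 when the chain validates, non-zero otherwise.
verify_chain_against_root() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Negative check: the same chain against a root that did not sign the
# intermediate must fail (what you would see with the wrong root on AppGW).
verify_chain_against_other_root() {
  openssl verify -CAfile "$2/root.crt" -untrusted "$1/inter.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Sanity check that the PFX opens with the assumed passphrase.
pfx_readable() {
  openssl pkcs12 -in "$1/inter.pfx" -passin pass:changeit -nokeys -noout >/dev/null 2>&1
}

# Stand-alone run: RUN_PKI_DEMO=1 bash this_script.sh
if [ "${RUN_PKI_DEMO:-0}" = "1" ]; then
  d="$(mktemp -d)"
  build_test_pki "$d"
  verify_chain_against_root "$d" && echo "chain OK, artifacts in $d"
fi
```

The chain check is the part worth internalising: the gateway only needs the public root, the firewall needs the intermediate with its private key, and a leaf that chains to the root through the intermediate is what makes the backend health probe and TLS handshake succeed. Building a second, unrelated root and verifying against it is a quick way to confirm your gateway configuration is not silently trusting the wrong CA.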
- Mr-Chamo, Sep 14, 2023, Copper Contributor
It might seem obvious, but I have not found a consensus (or even a strong trend) on whether it is recommended to have a firewall in front of the WAF, since we know this has disadvantages such as the visibility and tuning of WAF policies. I would like to hear the architecture recommendation for WAF and FW in a typical hub-and-spoke customer scenario. If I use WAF in the hub, I could have limitations on distributing billing per subscription. If I put the WAF with a PIP in the spokes, I think it goes against the practice of not allowing connectivity from the Internet to an application in an internal zone. I would like to hear clear recommendations on this.
- TBohunek, Sep 26, 2023, Copper Contributor
I think the answer on the call proved the point: we have to choose either client IPs or IDPS & TI. There is demand for a solution that does both. 🙂
It looks to me like these features could be integrated into WAF/AppGW if Microsoft wanted to.
- AlanLaPietra, Sep 26, 2023
Microsoft
Nice article describing all the scenarios: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway
- RodrigoFerraz, Sep 12, 2023, Copper Contributor
Valon_Kolica, since Azure Firewall is a highly available solution, I assume that the underlying mechanism for this resource employs some sort of VM/app cluster. Could you give us a bit more insight into how HA is achieved at the backend level? Also, could you let us know whether HA is done in an active-passive mode (where only one firewall device handles the entire traffic load) or an active-active mode (where two or more firewall devices handle the traffic)? Finally, how is traffic-flow consistency, especially for stateful connections, achieved if HA follows an active-active model? Thank you.
- gusmodena, Sep 26, 2023
Microsoft
RodrigoFerraz, Azure Firewall is a cloud-native resource. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It is based on a Virtual Machine Scale Set, and by default there are two active VMSS instances. Azure Firewall gradually scales out when the average throughput or CPU consumption is at 60%, which takes 5 to 7 minutes. Scale-in also happens gradually, when the average throughput or CPU consumption is below 20%. Note: scaling doesn't apply to the Basic SKU, which has a fixed scale unit that runs the service on two virtual machine backend instances.
Azure Firewall doesn't share connection state between instances, so in the case of a scale-in, a VM instance is put in drain mode for 90 seconds before being recycled. The same may happen during planned maintenance of the firewall.
For reliability, we recommend deploying Azure Firewall with Availability Zones.