Forum Discussion
Valon_Kolica
Aug 29, 2023 (Former Employee)
SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
UPDATED, post-AMA: Here is the AMA recording in case you missed the live session.
*************************************************************
Please join us in this Ask Me Anythin...
Valon_Kolica
Sep 01, 2023 (Former Employee)
Please submit your questions/feedback here.
Mr-Chamo
Sep 14, 2023 (Copper Contributor)
It might seem obvious but I have not got a consensus (or even a strong trend) on whether it is recommended to have a Firewall in front of the WAF, since we know that this has disadvantages like the visibility and tuning of WAF policies. I would like to hear the architecture recommendation for WAF and FW in a typical hub and spoke customer scenario. If I use WAF in the Hub I could have limitations on distributing Billing per subscription. If I put the WAF with PIP on the spokes I think it goes against the practice of not allowing connectivity from the Internet to an application in an internal zone. I would like to hear clear recommendations on this.
- TBohunek
  Sep 26, 2023 (Copper Contributor)
  I think the answer on the call proved the point: We have to choose either Client IPs or IDPS&TI. There is demand for a solution that does both. 🙂
  Looks to me that these features could be integrated into WAF/AppGW if Microsoft wanted to.
- AlanLaPietra
  Sep 26, 2023 (Microsoft)
  Nice article describing all the scenarios: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway