Forum Discussion
Valon_Kolica
Aug 29, 2023 | Former Employee
SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
UPDATED, post-AMA: Here is the AMA recording in case you missed the live session.
*************************************************************
Please join us in this Ask Me Anythin...
hthakur03
Sep 25, 2023 | Copper Contributor
I would like to know how Azure Firewall IDPS can be configured in the following scenario: website traffic/incoming requests for the site from the Internet -> Application Gateway (SKU v1) -> Azure Firewall Premium -> Azure App Service.
In the above scenario, how do we configure the IDPS (Firewall) certificate? Can we use the website's third-party certificate (intermediate) while configuring TLS/IDPS, or do we need to generate a Firewall certificate? Also, in Application Gateway, do I need to configure Azure Firewall as the backend and also upload the firewall certificate on Azure Application Gateway?
andrewmathu
Microsoft
Oct 02, 2023
Hello @hthakur03,
Thanks for your question.
To begin with, we would recommend that you use Application Gateway (SKU version 2) as Application Gateway (SKU version 1) will be retired - Deprecation Announcement - April 23, 2023 - https://learn.microsoft.com/en-us/azure/application-gateway/v1-retirement.
For the Azure Firewall Premium, the intermediate certificate is used. You can view the certificate requirements from this page - https://learn.microsoft.com/en-us/azure/firewall/premium-certificates. For production deployments, you should use an Enterprise PKI to generate the certificates that you use with Azure Firewall Premium. This is outlined in this document - https://learn.microsoft.com/en-us/azure/firewall/premium-deploy-certificates-enterprise-ca.
For the Application Gateway backend settings, you will use the root certificate of the Azure Firewall. You can check out this link for the end-to-end setup of Application Gateway with Firewall - https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall. You can also check out this blog on Zero Trust with Azure Network Security, which shows the steps when deploying Application Gateway with WAF, Azure Firewall and Azure DDoS - https://techcommunity.microsoft.com/t5/azure-network-security-blog/zero-trust-with-azure-network-security/ba-p/3668280