May 04 2021 09:15 PM
Hi Team,
We are looking to implement an Azure Firewall for filtering inbound HTTPS traffic to Azure Function Apps hosted in a Premium App Service plan. Is it possible to use Azure Firewall for this, or should we be using Azure Web Application Firewall?
Thanks,
Pavan.
May 19 2021 11:08 PM
May 20 2021 03:34 AM
Hi
Azure Firewall operates at layer 4 while WAF operates at layer 7. Since you want to filter HTTPS traffic, WAF is more suitable.
You can also find this in the FAQ:
Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols. For example RDP, SSH, and FTP protocols. For best inbound HTTP/S protection, use a web application firewall such as Azure Web Application Firewall (WAF).
Ref: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
May 20 2021 03:53 AM
May 20 2021 04:02 AM - edited May 20 2021 08:08 AM
I'm only referring to Azure Firewall, not Premium, because it's still in preview (correct me if I'm wrong) and therefore not recommended for production use. Even if it operates at layer 7, I don't get the point of using a firewall instead of WAF unless you tell me that it can protect from the OWASP Top 10 vulnerabilities and provide load balancing options as Application Gateway does.
Jun 02 2021 01:55 PM - edited Jun 02 2021 01:57 PM
I would suggest using Azure Front Door and a WAF policy; it's a globally resilient resource compared with the regional Application Gateway, and also less expensive, or at least without such high static monthly costs. Don't forget to add IP restrictions with the FDID header value on App Service; then you would achieve Nirvana of Security. :) Azure Firewall is more suitable for outbound scanning; however, the new Premium preview SKU supports scenarios with Layer 7 and inbound.
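
Added example, not part of the thread and not Microsoft's code: a Python model of the App Service restriction mentioned in the last post, assuming the rule pairs the Front Door backend address ranges with the `X-Azure-FDID` header. The address range, the Front Door ID and the function names are constructed placeholders.

```python
import hmac
import ipaddress

# Constructed placeholders. A real rule uses the AzureFrontDoor.Backend
# service tag and the ID of your own Front Door profile.
FRONT_DOOR_BACKEND_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"


def from_front_door_range(source_ip: str) -> bool:
    """True if the peer address is inside the allowed backend ranges."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in FRONT_DOOR_BACKEND_RANGES)


def fdid_matches(headers: dict) -> bool:
    """True if exactly one X-Azure-FDID header is present and it is ours."""
    values = [v for k, v in headers.items() if k.lower() == "x-azure-fdid"]
    if len(values) != 1:
        return False
    supplied = values[0].strip().lower().encode()
    return hmac.compare_digest(supplied, EXPECTED_FDID.encode())


def allow_request(source_ip: str, headers: dict) -> bool:
    # The backend ranges are shared by every Front Door profile, so the
    # address alone does not identify yours. The header alone can be set by
    # any client that reaches the app directly. Require both.
    return from_front_door_range(source_ip) and fdid_matches(headers)


# Constructed sample requests: (peer address, request headers).
SAMPLES = [
    ("203.0.113.10", {"X-Azure-FDID": EXPECTED_FDID}),   # your profile
    ("203.0.113.10", {"X-Azure-FDID": "11111111-1111-1111-1111-111111111111"}),
    ("198.51.100.7", {"X-Azure-FDID": EXPECTED_FDID}),   # direct, header set
    ("203.0.113.10", {}),                                # header missing
]


def evaluate_samples() -> list:
    return [allow_request(ip, hdrs) for ip, hdrs in SAMPLES]


if __name__ == "__main__":
    for (ip, hdrs), ok in zip(SAMPLES, evaluate_samples()):
        print(f"{ip:15} {hdrs.get('X-Azure-FDID', '-'):36} allow={ok}")
```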