neilashbysenior
Copper Contributor
Oct 31, 2022

Azure application gateway preauthentication

Hi, I'm wondering if there is a way to securely present applications in Azure that are running on virtual machines whereby the initial client request will not touch the VMs until authentication has been completed.

 

This post pretty much sums up my question: https://www.reddit.com/r/AZURE/comments/vfohtk/azure_web_application_firewall_on_azure/.

It would be good if App Gateway could operate as the lower half of this image:

 

It looks like the only way to achieve this is to use Azure AD Application Proxy (not suitable for Azure virtual machines due to unnecessary overhead and performance) or put in additional third-party infrastructure at a cost.

 

Is this on the roadmap at all or is there another way to achieve this using Azure native services?

Thanks,

Neil.

 

1 Reply

  • Tdullers
    Copper Contributor

    Hi,

    Most likely Azure Front Door with the authentication option enabled is a fit for your use case.
    You can point a Front Door to a Load Balancer in front of your VMs, and requests will only reach the Load Balancer, and by consequence your VMs, when the client successfully authenticates to Front Door. The big advantage is that Front Door is a service that lives outside of your VNets in the Microsoft POP locations. So the traffic will nicely stay out of your environment if no successful authentication occurred. Hope this solves your problem.
