Sep 19 2019 11:27 PM
Hello All,
Sep 20 2019 07:01 AM
Will you be implementing this application in multiple regions? The Traffic Manager routes traffic at the DNS level and has 6 routing methods. The end client will connect directly into the Azure region after hitting the Traffic Manager, and all further traffic will bypass the Traffic Manager for that session. Depending on your load balancing needs, and if you have the application in one region, I would recommend the Application Gateway and enabling the Web Application Firewall. This would limit the number of resources and the complexity of your networking. This would combine the Traffic Manager, Fortigate Firewall, and the Azure App Gateway.
The routing would look like this.
Internet-->Application Gateway(Web Application Firewall)-->Target Web VM.
This of course is dependent on what other VMs and services you are configuring to sit behind the Fortigate. If it's just this one VM in a single region, I would strongly suggest going with the Application Gateway instead.
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
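As an added illustration of the single-region layout recommended in the reply above (Internet --> Application Gateway with WAF --> target web VM), here is a Bicep template that deploys a WAF_v2 Application Gateway with a WAF policy attached and a backend pool containing one VM. It is example configuration, not code from the original thread or from Microsoft's documentation. The VNet name vnet-web, the dedicated subnet snet-appgw, the VM private IP 10.0.1.4 and the health-probe path /healthz are all hypothetical assumptions.

```bicep
// Added example, not part of the original thread. Assumes an existing VNet 'vnet-web'
// with a subnet 'snet-appgw' reserved for the gateway, and a web VM listening on port 80.
param location string = resourceGroup().location
param targetVmPrivateIp string = '10.0.1.4' // hypothetical backend address

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'vnet-web'
}

// Standard static public IP: the only Internet-facing address in this layout.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-appgw'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// WAF policy with the OWASP managed rule set. Prevention mode blocks matches;
// start in 'Detection' and review the logs before switching if false positives matter.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'waf-web'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}

var agwName = 'agw-web'
// Sub-resource ids inside an Application Gateway must reference the gateway itself.
var agwId = resourceId('Microsoft.Network/applicationGateways', agwName)

resource agw 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: agwName
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    autoscaleConfiguration: {
      minCapacity: 1
      maxCapacity: 3
    }
    firewallPolicy: {
      id: wafPolicy.id
    }
    gatewayIPConfigurations: [
      {
        name: 'gwip'
        properties: {
          subnet: {
            id: '${vnet.id}/subnets/snet-appgw'
          }
        }
      }
    ]
    frontendIPConfigurations: [
      {
        name: 'fe-public'
        properties: {
          publicIPAddress: {
            id: pip.id
          }
        }
      }
    ]
    frontendPorts: [
      {
        name: 'port80'
        properties: {
          port: 80
        }
      }
    ]
    backendAddressPools: [
      {
        name: 'pool-web'
        properties: {
          backendAddresses: [
            {
              ipAddress: targetVmPrivateIp
            }
          ]
        }
      }
    ]
    // Custom probe so the gateway marks the VM unhealthy when the application (not just the host) fails.
    probes: [
      {
        name: 'probe-web'
        properties: {
          protocol: 'Http'
          host: '127.0.0.1'
          path: '/healthz'
          interval: 30
          timeout: 30
          unhealthyThreshold: 3
          pickHostNameFromBackendHttpSettings: false
        }
      }
    ]
    backendHttpSettingsCollection: [
      {
        name: 'http-settings'
        properties: {
          port: 80
          protocol: 'Http'
          cookieBasedAffinity: 'Disabled'
          requestTimeout: 30
          probe: {
            id: '${agwId}/probes/probe-web'
          }
        }
      }
    ]
    httpListeners: [
      {
        name: 'listener-http'
        properties: {
          frontendIPConfiguration: {
            id: '${agwId}/frontendIPConfigurations/fe-public'
          }
          frontendPort: {
            id: '${agwId}/frontendPorts/port80'
          }
          protocol: 'Http'
        }
      }
    ]
    requestRoutingRules: [
      {
        name: 'rule-web'
        properties: {
          ruleType: 'Basic'
          priority: 100
          httpListener: {
            id: '${agwId}/httpListeners/listener-http'
          }
          backendAddressPool: {
            id: '${agwId}/backendAddressPools/pool-web'
          }
          backendHttpSettings: {
            id: '${agwId}/backendHttpSettingsCollection/http-settings'
          }
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create -g <rg> -f appgw.bicep` after the VNet and VM exist. The example listens on port 80 only to stay short; a production gateway should add a 443 listener with a certificate (for example from Key Vault) and redirect 80 to it. Because the gateway's public IP is the only entry point, the VM's NSG can then be restricted to accept port 80 from the gateway subnet alone.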
Apr 17 2021 01:46 PM - edited Apr 17 2021 01:47 PM
You did not answer the question. Most customers will put the Traffic Manager profile out in front of third-party NVAs in Azure, with the traffic trying to go from Internet --> Traffic Manager --> NVAs --> App. How do we get the traffic routed to the NVAs when the ATM profile doesn't exist in a subnet? Do we set the backend target as the public IP on the external interface of the NVA? If so, how does the ATM know if the app is healthy, because it would only know if the NVA was healthy? This needs to be clearly defined, as most of my customers use an HA pair of NVAs. Now, if we introduce an App Gateway between the ATM and the NVAs, then I can route traffic to the App GW on the public IP, and then I can send the traffic through the NVAs with UDRs.