Sep 19 2022 07:28 AM
Hello Community members I am looking for best landing zone practices with azure App gateway before Azure firewall
Sep 19 2022 07:01 PM - edited Sep 19 2022 10:09 PM
This is a very open-ended question and the reply could be quite vast, but to give you some crisp answer - mine is specific to checkpoints on App Gateway - check on these parameters: the number one would be WAF, creation of proper VNets and subnets, monitoring the traffic, creation of a workspace to store the logs, threat detection and automation of alert notifications, associating NSGs and using dedicated subnets for critical applications. Also stick to the basics like user access of the application and network admin (the less access given, the better the job done). If you want more info let me know, I can give you some articles from MS docs for reference. This would be a good start - https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/application-gateway-security-ba...
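The checkpoints listed in this reply (dedicated subnet, NSG, WAF, logs in a workspace), written out as an added Bicep example that is not part of the thread or of Microsoft's docs; resource names, address ranges, the pre-existing App Gateway v2 and the Log Analytics workspace id are assumptions:

```bicep
// Added example, not from this thread: the App Gateway checkpoints above written as Bicep. Dedicated
// subnet with its own NSG, WAF in Prevention mode, gateway logs to Log Analytics. Names and ranges are assumptions.
param location string = resourceGroup().location
param appGwName string           // assumption: an App Gateway v2 already exists in this resource group
param workspaceResourceId string // assumption: resource id of an existing Log Analytics workspace
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-appgw'
  location: location
  properties: {
    securityRules: [
      { // App Gateway v2 control-plane ports; without this rule the gateway reports unhealthy
        name: 'AllowGatewayManager'
        properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'GatewayManager', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '65200-65535' }
      }
      { // only HTTPS from the internet reaches the listener; the default DenyAllInBound rule drops the rest
        name: 'AllowHttpsInbound'
        properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '443' }
      }
    ]
  }
}
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'snet-appgw', properties: { addressPrefix: '10.0.1.0/24', networkSecurityGroup: { id: nsg.id } } } // gateway only
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.2.0/26' } } // name fixed by Azure Firewall, /26 minimum
    ]
  }
}
resource waf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-04-01' = {
  name: 'waf-appgw' // reference waf.id from the gateway's firewallPolicy property
  location: location
  properties: {
    policySettings: { state: 'Enabled', mode: 'Prevention', requestBodyCheck: true } // Detection mode would only log
    managedRules: { managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ] }
  }
}
resource appGw 'Microsoft.Network/applicationGateways@2023-04-01' existing = { name: appGwName }
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-appgw'
  scope: appGw
  properties: {
    workspaceId: workspaceResourceId
    logs: [ { category: 'ApplicationGatewayAccessLog', enabled: true }, { category: 'ApplicationGatewayFirewallLog', enabled: true } ]
  }
}
```

The ApplicationGatewayFirewallLog table in the workspace is what the alert rules for WAF blocks and anomaly detection should be built on; the gateway itself must point at the policy through its firewallPolicy property for the rules to apply.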
Sep 19 2022 10:35 PM
Sep 20 2022 01:57 PM
Hi there,
I think it's still not 100% clear, as a hub/spoke model doesn't really have much to do with a landing zone. That network model is often most relevant for the infrastructure itself and the management behind the scenes, versus the functionality of a landing page.
Regardless, this image might help you out with what you're looking to achieve. Have a WAF in front of it, or use something like Azure Front Door in front, then the App Gateway sitting in a vNet behind that:
Sep 21 2022 09:21 PM
The landing zone prep and implementation process is more about the type of org you want to migrate and the level of governance you need to have. The hub-spoke scenario is not new and it doesn't play a major part in getting the landing zone ready, because the firewall architecture and all its networking components will be grouped under a Networking / Connectivity subscription.
Landing environment design areas should consider Identity/Access, Network, Billing and Resource. For compliance, do consider Security, Management and Governance. For all the subscribing divisions you have, make sure to assign proper Roles to Manage, Policy to Govern, Security and Traffic Monitoring.
After you decide and align the above, decide on the implementation option - we have several, like Migration, Blueprint, Terraform Modules and Partner - choose the best for you and work it out.
For more info, check https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/implementation-o...
Do consider using the Landing zone accelerator - I am sure you're aware of this; it has a lot of options for pre-prepared ARM templates which are easy to modify and use accordingly.
Hope this helps you out with the basic layout of the landing zone prep and the factors to consider.