Add Azure Firewall compatibility with Application Gateway
I have an architecture with multiple subscriptions, virtual networks and connectivity to on-premises. In the hub subscription we use(d) Azure Firewall to filter network traffic between networks.
It appears that Azure Firewall cannot be used in conjunction with Application Gateway, as (apparently?) the health probe traffic is not routed correctly and the backend status is deemed "unknown" even though everything is healthy. Microsoft Support confirmed that this is currently unsupported.
This prevents us from using ready-made PaaS solutions (App GW) to publish services running in Azure. At the same time, we consider network security a critical matter and do not want to rely on just Network Security Groups.
Just went through a setup which had Azure FW as the NVA, only to find out we can't route the health probes via the NVA. The backend status shows as unknown. Please add this ability.
You can have both services, either side by side (recommended) or chained. See more here: https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway. We are looking to provide better integration in the future.
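The "chained" option above puts the firewall on the path between the Application Gateway subnet and the backend subnet, and in that design the route tables on both subnets have to agree, otherwise a stateful firewall sees only one half of the health-probe flow and drops the reply. The model below is an added illustration, not code from this thread, from Microsoft or from the linked document; the VNet prefixes, addresses and route tables are constructed, and it assumes that asymmetric routing through the stateful NVA is the reason the probes come back "unknown", which the thread itself does not establish. It applies Azure's longest-prefix-match rule (a UDR only wins over the VNet system route when its prefix is more specific), so it also shows why a 0.0.0.0/0 UDR to the firewall does not pull intra-VNet traffic through the firewall at all.

```python
"""Toy model of UDR evaluation and a stateful NVA between an Application
Gateway subnet and a backend subnet. Constructed topology for illustration."""
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not taken from the thread or the linked doc).
VNET = ip_network("10.0.0.0/16")
APPGW_SUBNET = ip_network("10.0.1.0/24")
BACKEND_SUBNET = ip_network("10.0.2.0/24")
FIREWALL = ip_address("10.0.0.4")        # private IP of the firewall (NVA)
PROBE_SRC = ip_address("10.0.1.10")      # App GW instance sending the health probe
BACKEND = ip_address("10.0.2.10")        # web server answering the probe

DIRECT = "VnetLocal"  # Azure system route: delivered inside the VNet, no NVA
SYSTEM_ROUTES = [(VNET, DIRECT)]          # every subnet has this by default


def next_hop(route_table, dst):
    """Longest-prefix match over (prefix, next_hop) entries, which is the rule
    Azure applies when a UDR and a system route both cover a destination."""
    best_prefix, best_hop = None, None
    for prefix, hop in route_table:
        if dst in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
            best_prefix, best_hop = prefix, hop
    return best_hop


class StatefulFirewall:
    """Minimal stateful NVA: a reply is only forwarded if the firewall saw the
    forward half of the same flow."""

    def __init__(self):
        self.flows = set()

    def forward(self, src, dst, is_reply):
        if not is_reply:
            self.flows.add((src, dst))
            return True
        # A reply dst->src must match a recorded src->dst flow.
        return (dst, src) in self.flows


def trace(appgw_routes, backend_routes):
    """Simulate one health probe: request App GW -> backend, reply backend -> App GW.
    Returns (forward_hop, reply_hop, probe_ok)."""
    fw = StatefulFirewall()
    fwd_hop = next_hop(appgw_routes, BACKEND)
    if fwd_hop == FIREWALL:
        fw.forward(PROBE_SRC, BACKEND, is_reply=False)
    rep_hop = next_hop(backend_routes, PROBE_SRC)
    probe_ok = True
    if rep_hop == FIREWALL and not fw.forward(BACKEND, PROBE_SRC, is_reply=True):
        probe_ok = False  # reply dropped: App GW never hears back, status "Unknown"
    return fwd_hop, rep_hop, probe_ok


if __name__ == "__main__":
    # Backend subnet forces App GW traffic through the firewall, App GW subnet does not.
    asym_backend = SYSTEM_ROUTES + [(APPGW_SUBNET, FIREWALL)]
    print("asymmetric:", trace(SYSTEM_ROUTES, asym_backend))
    # Fix: the App GW subnet also routes the backend prefix through the firewall.
    sym_appgw = SYSTEM_ROUTES + [(BACKEND_SUBNET, FIREWALL)]
    print("symmetric: ", trace(sym_appgw, asym_backend))
    # A 0.0.0.0/0 UDR is less specific than the VNet system route, so it never applies.
    default_only = SYSTEM_ROUTES + [(ip_network("0.0.0.0/0"), FIREWALL)]
    print("default UDR:", trace(SYSTEM_ROUTES, default_only))
```

The check a practitioner would run on the real subnets is the same comparison: read the effective routes of the App GW subnet NIC and the backend NIC and confirm that the two prefixes resolve to the same next hop in both directions before blaming the health probe itself.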
Joseph Madden commented
Is there any update on this request? I've also tried to use a VPN GW <--> Azure Firewall <--> Application Gateway.
It seems that when you add routing to the Azure Gateway subnet, it fails to work correctly if directed to an Azure Firewall.
Arun Varughese commented
Any update on this request?
Aidan Finn commented
Agreed. Even if we do add WAG/WAF with their own PIP, the routing becomes a nightmare. Support for WAG/WAF behind Azure Firewall is a must-have.