Add Azure Firewall compatibility with Application Gateway
I have an architecture with multiple subscriptions, virtual networks and connectivity to on-premises. In the hub subscription we use(d) Azure Firewall to filter network traffic between networks.
It appears that Azure Firewall cannot be used in conjunction with Application Gateway, as (apparently?) the health probe traffic is not routed correctly and the backend status is deemed "unknown" even though everything is healthy. Microsoft Support confirmed that this is currently unsupported.
This prevents us from using ready-made PaaS solutions (App GW) to publish services running in Azure. At the same time, we consider network security a critical matter and do not want to rely on Network Security Groups alone.
Aidan Finn commented
Agreed. Even if we do add WAG/WAF with their own PIP, the routing becomes a nightmare. Support for WAG/WAF behind Azure Firewall is a must-have.