Need Infrastructure suggestion

Reshmi B 0

The current architecture consists of the following components:

• Hub VNet: Includes a VPN Gateway and Firewall for secure connectivity.

• Public Load Balancer: Distributes traffic to the Public AKS (Azure Kubernetes Service) Cluster.

• AKS Cluster: Hosts containerized applications, with private endpoints configured for secure communication.

• Key Services: o Azure Storage Account o Azure Key Vault for secrets management o Azure Container Registry (ACR) for container images o Redis Cache for caching

Here our environment is shown as public, however I would need to secure our infrastructure. Do I need to configure Application gateway or the Frondoor or both need suggestion and guidlines on this. Thanks in advance!

Sai Prasanna Sinde 3,585 Reputation points Microsoft Vendor

2025-01-08T17:21:14.6166667+00:00

Hi @Reshmi B

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Thanks,

Sai.
Reshmi B 0 Reputation points

2025-01-09T16:59:26.0666667+00:00

Hi Sai Prasanna,

Thank you for the update. But what if I configure either of the one ? Also I am having an issue while configuring Frontdoor, I tried configuring FD but its not routing through B2C and I am stuck there. So I moved on to application gateway and here I see only public IP I can add how about private IP as our AKS cluster has both frontend and backend microservices and its been public. I am stuck here with public and private endpoints. Please suggest.

Thanks
Sai Prasanna Sinde 3,585 Reputation points Microsoft Vendor

2025-01-09T22:01:27.25+00:00
Hi @Reshmi B

Good day!

Please go through the below points:

Both Application Gateway and Front Door offers the strongest security posture, sometimes it's not necessary or feasible.

Applications that need web application firewall (WAF) protection but aren't geographically distributed and don't require global load balancing or edge caching. For your reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

You'll manage security and routing within your VNet. This is generally simpler to set up than Front Door.

Globally distributed applications needing high availability, performance optimization (caching, SSL offloading), and edge security with WAF. For your reference: https://learn.microsoft.com/en-us/azure/frontdoor/scenarios

Front Door is a global service, so routing and security policies are managed differently than Application Gateway. For your reference: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#:~:text=Front%20Door%20is%20a%20global,in%20the%20same%20scale%20unit.

It sounds like you're having trouble routing Front Door through Azure B2C.

Ensure your Front Door routing rules are correctly configured to direct traffic to your B2C tenant. Double-check paths, hostnames, and any specific rules related to authentication flows.

Verify your DNS settings are properly configured to point to your Front Door endpoint. Any misconfigurations here can prevent traffic from reaching B2C.

If your B2C application relies on session affinity, ensure its configured correctly in Front Door. This maintains user sessions with the same backend server.

Review your B2C tenant configuration to ensure it's set up to accept traffic from Front Door. This might involve configuring custom domains or reply to URLs.

You're correct that Application Gateway typically uses public IP addresses. However, you can achieve a similar setup for your private AKS cluster using a combination of Application Gateway and internal load balancers.

Create an internal load balancer within your AKS cluster's VNet to distribute traffic to your backend microservices.

Configure your Application Gateway with a private frontend IP address that resides within the same VNet as your AKS cluster.

Configure Application Gateway to route traffic to the internal load balancer. This allows external traffic to reach your backend services securely while keeping them private.

Apply NSGs to the Application Gateway's subnet to restrict inbound traffic to only necessary ports [80 or 443] and sources. For your reference: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#:~:text=security%20admin%20rules.-,Network%20security%20groups,Gateway%20subnet%2C%20but%20be%20aware%20of%20some%20key%20points%20and%20restrictions.,-Important

Enable the Application Gateway's WAF to protect against common web exploits. For your reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-faq#:~:text=Azure%20WAF%20is%20a%20web%20application%20firewall%20that%20helps%20protect%20your%20web%20applications%20from%20common%20threats%20such%20as%20SQL%20injection%2C%20cross%2Dsite%20scripting%2C%20and%20other%20web%20exploits.%20You%20can%20define%20a%20WAF%20policy%20consisting%20of%20a%20combination%20of%20custom%20and%20managed%20rules%20to%20control%20access%20to%20your%20web%20applications.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,

Sai.
Sai Prasanna Sinde 3,585 Reputation points Microsoft Vendor

2025-01-10T18:46:56.0666667+00:00

Hi @Reshmi B

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Thanks,

Sai.
Sai Prasanna Sinde 3,585 Reputation points Microsoft Vendor

2025-01-13T18:56:44.1466667+00:00

Hi @Reshmi B
Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Thanks,

Sai.
Reshmi B 0 Reputation points

2025-01-14T16:21:59.1+00:00

Yes, It is helpful. Thank you, I will try to configure the same and let you know
Sai Prasanna Sinde 3,585 Reputation points Microsoft Vendor

2025-01-15T18:48:00.1866667+00:00

Hi @Reshmi B

Glad we could be of help.

Meanwhile could you please close the thread by clicking 'Accept answer' so that it would be helpful to the other community members facing the same issue.

If you have any additional questions regarding this issue, please leave a comment below, and we will address your query.

Thanks,
Sai.

1 answer

Sai Prasanna Sinde 3,585 Reputation points Microsoft Vendor

2025-01-08T00:36:28.5766667+00:00
Hi @Reshmi B

Welcome to the Microsoft Q&A Platform. Thank you for posting your query here.

We should consider implementing both Azure Application Gateway and Azure Front Door Standard/Premium, with a strategy which satisfy your specific needs.

Using both services creates multiple layers of security. An attacker would need to bypass both Front Door's global edge security and Application Gateway's application-level security to reach your AKS cluster. For your reference: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

Azure Front Door Standard/Premium offers robust capabilities in global load balancing, edge security (including WAF at the edge), caching, SSL offloading, URL rewriting, and session affinity on a global scale. For your reference: https://azure.microsoft.com/en-us/pricing/details/frontdoor/#:~:text=Azure%20Front%20Door%20is,available%20in%20two%20tiers%3A

Application gateway offers application-level protection within your VNet. It includes a Web Application Firewall (WAF) for detailed traffic inspection, SSL termination, URL-based routing, and cookie-based session affinity. For your reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview#:~:text=Application%20Gateway%20operates,and%20security%20enhancements.

You can try out below architecture incorporating both services for optimal security and performance:

Internet > Azure Front Door (WAF, Global Load Balancing, Caching) > Azure Application Gateway (WAF, VNet Integration)> Private Endpoints for Key Services > Private AKS Cluster

Benefits of above architecture:

Multiple layers of WAF protection, private AKS cluster, private endpoints for key services.

Global load balancing, caching, and SSL offloading through Front Door.

Front Door and Application Gateway can both scale to handle large amounts of traffic.

Front Door provides global redundancy, and Application Gateway can be configured for high availability within a region.

If your application is strictly for internal use and not accessible from the public internet, then you might only need Application Gateway within your VNet.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,

Sai.
Please sign in to rate this answer.
Sai Prasanna Sinde 3,585 Reputation points Microsoft Vendor

2025-01-16T18:52:15.4633333+00:00

Hi @Reshmi B

Greetings!

Could you please close this thread by clicking 'Accept answer' so that it would be helpful to the other community members facing the same issue.

If you have any additional questions regarding this issue, please leave a comment below, and we will address your query.

Thanks,
Sai.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Need Infrastructure suggestion

1 answer

Your answer