Adding firewall in front of web apps in Hub-and-Spoke architecture

Najam ul Saqib 360

Hi,

I am shifting towards hub & spoke model in my Azure subscription so that all the traffic coming into my subscription goes through the firewall.

I have multiple types of resources but I am more concerned about web apps and function apps. How can they be connected to the firewall and still be reached using their DNS name?

Is this a possibility to attach WAF policy with Azure Firewall or do I need Azure Frontdoor separately in the hub to be able to use WAF?

Sikati Fotso Deker 5 Reputation points

2025-01-29T15:59:41.0133333+00:00
To route all traffic through your Azure Firewall while still allowing access to web apps and function apps using their DNS names, you have a few options:

Using Private Endpoints with Azure Firewall

Deploy private endpoints for your Web Apps and Function Apps in the spoke VNet.

Use Private Link to ensure traffic flows through your hub and firewall.

Configure Azure Firewall with DNAT or rules to allow access.

Enable Private DNS zones to resolve the app service's private IP addresses correctly.

Using Azure Application Gateway + WAF

Deploy an Application Gateway in the hub VNet with a WAF policy attached.

Configure backend pools to point to your web apps and function apps using private endpoints.

The App Gateway routes traffic through the firewall before reaching the applications.

Using Azure Front Door with Azure Firewall

Azure Front Door (AFD) provides global WAF capabilities but is public-facing.

It routes traffic to your web apps while enforcing security policies.

Azure Firewall can still inspect outbound traffic from your apps to the internet.

WAF Policy with Azure Firewall?

Azure Firewall does NOT support WAF policies natively.

To enforce WAF protection, you need Azure Application Gateway WAF (regional) or Azure Front Door WAF (global).

Recommended Approach

If you want full security with WAF:

Option 1 (Private Endpoints + Azure Firewall) for internal-only apps.

Option 2 (App Gateway WAF) for regional traffic control.

Option 3 (Azure Front Door WAF + Firewall) for global applications.To route all traffic through your Azure Firewall while still allowing access to web apps and function apps using their DNS names, you have a few options:

Using Private Endpoints with Azure Firewall

Deploy private endpoints for your Web Apps and Function Apps in the spoke VNet.

Use Private Link to ensure traffic flows through your hub and firewall.

Configure Azure Firewall with DNAT or rules to allow access.

Enable Private DNS zones to resolve the app service's private IP addresses correctly.

Using Azure Application Gateway + WAF

Deploy an Application Gateway in the hub VNet with a WAF policy attached.

Configure backend pools to point to your web apps and function apps using private endpoints.

The App Gateway routes traffic through the firewall before reaching the applications.

Using Azure Front Door with Azure Firewall

Azure Front Door (AFD) provides global WAF capabilities but is public-facing.

It routes traffic to your web apps while enforcing security policies.

Azure Firewall can still inspect outbound traffic from your apps to the internet.

WAF Policy with Azure Firewall?

Azure Firewall does NOT support WAF policies natively.

To enforce WAF protection, you need Azure Application Gateway WAF (regional) or Azure Front Door WAF (global).

Recommended Approach If you want full security with WAF:

Option 1 (Private Endpoints + Azure Firewall) for internal-only apps.

Option 2 (App Gateway WAF) for regional traffic control.

Option 3 (Azure Front Door WAF + Firewall) for global applications.
Najam ul Saqib 360 Reputation points

2025-01-29T16:05:24.3366667+00:00

Sorry to say but seems like an AI-generated response to me.
Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-01-29T18:15:05.83+00:00
Hello Najam ul Saqib

Greetings!

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that your focus is on web apps and function apps.

To assist you further, could you please provide the following information:

Are you connecting to web apps and function apps publicly or privately?

Are you trying to connect from on-premises or within Azure?

If connecting from on-premises, how is it connected to Azure (VPN site-to-site, point-to-site, or express route)?

Note:

Azure Firewall does not support the association with Web Application Firewall (WAF). If your requirements include WAF, please consider using Azure Front Door or Application Gateway.

Thanks,

Praveen
Najam ul Saqib 360 Reputation points

2025-01-30T04:58:24.3933333+00:00
@Anonymous

I am connecting to these apps publicly.

Connection to web apps is from open internet. There's though no on-prem network.

No VPN is being used except wireguard which is just to connect to internal resources in Azure
Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-01-30T19:10:56.3233333+00:00

Hello Najam ul Saqib

Greetings!

Thank you for your response.

If you need to access the web apps and function apps that are publicly accessible through the Azure firewall, we can facilitate this. However, please note that there are some limitations when accessing these resources publicly via the Azure firewall.

The optimal solution is to access the web app and function app via Azure Front Door and WAF. Azure Front Door provides benefits such as securing global internet services, optimizing application performance, and enabling fault-tolerant architectures through edge load balancing. Additionally, it allows you to call your application with a host name. WAF features are also available in Front Door, enabling you to restrict any malicious IP addresses.

To access your Web apps and Function apps privately, you can use the Azure firewall with a DNAT rule.
Najam ul Saqib 360 Reputation points

2025-01-31T03:41:16.6766667+00:00

Can you tell me what are the limitations with WAF?

Also, is using application gateway also a good solution with WAF? How does it compares to Front Door?
Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-01-31T16:42:55.3166667+00:00

Hello Najam ul Saqib

Greetings!

Thank you for your response.

It is not possible to associate a web application firewall with Azure Firewall.

Yes, it is possible to associate an application gateway with WAF. However, Front Door is a global load balancer, whereas Application Gateway is a regional load balancer. When you access the Front Door URL, it will check the nearest edge POP location and provide a response.

With Application Gateway, we can configure both public and private frontend IPs.

Kindly check the below public documents for more understanding:

Doc for web application firewall on front door: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview

Doc for web application firewall on application Gateway: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-02-03T10:13:33.95+00:00

Hello Najam ul Saqib

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Regards
Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-02-04T12:35:36.8866667+00:00

Hello Najam ul Saqib

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Regards
Najam ul Saqib 360 Reputation points

2025-02-04T13:44:00.0366667+00:00

@Anonymous Yes, I have few more questions. Where will this Front Door lie in the Hub & Spoke model ideally?

Also, if I have a VPN using wireguard setup in the VM, where should that be in the Hub & Spoke Model?

In my model, all of the web apps traffic will go through FrontDoor WAF and rest of the traffic will be via Firewall. Is that okay?

Can you explain your line "To access your Web apps and Function apps privately, you can use the Azure firewall with a DNAT rule." Aren't we using web apps and function apps via FrontDoor? Let's assume we're using it internally then being in the spoke how traffic of function app will pass through firewall?
Najam ul Saqib 360 Reputation points

2025-02-04T15:28:53.2833333+00:00

P.S. The app service workloads are not integrated with any VNet.

1 answer

Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-02-06T11:10:00.3266667+00:00

Hello Najam ul Saqib

Greetings!

Thank you for your response.

Azure Front Door serves as a global load balancer and does not have regional configurations or integrate with virtual networks, unlike Application Gateway.

To use Front Door, you can maintain the hub resource group and place the function app in spoke resource groups. Additionally, you can implement access restrictions on the function app to permit only Front Door traffic.

Q. In my model, all of the web apps traffic will go through FrontDoor WAF and rest of the traffic will be via Firewall. Is that okay?

Solution: Yes, your observation is correct. You can achieve this by using the scenario mentioned above.

If you need to connect to the client Functions App via Azure Firewall, you must create a DNAT rule pointing to the FQDN of the Function App. The challenging aspect is that the client must direct the FQDN of the Function App to the Azure Firewall's IP. For a global scale implementation, you will need to create a custom domain and point the Azure Firewall IP to it.

I hope this has been helpful!

Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Please sign in to rate this answer.
Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-02-07T08:23:03.2766667+00:00

Hello Najam ul Saqib

Good day!

Just checking in to see if you have had a chance to review my response to your question regarding the issue.

Hope this helps! Please let me know if you have any questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Praveen Bandaru 850 Reputation points Microsoft External Staff

2025-02-10T13:42:32.9166667+00:00

Hello Najam ul Saqib

Good day!

Just checking in to see if you have had a chance to review my response to your question regarding the issue.

Hope this helps! Please let me know if you have any questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Adding firewall in front of web apps in Hub-and-Spoke architecture

1 answer

Your answer