Adding firewall in front of web apps in Hub-and-Spoke architecture
Hi,
I am shifting towards hub & spoke model in my Azure subscription so that all the traffic coming into my subscription goes through the firewall.
I have multiple types of resources but I am more concerned about web apps and function apps. How can they be connected to the firewall and still be reached using their DNS name?
Is this a possibility to attach WAF policy with Azure Firewall or do I need Azure Frontdoor separately in the hub to be able to use WAF?
Azure Front Door
Azure Firewall
Azure Virtual Network
Azure Web Application Firewall
Azure App Service
-
Sikati Fotso Deker • 5 Reputation points
2025-01-29T15:59:41.0133333+00:00
To route all traffic through your Azure Firewall while still allowing access to web apps and function apps using their DNS names, you have a few options:
- Using Private Endpoints with Azure Firewall
  - Deploy private endpoints for your Web Apps and Function Apps in the spoke VNet.
  - Use Private Link to ensure traffic flows through your hub and firewall.
  - Configure Azure Firewall with DNAT or rules to allow access.
  - Enable Private DNS zones to resolve the app service's private IP addresses correctly.
- Using Azure Application Gateway + WAF
  - Deploy an Application Gateway in the hub VNet with a WAF policy attached.
  - Configure backend pools to point to your web apps and function apps using private endpoints.
  - The App Gateway routes traffic through the firewall before reaching the applications.
- Using Azure Front Door with Azure Firewall
  - Azure Front Door (AFD) provides global WAF capabilities but is public-facing.
  - It routes traffic to your web apps while enforcing security policies.
  - Azure Firewall can still inspect outbound traffic from your apps to the internet.
WAF Policy with Azure Firewall?
- Azure Firewall does NOT support WAF policies natively.
- To enforce WAF protection, you need Azure Application Gateway WAF (regional) or Azure Front Door WAF (global).
Recommended Approach
If you want full security with WAF:
- Option 1 (Private Endpoints + Azure Firewall) for internal-only apps.
- Option 2 (App Gateway WAF) for regional traffic control.
- Option 3 (Azure Front Door WAF + Firewall) for global applications.
-
Najam ul Saqib • 360 Reputation points
2025-01-29T16:05:24.3366667+00:00
Sorry to say but seems like an AI-generated response to me.
-
Praveen Bandaru • 250 Reputation points • Microsoft Vendor
2025-01-29T18:15:05.83+00:00
Hello Najam ul Saqib
Greetings!
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that your focus is on web apps and function apps.
To assist you further, could you please provide the following information:
- Are you connecting to web apps and function apps publicly or privately?
- Are you trying to connect from on-premises or within Azure?
- If connecting from on-premises, how is it connected to Azure (VPN site-to-site, point-to-site, or ExpressRoute)?
Note:
Azure Firewall does not support the association with Web Application Firewall (WAF). If your requirements include WAF, please consider using Azure Front Door or Application Gateway.
Thanks,
Praveen
-
Najam ul Saqib • 360 Reputation points
2025-01-30T04:58:24.3933333+00:00
- I am connecting to these apps publicly.
- Connection to web apps is from the open internet. There's no on-prem network, though.
- No VPN is being used except WireGuard, which is just used to connect to internal resources in Azure.
-
Praveen Bandaru • 250 Reputation points • Microsoft Vendor
2025-01-30T19:10:56.3233333+00:00
Hello Najam ul Saqib
Greetings!
Thank you for your response.
If you need to access the web apps and function apps that are publicly accessible through the Azure firewall, we can facilitate this. However, please note that there are some limitations when accessing these resources publicly via the Azure firewall.
The optimal solution is to access the web app and function app via Azure Front Door and WAF. Azure Front Door provides benefits such as securing global internet services, optimizing application performance, and enabling fault-tolerant architectures through edge load balancing. Additionally, it allows you to call your application with a host name. WAF features are also available in Front Door, enabling you to restrict any malicious IP addresses.
To access your Web apps and Function apps privately, you can use the Azure firewall with a DNAT rule.
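The following Bicep template is an added example, not code from anyone in this thread or from Microsoft. It wires up the path that the first answer's option 1 and the reply above describe: a private endpoint for one App Service (or Function App) in the spoke, the privatelink.azurewebsites.net private DNS zone linked to both spoke and hub so the name resolves to the private IP, and a DNAT rule in the hub firewall policy that forwards port 443 on the firewall's public IP to that endpoint. Every name, parameter and IP address here is an assumption; the resource IDs of the app, subnet, VNets and firewall policy are passed in as parameters.

```bicep
// Added example (not from the thread): hub-and-spoke wiring for one App Service
// behind Azure Firewall. All names, parameters and addresses are assumptions.

@description('Resource ID of the existing App Service or Function App (assumed)')
param webAppId string
@description('Resource ID of the spoke subnet hosting the private endpoint (assumed)')
param spokeSubnetId string
@description('Resource ID of the spoke VNet, for the private DNS zone link (assumed)')
param spokeVnetId string
@description('Resource ID of the hub VNet; the firewall must resolve the private zone too (assumed)')
param hubVnetId string
@description('Name of the existing Azure Firewall policy in the hub (assumed)')
param firewallPolicyName string
@description('Public IP address of the hub Azure Firewall (assumed)')
param firewallPublicIp string
@description('Static private IP for the endpoint, must lie inside spokeSubnetId (assumed)')
param peStaticIp string
param location string = resourceGroup().location

// 1. Private endpoint in the spoke. groupId/memberName 'sites' is the App Service
//    sub-resource; a static IP lets the DNAT rule below reference it directly.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-webapp'
  location: location
  properties: {
    subnet: { id: spokeSubnetId }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: { groupId: 'sites', memberName: 'sites', privateIPAddress: peStaticIp }
      }
    ]
    privateLinkServiceConnections: [
      {
        name: 'webapp'
        properties: { privateLinkServiceId: webAppId, groupIds: [ 'sites' ] }
      }
    ]
  }
}

// 2. Private DNS zone that overrides the public *.azurewebsites.net record.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}

// Link the zone to spoke and hub so both the firewall and spoke workloads
// resolve the app's DNS name to the private endpoint, not the public IP.
var vnetIds = [ spokeVnetId, hubVnetId ]
resource zoneLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (vnetId, i) in vnetIds: {
  parent: zone
  name: 'link-${i}'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnetId }
  }
}]

// Have the private endpoint register its A record in the zone automatically.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'sites', properties: { privateDnsZoneId: zone.id } }
    ]
  }
}

// 3. DNAT rule on the hub firewall: firewall public IP :443 -> private endpoint :443.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

resource dnat 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'rcg-webapp-inbound'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'dnat-webapp'
        priority: 100
        action: { type: 'DNAT' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'https-to-webapp-pe'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '443' ]
            translatedAddress: peStaticIp
            translatedPort: '443'
          }
        ]
      }
    ]
  }
}
```

Two checks matter once this is deployed. First, App Service selects the site by the HTTP Host header, so clients must still request the app's hostname: the public DNS record for that name has to point at the firewall's public IP, and a name other than the default *.azurewebsites.net one has to be registered as a custom domain on the app. Second, a private endpoint alone does not stop requests that bypass the firewall; set the site's publicNetworkAccess to Disabled (or add access restrictions) so the only reachable path is through the hub. As the thread notes, this gives you a Layer 4 choke point only: Azure Firewall does not evaluate WAF rules, so HTTP-layer inspection still needs Application Gateway WAF or Front Door WAF in front of it.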