Are webservers behind a WAF safe enough to be classed as trusted

Dan 176 Reputation points
2020-07-02T09:45:56.727+00:00

Hi,

I am after some advise on a hub and spoke design idea.

If I have a hub that contains a firewall and a WAF where the WAF is forwarding traffic onto a webserver in a spoke virtual network. Would you then class that web server / virtual network as trusted and consider domain joining to make management easier?

Looking at reference designs, my understanding is that the hub vNet is treated as your un-trusted zone and then any spokes are trusted? Or would it be wise to have a separate DMZ spoke that is classed as untrusted?

Thanks

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
579 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
966 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sumarigo-MSFT 43,806 Reputation points Microsoft Employee
    2020-07-13T07:48:12.477+00:00

    @probi Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.
    Looking at reference designs, my understanding is that the hub vNet is treated as your un-trusted zone and then any spokes are trusted => that's true

    It's based on your design and you can perform the POC test and go through. For now design isn't recommend

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.