question

@EnterpriseArchitect, The Web Application Firewall (WAF) provides centralized inbound protection for your web applications hosted behind Azure services like Azure Application Gateway, Azure Front Door or Azure CDN from common exploits and vulnerabilities. Whereas AZURE Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Hi @suvasara-MSFT, so in my case here, I'd like to publish the App Service with the Database from OnPremise SQL:

Public Internet Users –connects via the internet--> App Service –gets the data from--> Local OnPremise SQL Database

or

Public Internet Users –connects via the internet--> Application gateway (WAF) –secure and protect --> App Service –gets the data from--> Local OnPremise SQL Database

I assume it is possible using the WAF to prevent the attack coming through the ExpressRoute to my OnPremise?

@EnterpriseArchitect, if you deploy ExpressRoute between your Azure gateway and On-prem then there is no need to deploy firewall at the endpoints as the connection is secured and protected. If you are using Application Gateway load balancing solution here to either load balance or filter the incoming traffic with exclusion rules, then you can implement WAF in front of APPGW as it has core rules sets that obeys OWASP rules that avoid web exploits, SQL injections and other vulnerabilities.

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

@EnterpriseArchitect,

If you think your question has been answered, click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.

Best regards
Subhash