0 Votes
EnterpriseArchitect asked MohankrishnaMaladi-2065 commented

When to use Azure WAF or Azure Firewall?

Hi Folks,

Can anyone here please share some thoughts and comments on when to use Azure WAF or Azure Firewall?
I already have an existing Azure ExpressRoute, so my Azure VMs can ping my OnPremise servers, and vice versa.

My purpose here is to be able to securely publish an Azure Web Application & API that accesses the database on my OnPremise SQL server.

Thanks in advance.

azure-firewall azure-web-application-firewall azure-firewall-manager

2 Votes
suvasara-MSFT answered

@EnterpriseArchitect, the Web Application Firewall (WAF) provides centralized inbound protection for your web applications hosted behind Azure services like Azure Application Gateway, Azure Front Door or Azure CDN from common exploits and vulnerabilities, whereas Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.



Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


0 Votes
EnterpriseArchitect answered

Hi @suvasara-MSFT, so in my case here, I'd like to publish the App Service with the Database from OnPremise SQL:

Public Internet Users –connects via the internet--> App Service –gets the data from--> Local OnPremise SQL Database

or

Public Internet Users –connects via the internet--> Application gateway (WAF) –secure and protect --> App Service –gets the data from--> Local OnPremise SQL Database

I assume it is possible using the WAF to prevent the attack coming through the ExpressRoute to my OnPremise?



1 Vote
suvasara-MSFT answered MohankrishnaMaladi-2065 commented

@EnterpriseArchitect, if you deploy ExpressRoute between your Azure gateway and on-prem, then there is no need to deploy a firewall at the endpoints, as the connection is secured and protected. If you are using the Application Gateway load balancing solution here to either load balance or filter the incoming traffic with exclusion rules, then you can implement WAF in front of APPGW, as it has core rule sets that obey OWASP rules that avoid web exploits, SQL injections and other vulnerabilities.






Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.



@suvasara-MSFT can I just deploy one WAF in a centralized ResourceGroup, so that my WebApps, AppService and Azure VMs running a web server can be secured?
Or do I have to deploy one WAF per Resource Group?

1 Vote 1 ·

@suvasara-MSFT

Correct me if I am wrong: regardless of on-prem or external internet, all the requests should go through the WAF before reaching the App Services. What if someone from inside is trying to break the system? Please suggest.

0 Votes 0 ·
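
Added example (not from any poster in this thread and not a Microsoft template): a Bicep configuration for the second path in the question, Internet --> Application Gateway (WAF) --> App Service, which also closes the first, direct path so requests cannot skip the WAF. The resource names, API versions and the parameters `appServiceName` and `appGwSubnetId` are assumptions; the Application Gateway itself is not shown, and its subnet is assumed to have the `Microsoft.Web` service endpoint enabled.

```bicep
// Added example. Names, API versions and parameters are assumptions.
param location string = resourceGroup().location
param appServiceName string   // existing App Service to protect
param appGwSubnetId string    // resource ID of the Application Gateway subnet

// WAF policy with the OWASP managed rule set. The Application Gateway
// (not shown) must reference it through its firewallPolicy property.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: 'wafpol-example'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'      // 'Detection' only logs matches, it does not block
      requestBodyCheck: true  // inspect request bodies, not only URL and headers
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}

resource site 'Microsoft.Web/sites@2022-09-01' existing = {
  name: appServiceName
}

// Access restriction on the App Service: once an Allow rule exists, all other
// sources are denied, so the app's public hostname cannot be used to reach it
// without passing through the gateway and its WAF.
resource siteConfig 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: site
  name: 'web'
  properties: {
    ipSecurityRestrictions: [
      {
        name: 'allow-appgw-subnet'
        priority: 100
        action: 'Allow'
        vnetSubnetResourceId: appGwSubnetId
      }
    ]
  }
}

output wafPolicyId string = wafPolicy.id
```
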
0 Votes
suvasara-MSFT answered

@EnterpriseArchitect,

If you think your question has been answered, click "Mark as Answer"; if it just helped, click "Vote as helpful". This can be beneficial to other community members reading this forum thread.


Best regards
Subhash

