When to use Azure WAF or Azure Firewall ?

EnterpriseArchitect 5,516 Reputation points
2020-11-15T13:17:27.597+00:00

Hi Folks,

Can anyone here please share some thoughts and comments of when to use Azure WAF or Azure Firewall?
I have already existing Azure ExpressRoute so my Azure VMs can ping my OnPremise servers, and vice versa.

My purpose here is to be able to securely publish Azure Web Application & API that is accessing the database on my OnPremise SQL server.

Thanks in advance.

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
704 questions
Azure Web Application Firewall
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
97 questions
0 comments No comments
{count} votes

8 answers

Sort by: Most helpful
  1. suvasara-MSFT 10,056 Reputation points
    2020-11-16T08:32:43.497+00:00

    @EnterpriseArchitect , The Web Application Firewall (WAF) provides centralized inbound protection for your web applications hosted behind Azure services like Azure Application Gateway, Azure Front Door or Azure CDN from common exploits and vulnerabilities. Whereas AZURE Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    9 people found this answer helpful.

  2. suvasara-MSFT 10,056 Reputation points
    2020-11-17T13:55:53.88+00:00

    @EnterpriseArchitect , if you deploy ExpressRoute between your Azure gateway and On-prem then there is no need to deploy firewall at the endpoints as the connection is secured and protected. If you are using Application Gateway load balancing solution here to either load balance or filter the incoming traffic with exclusion rules, then you can implement WAF in front of APPGW as it has core rules sets that obeys OWASP rules that avoid web exploits, SQL injections and other vulnerabilities.

    40357-image.png

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    3 people found this answer helpful.

  3. EnterpriseArchitect 5,516 Reputation points
    2020-11-16T13:28:18.34+00:00

    Hi @suvasara-MSFT , so in my case here, I'd like to publish the App Service with the Database from OnPremise SQL:

    Public Internet Users –connects via the internet--> App Service –gets the data from--> Local OnPremise SQL Database

    or

    Public Internet Users –connects via the internet--> Application gateway (WAF) –secure and protect --> App Service –gets the data from--> Local OnPremise SQL Database

    I assume it is possible using the WAF to prevent the attack coming through the ExpressRoute to my OnPremise?

    0 comments No comments

  4. suvasara-MSFT 10,056 Reputation points
    2020-12-04T09:11:32.613+00:00

    @EnterpriseArchitect ,

    If you think your question has been answered, click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.


    Best regards
    Subhash

    0 comments No comments

  5. Salah 251 Reputation points
    2023-02-24T20:23:42.8733333+00:00

    Hi @EnterpriseArchitect i recommend you to follow the Hub and spoke network architecture, where Hub VNet will host all your security solutions such as Azure WAF, and Azure Firewall

    Your publish application hosted on Azure App Service will be protected from internet traffic using Azure WAF.

    https://zcusa.951200.xyz/en-us/azure/architecture/example-scenario/apps/fully-managed-secure-apps

    Hub and Spoke reference architecture

    https://zcusa.951200.xyz/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal

    https://zcusa.951200.xyz/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

    Azure Firewall is deployed in the Hub VNet to control traffic between the gateway's subnet and the resources in the spoke virtual networks

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.