Thank you for reaching out and posting a detailed question here.
Based on your question above.
Due to this setup the Firewall doesn't have visibility of the actual client IP, which makes it difficult to monitor traffic. Is there a way by which I can keep the Application Gateway as it is and remove any NAT, so that we can get the actual client IP on the Firewall?
Currently it is not possible to remove the NAT, as it is a limitation by design for Application Gateway. However, Application Gateway inserts an extra header, x-forwarded-for, which contains the original client IP, into all requests before it forwards them to the backend. More information can be found here.
If it helps and your objective here is to implement IP restriction, you can implement WAF for your Application Gateway, with which you can configure custom rules to implement IP restrictions as shown here. Since multiple production URLs/websites are published via your Application Gateway, you can configure per-site WAF policies in Application Gateway.
Based on your question above.
Also, if we replace the Application Gateway with a Load Balancer, can I achieve this use case?
Azure Load Balancer does preserve the client IP, as there is no NAT by default. In this case the Firewall in your setup will have visibility of the client IP. I think it will help if you could consider the following points.
- Load Balancer operates at layer 4 and doesn't provide application-layer gateway functionality, so you will not be able to manipulate the HTTP traffic using any rules. Protocol handshakes always occur directly between the client and the backend pool instance.
- There are two types of load balancers based on the frontend IP configuration. Private IP address selection creates an internal load balancer. Public IP address selection creates a public load balancer. So, you will have to create a public load balancer for your internet clients and an internal load balancer for your on-prem clients.
- It will also help to go through these limitations for the Load Balancer backend pool before implementing this architecture.
You can also take a look at Gateway Load Balancer and see if it suits your requirements.
If we use a Load Balancer, will I be able to publish URLs like I have done on Application Gateway?
Yes, you can add a DNS name label to the Public IP of the public Load Balancer, as shown below.
For an internal Load Balancer you can create a Private DNS Zone and create an A record for the private front-end IP. You can follow the steps mentioned in this thread.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
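As an added example (not part of the original answer or of any Azure SDK), the Python helper below shows how a backend behind the gateway can recover the client address from the x-forwarded-for header the answer mentions, so that application logs and monitoring see the real client even though the Firewall only sees the gateway's NAT address. It trusts the header only when the direct peer is inside a configured gateway range, walks the comma-separated entries from the right and skips trusted hops, validates each value with the standard ipaddress module, and tolerates an ip:port form (treat that form as an assumption to check against your own deployment). The subnet, addresses and header values are constructed for the demonstration.

```python
import ipaddress
from typing import Iterable, Optional


def strip_port(entry: str) -> str:
    """Return the bare IP from 'ip', 'ip:port' or '[ipv6]:port'."""
    entry = entry.strip()
    if entry.startswith("["):          # '[2001:db8::1]:443' -> '2001:db8::1'
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:          # '203.0.113.7:51234' -> '203.0.113.7'
        return entry.split(":")[0]
    return entry                        # bare IPv4, or bare IPv6 (two or more colons)


def client_ip_from_xff(xff_header: Optional[str], peer_ip: str,
                       trusted_proxies: Iterable[str]) -> Optional[str]:
    """Rightmost x-forwarded-for entry that is not a trusted proxy hop.

    peer_ip is the address of the TCP peer (the gateway's NAT address when the
    request came through the gateway).  If the peer is not a trusted proxy the
    header could have been set by anyone, so the peer address itself is returned.
    Returns None when the header is missing or contains an unparsable entry.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in trusted)

    if not is_trusted(peer_ip):
        return peer_ip
    if not xff_header:
        return None
    # Each proxy appends the address it saw, so the client is the rightmost
    # entry once the known proxy hops have been skipped.
    for raw in reversed(xff_header.split(",")):
        try:
            ip = strip_port(raw)
            ipaddress.ip_address(ip)   # raises ValueError on garbage
        except ValueError:
            return None
        if not is_trusted(ip):
            return ip
    return None


if __name__ == "__main__":
    # Constructed values: the gateway's backend subnet and a request it forwarded.
    GATEWAY_RANGES = ["10.0.1.0/24"]
    print(client_ip_from_xff("203.0.113.7:51234", "10.0.1.4", GATEWAY_RANGES))
    print(client_ip_from_xff("203.0.113.7, 198.51.100.9:4321", "10.0.1.4", GATEWAY_RANGES))
```

For a request that bypassed the gateway (a peer outside the trusted range) the function ignores the header entirely, which is the property that matters if the derived address is later used for IP restriction or log correlation.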