Azure App Gateway with backend Static Website in Storage account

GRAY Mike 161 Reputation points
2024-01-10T16:24:41.55+00:00

Hi,

I was hoping you may be able to help with a problem I may have. I currently have a static website hosted in a Storage Account. This static website calls a Function App API as the backend. We have deployed access to the website and Function API via an Application Gateway, where we have multi-site listeners for both routes on the gateway. The backend pools are the static website and the API.

The issue I have is that I have been asked to direct all the traffic via the Azure Firewall. This means creating routes for next-hop communication from the resources. If this was via VMs hosted in a network I have no issue with this. Can someone advise how I achieve this when using Storage Account static website hosting and a Function App API?

Thanks

Mike


Accepted answer
  1. Silvia Wibowo 3,906 Reputation points Microsoft Employee
    2024-01-15T22:52:46.53+00:00

    Hi @GRAY Mike, I understand that you need to put Azure Firewall behind an Application Gateway, then from Azure Firewall, traffic goes to Azure Storage Blob (static website).

    Let's break it down into 2 parts:

    1. Azure Firewall behind an App Gateway. There is no issue on this part, is there? App Gateway (with HTTPS listener, custom domain) -> HTTP Port 80 to Azure Firewall's public IP address.
    2. Azure Firewall in front of Azure Blob Storage (static website). Configure Azure Firewall with DNAT rule: receiving HTTP port 80 on Firewall's public IP address, translating it to HTTP port 80 of Private Endpoint IP address of Azure Storage Blob. Put Azure Storage Blob as anonymous access, disable public access, with private endpoint.

    With Azure Firewall DNAT rule, any reply traffic from Azure Storage Blob will go back to Azure Firewall. There will be no traffic initiated from Azure Storage Blob, all traffic will come from user -> App Gateway -> Azure Firewall -> Azure Storage Blob, and the reply traffic will traverse the same path, opposite direction.

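    The path the accepted answer describes (user -> App Gateway -> Azure Firewall DNAT -> storage static website over a private endpoint) carried through as an Az PowerShell script. This is an added example, not code from the thread; the resource names, the firewall and App Gateway public IPs, and the private endpoint subnet are assumptions.

```powershell
# Added example: wire App Gateway -> Azure Firewall (DNAT) -> storage static website
# over a private endpoint, as in the accepted answer. All names/addresses are assumed.
$rg      = 'rg-web'          # assumed resource group
$sa      = 'stweb001'        # assumed storage account; static website already enabled
$fwName  = 'fw-hub'          # assumed Azure Firewall using classic rule collections
$fwPip   = '203.0.113.10'    # assumed firewall public IP (documentation range)
$agwPip  = '203.0.113.20'    # assumed App Gateway frontend public IP (what the firewall sees)
$subnet  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub' |
           Get-AzVirtualNetworkSubnetConfig -Name 'snet-pe'   # assumed private endpoint subnet

# 1. Storage: anonymous blob reads allowed, public network access disabled.
$acct = Set-AzStorageAccount -ResourceGroupName $rg -Name $sa `
          -PublicNetworkAccess Disabled -AllowBlobPublicAccess $true

# 2. Private endpoint on the static-website ("web") sub-resource of the account.
$conn = New-AzPrivateLinkServiceConnection -Name "$sa-web" `
          -PrivateLinkServiceId $acct.Id -GroupId 'web'
$pe   = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$sa-web" -Location $acct.Location `
          -Subnet $subnet -PrivateLinkServiceConnection $conn
$peIp = $pe.CustomDnsConfigs[0].IpAddresses[0]   # private IP the DNAT rule will target

# 3. DNAT rule: firewall public IP :80 -> private endpoint IP :80.
#    Source is limited to the App Gateway's public IP so only it can reach the site.
$rule = New-AzFirewallNatRule -Name 'dnat-static-web' -Protocol 'TCP' `
          -SourceAddress $agwPip -DestinationAddress $fwPip -DestinationPort '80' `
          -TranslatedAddress $peIp -TranslatedPort '80'
$coll = New-AzFirewallNatRuleCollection -Name 'dnat-web' -Priority 100 -Rule $rule
$fw   = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$fw.AddNatRuleCollection($coll)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# 4. App Gateway backend setting: HTTP 80 towards the firewall public IP, with the Host
#    header overridden to the account's web endpoint so storage serves the request.
$webHost = ([uri]$acct.PrimaryEndpoints.Web).Host
$agw = Get-AzApplicationGateway -ResourceGroupName $rg -Name 'agw-web'   # assumed gateway
Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $agw -Name 'http-static-web' `
  -Port 80 -Protocol Http -CookieBasedAffinity Disabled -HostName $webHost | Out-Null
Set-AzApplicationGateway -ApplicationGateway $agw | Out-Null
```

    The backend pool for the static-website listener then points at `$fwPip`; the firewall sees the App Gateway's public IP as the source, which is why the DNAT rule allows only that address.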

1 additional answer

  1. Silvia Wibowo 3,906 Reputation points Microsoft Employee
    2024-01-11T03:39:42.6366667+00:00

    Hi @GRAY Mike, I understand that you need to put Azure Firewall in front of an Application Gateway.

    The configuration is described here: Azure Application Gateway after Azure Firewall. However, why is there a requirement to put Azure Firewall before App Gateway? Note that Azure Firewall SNATs the incoming traffic, so the application will not have visibility to the original IP address of the HTTP requests.

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
