Hi @GRAY Mike, I understand that you need to put Azure Firewall behind an Application Gateway, then from Azure Firewall, traffic goes to Azure Storage Blob (static website).
Let's break it down into 2 parts:
- Azure Firewall behind an App Gateway. There is no issue on this part, is there? App Gateway (with HTTPS listener, custom domain) -> HTTP Port 80 to Azure Firewall's public IP address.
- Azure Firewall in front of Azure Blob Storage (static website). Configure Azure Firewall with a DNAT rule: receive HTTP port 80 on the Firewall's public IP address and translate it to HTTP port 80 of the Private Endpoint IP address of Azure Storage Blob. Set Azure Storage Blob to anonymous access, disable public access, and use a private endpoint.
With the Azure Firewall DNAT rule, any reply traffic from Azure Storage Blob will go back to Azure Firewall. There will be no traffic initiated from Azure Storage Blob; all traffic will come from user -> App Gateway -> Azure Firewall -> Azure Storage Blob, and the reply traffic will traverse the same path in the opposite direction.
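The second part of the answer above (storage account locked to a private endpoint, plus the Azure Firewall DNAT rule that forwards port 80 from the firewall's public IP to that endpoint) as an added Bicep example. This is not code from the answer's author or from Microsoft; the resource names, the firewall public IP, the App Gateway subnet prefix, the private endpoint IP and the existing firewall policy name are all assumptions for illustration.

```bicep
// Added example: Azure Firewall DNAT -> storage static-website private endpoint.
// Every name, address range and IP below is an assumption, not a value from the thread.
param location string = resourceGroup().location
param storageAccountName string = 'stwebexample01'   // assumed account name
param peSubnetId string                               // subnet for the private endpoint (assumed, existing)
param fwPublicIp string = '20.0.0.10'                 // firewall public IP (assumed)
param appGwSubnetPrefix string = '10.0.1.0/24'        // App Gateway subnet (assumed)
param storagePeIp string = '10.0.2.10'                // static IP for the private endpoint (assumed)

// Storage account: the $web container is served anonymously (static website),
// but the public endpoint is disabled so only the private endpoint can reach it.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    allowBlobPublicAccess: true        // anonymous read of the static-website content
    publicNetworkAccess: 'Disabled'    // nothing reaches the account over the public endpoint
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
    }
  }
}

// Private endpoint for the static-website ('web') sub-resource, pinned to a known
// private IP so the DNAT rule below can reference it without a lookup.
resource storagePe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageAccountName}-web'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'web'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'web' ]
        }
      }
    ]
    ipConfigurations: [
      {
        name: 'web-ipconfig'
        properties: {
          groupId: 'web'
          memberName: 'web'             // assumed member name for the 'web' sub-resource
          privateIPAddress: storagePeIp
        }
      }
    ]
  }
}

// Existing firewall policy (assumed name) that the DNAT rule collection is attached to.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'fw-policy'
}

// DNAT rule: TCP/80 on the firewall public IP -> TCP/80 on the private endpoint.
// The source is restricted to the App Gateway subnet (an added hardening, not
// something the answer specifies) so the firewall public IP is not an open path
// to the storage account for anyone on the Internet.
resource dnatRcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'DefaultDnatRuleCollectionGroup'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'rc-dnat-static-website'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'http-to-storage-web-pe'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ appGwSubnetPrefix ]
            destinationAddresses: [ fwPublicIp ]
            destinationPorts: [ '80' ]
            translatedAddress: storagePeIp
            translatedPort: '80'
          }
        ]
      }
    ]
  }
}
```

Two things to check when deploying something like this: the DNAT rule only rewrites the destination IP, so the HTTP Host header that App Gateway sends is what the storage front end sees; the static-website endpoint expects its own FQDN (the `*.web.core.windows.net` name) in that header, so the App Gateway backend setting should override the host name to that FQDN rather than passing through the custom domain. And because the DNAT sends every reply back through the firewall, verify the firewall's logs show the translated flow before narrowing `sourceAddresses` further.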