Hello @Mohamed Elashkr ,
Apologies for the delay in response.
I understand that you would like to implement a Hub-Spoke architecture with Azure Firewall deployed in the Hub and Application Gateway in the Spoke, and that the incoming requests should be routed by Azure Front Door to the Application Gateway in the spoke VNet via the Azure Firewall in the Hub VNet.
I discussed this scenario with the Product Group team and below is their response:
This is not a common use case. Not sure why Azure Firewall is preferred instead of using Azure Front Door WAF or Application Gateway WAF unless you have a specific L3/L4 traffic filtering use case.
While we have not tried routing requests from Azure Front Door to Azure Firewall as backend, it should be possible.
We’d ask you to try out the following and see if the requests are being routed correctly:
- Set up an Azure Front Door profile.
- While adding an origin, choose “Custom” as the origin type.
- Under hostname, give the public IP address of the Azure Firewall.
Then you can refer to the doc below on how to configure Application Gateway after Azure Firewall:
https://video2.skills-academy.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-after-firewall
You need to configure DNAT rules to make sure that the Azure Firewall will DNAT (and SNAT) the packets to the private IP address of the Application Gateway. Standard VNet routing will make sure that return traffic from the Azure VMs goes back to the Application Gateway, and from the Application Gateway to the Azure Firewall if DNAT rules were used.
To integrate your ILB App Service Environment with the Azure Application Gateway, please refer to the doc below:
https://video2.skills-academy.com/en-us/azure/app-service/environment/integrate-with-application-gateway
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
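The DNAT rule described in the answer above, sketched with the Azure CLI as an added example (not part of the original answer or the Product Group's response). It assumes classic firewall rules rather than a Firewall Policy, and the `azure-firewall` CLI extension; every resource name and IP address is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example: all names and addresses are constructed placeholders.
RG="rg-hub"                   # hypothetical hub resource group
FW_NAME="fw-hub"              # hypothetical Azure Firewall name
FW_PUBLIC_IP="203.0.113.10"   # constructed: firewall public IP (the Front Door origin)
APPGW_PRIVATE_IP="10.1.0.4"   # constructed: Application Gateway private frontend IP
SRC="*"                       # any source; narrow to the ranges Front Door connects from

# Prefix check for RFC 1918 space, so a rule is never built that
# translates to a public address instead of the Application Gateway.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[0-1].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the az command for one DNAT rule.
# Arguments: <firewall public IP> <port> <translated private IP>
dnat_rule_cmd() {
  dest_ip=$1 port=$2 target_ip=$3
  if ! is_private_ipv4 "$target_ip"; then
    echo "translated address $target_ip is not a private IPv4 address" >&2
    return 1
  fi
  printf 'az network firewall nat-rule create'
  printf ' --resource-group %s --firewall-name %s' "$RG" "$FW_NAME"
  printf ' --collection-name afd-to-appgw --priority 200 --action Dnat'
  printf ' --name https-to-appgw --protocols TCP'
  printf " --source-addresses '%s'" "$SRC"
  printf ' --destination-addresses %s --destination-ports %s' "$dest_ip" "$port"
  printf ' --translated-address %s --translated-port %s\n' "$target_ip" "$port"
}

# Print the command for review; nothing is applied to Azure here.
dnat_rule_cmd "$FW_PUBLIC_IP" 443 "$APPGW_PRIVATE_IP"
```

The script only prints the command so it can be reviewed before it is run against a subscription.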