MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Application Gateway before Firewall Model - Errors #81512

Open shinojsn opened 2 years ago

shinojsn commented 2 years ago

The Application Gateway before Firewall model needs a revision of the Visio diagrams, and the steps are missing how the HTTPS traffic from on-prem to Azure is triaged and differentiated from non-HTTPS traffic reaching the same resource (e.g. a VM with IIS (443) and RDP (3389) access).

errors.docx



GitaraniSharma-MSFT commented 2 years ago

@shinojsn , thank you for your feedback. We'll review this and get back to you shortly!

GitaraniSharma-MSFT commented 2 years ago

@shinojsn , I believe you have tagged the wrong doc and the correct doc is as below: https://docs.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall

Hence, I have updated the issue with the correct doc link.

GitaraniSharma-MSFT commented 2 years ago

@erjosito , could you please review this feedback and provide your insights?

erjosito commented 2 years ago

Hey @shinojsn , I already answered you per email, hopefully that clarified some of your questions regarding the IP addresses. About how non-HTTP traffic flows, I am hesitant to include additional diagrams, since non-HTTP(S) traffic is not the focus of this doc. Essentially, for non-HTTP(S) flows the Application Gateway is not in the data path, so it is the normal traffic flow as documented in the Azure Firewall documentation. If it is not clear, I could include some notes in each section explaining how non-HTTP(S) traffic works. Would that help?

shinojsn commented 2 years ago

Hello Jose

Thanks for your response. I would appreciate it if you could look into updating the documents for the following, especially, as you mentioned, explaining more on HTTPS and non-HTTPS traffic triaging:

1) Document where the traffic originates from (e.g. from on-prem or from an Azure VM).

2) The design is to address securing HTTPS and non-HTTPS traffic with WAF and Azure Firewall, and it is quite vital to understand how both traffic patterns are triaged. (E.g., based on the feedback from Philip, all HTTPS traffic from on-prem and URLs for Azure App Services should resolve to the App Gateway, and then the App Gateway (listeners + rules) redirects the traffic to Azure Firewall using a UDR.) That part was missing in the document.

3) It will avoid some confusion if the Visio can be updated.

I appreciate your help in updating the documents, as we struggled to find this out and hope no one else will have difficulty around the same concerns in future.

Once again, thank you very much for looking into it and addressing the same.

Thank you Shinoj

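As an added example, not code from the issue thread or from the Architecture Center article, here is the routing piece described in point 2: a UDR on the Application Gateway subnet that steers the gateway's backend connections to Azure Firewall, with a matching route on the workload subnet for the return path. Resource names, the firewall private IP and the subnet prefixes are constructed placeholders; attaching each table to its subnet (the subnet's routeTable property) is left out.

```bicep
// Added example; Azure Firewall private IP and subnet prefix are constructed placeholders.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'   // placeholder: first usable IP of AzureFirewallSubnet
param workloadPrefix string = '10.0.2.0/24'   // placeholder: subnet hosting the IIS/RDP VM

// Route table for the Application Gateway subnet. The gateway terminates the inbound
// HTTPS flow and opens its own connection to the backend; this route sends that
// backend-bound connection through the firewall. Keep the prefix specific: the
// Application Gateway v2 subnet does not support a 0.0.0.0/0 route to a virtual appliance.
resource appGwRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-appgw-via-firewall'
  location: location
  properties: {
    routes: [
      {
        name: 'workload-via-firewall'
        properties: {
          addressPrefix: workloadPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Route table for the workload subnet. Replies to the gateway must take the same path
// so the firewall sees both directions of the flow; with asymmetric routing it cannot
// track the connection. Non-HTTP(S) traffic such as RDP (3389) never touches the
// gateway, so for it this default route is simply the normal through-the-firewall flow.
resource workloadRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-workload-via-firewall'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
```

The firewall rules then only need to allow the gateway subnet to reach the workload on 443 and on-prem ranges to reach it on 3389; nothing else should be able to reach the VM directly.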

erjosito commented 2 years ago

I have created PR https://github.com/MicrosoftDocs/architecture-center-pr/pull/3802 (not sure if you have access to it, since it is in the private repo). The challenge is that it is a lot of different flows (5 scenarios, 4 flows for each), and I don't want to distract the user with topics that are covered elsewhere. Hence I added a brief (but potentially confusing) paragraph in each of the 5 scenarios with some words about each flow. Does this help?

shinojsn commented 2 years ago

Good Morning Jose,

I am unable to access the private link.

Thanks Shinoj


erjosito commented 2 years ago

It has already been merged, so you can check the new paragraphs in the public link: https://docs.microsoft.com/azure/architecture/example-scenario/gateway/firewall-application-gateway. I tried to keep them short, so that the focus stays on inbound HTTPS flows. Still, do they clarify your questions better?

shinojsn commented 2 years ago

Thank you very much, Jose. Can I please request that the Visio be updated with the correct IP address, if it's not too much to ask? Everything else is perfect. Thank you.


erjosito commented 2 years ago

Can you be more specific about which diagram in particular and which IP address is wrong?