davidobrien1985 / davidobrien1985.github.io


Azure Front Door #7

Open davidobrien1985 opened 5 years ago

SWGElyyyji commented 5 years ago

Hi David,

Thank you for the good article about Azure Front Door. Maybe I'm stupid, but I'm evaluating Front Door and can't find a hint on how to connect Front Door with WAF enabled to an Azure Firewall Hub and route requests to PaaS backends. Do I have to work with the Application Gateway additionally?

Thanks

Steven

davidobrien1985 commented 5 years ago

Hi @SWGElyyyji,

Thanks for leaving a comment. The documentation on this is a bit minimalistic at the moment, yes. Do you mean something like what I explained in the article?

Azure Front Door -> Azure Firewall -> application (VMSS, App Service, Function)

The way we achieved this is by configuring Firewall to do a DNAT to the backend PaaS service (VMSS in our case).

So the firewall public address translates to the private address of the VMSS load balancer. Front Door will route requests to the Firewall in each region.

Hope that helps, David
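The DNAT arrangement David describes, written out as a Bicep fragment. This is an added example, not code from the article or the issue; it assumes an Azure Firewall with classic rules in the hub VNet, and every name, address and parameter value is a constructed placeholder.

```bicep
// Added example: Azure Firewall DNAT so that the firewall's public IP is the Front Door
// backend address and traffic is translated to the private IP of the VMSS internal load
// balancer. All names and addresses below are constructed placeholders.
param location string = resourceGroup().location
param firewallName string = 'fw-hub-example'      // placeholder name
param firewallSubnetId string                      // resource id of AzureFirewallSubnet
param firewallPublicIpId string                    // resource id of the Standard public IP
param firewallPublicIp string                      // the same public IP as a string (Front Door backend address)
param ilbPrivateIp string = '10.10.1.4'            // constructed: VMSS internal LB frontend IP
param frontDoorEgressRanges array                  // Front Door backend IP ranges published by Microsoft

resource fw 'Microsoft.Network/azureFirewalls@2021-05-01' = {
  name: firewallName
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: firewallSubnetId }
          publicIPAddress: { id: firewallPublicIpId }
        }
      }
    ]
    natRuleCollections: [
      {
        name: 'frontdoor-dnat'
        properties: {
          priority: 100
          action: { type: 'Dnat' }
          rules: [
            {
              name: 'https-to-vmss-ilb'
              protocols: [ 'TCP' ]
              // Restrict the DNAT to Front Door's egress ranges so the backend cannot be
              // reached directly on the firewall's public IP, bypassing the WAF.
              sourceAddresses: frontDoorEgressRanges
              destinationAddresses: [ firewallPublicIp ]
              destinationPorts: [ '443' ]
              translatedAddress: ilbPrivateIp
              translatedPort: '443'
            }
          ]
        }
      }
    ]
  }
}
```

Deploy one such firewall (and rule) per region and point the Front Door backend pool at each firewall's public IP; the health probe and routing in Front Door then select the regional firewall, which forwards to the local VMSS.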

brreisner commented 4 years ago

Awesome post. I'm struggling with this very scenario currently with the Azure FastTrack team, but with providing SSL communication from Front Door -> App Gateway, then simply HTTP from App Gateway to the backend.

I understand that Front Door does a certificate name check against the hostname listed in the backend pool, and that in order for this to work it must be a different domain than the incoming frontend host on Front Door that is publicly resolvable and for which we have a certificate. What I'm not clear on is how to achieve this with, say, 30 domains behind an App Gateway. I would hope I would not need a custom proxy domain per listener and instead could configure a default SSL listener, which I would use as the backend pool host for all backends simply to establish an SSL connection, then include the unique App Gateway domain listener name in the host header field.

Even though your scenario is somewhat different, I think the logic will still apply. So I am curious how you handled having multiple domains behind the firewall fronted via Front Door, and what your bindings per site looked like to achieve this. Again, hoping for a scenario where we only need a single interim / proxy domain simply to establish the SSL communication for all backend domains.

Hopefully that all makes sense. I would very much like to discuss further if there is any ambiguity, as I am having a hard time finding much on the topic until I came across your post. I will be testing this further but wanted to get this question posted and hear more on your experience. Very helpful, keep up the good work!