Azure Application gateway - is there any reason to keep Azure firewall BEHIND?

Question

I have Azure Application gateway in front of Azure API management and could see that in most of the scenarios available on the Internet has firewall in between the Azure Application gateway and Azure API management.

Being Azure Application gateway itself is a firewall, is there any reason to keep Azure firewall BEHIND it.

Answer 1

In general as a rule of thumb. Azure Firewall is for non-web incoming traffic and all outgoing traffic. App Gateway WAF is for incoming web traffic.

The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities.

Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

Ref: Azure Firewall FAQ

As to diagrams that show both this explains it

Azure Firewall alone when there are no web applications in the virtual network.

Application Gateway alone when there are only web applications in the virtual network, and network security groups (NSGs) provide sufficient output filtering.

Azure Firewall and Application Gateway in parallel, the most common design, when you want Azure Application Gateway to protect HTTP(S) applications from web attacks, and Azure Firewall to protect all other workloads and filter outbound traffic.

Application Gateway in front of Azure Firewall when you want Azure Firewall to inspect all traffic and WAF to protect web traffic, and the application needs to know the client's source IP address.

Azure Firewall in front of Application Gateway when you want Azure Firewall to inspect and filter traffic before it reaches the Application Gateway.

ref: Azure Virtual Network security

Answer 2

Application Gateway has a WAF feature which is a layer 7 firewall. Since your Application is an API, you layer 7 firewall is more than enough. Also, you can enable DDOS to your VNET so if there is an attack on your Application Gateway's Public IP, then it is taken care by the DDOS protection plan.

Adding Azure firewall between Application Gateway and the APIM doesn't make much sense to me unless and until you want to control the outbound data sent by your APIM to Internet. Azure firewall has Application Security rules, where you can block sending traffic to certain sites or URL.

Regards, Msrini