Azure Application gateway - is there any reason to keep Azure firewall BEHIND?

I have Azure Application Gateway in front of Azure API Management, and I can see that in most of the scenarios available on the Internet there is a firewall between Azure Application Gateway and Azure API Management.

Since Azure Application Gateway is itself a firewall, is there any reason to keep Azure Firewall behind it?

Application Gateway has a WAF capability; it is a Layer 7 firewall. Since your application is an API, your Layer 7 firewall is more than enough. In addition, you can enable DDoS for your VNET, so that if the public IP of your Application Gateway is attacked, the DDoS protection plan will handle it.

Adding Azure Firewall between Application Gateway and APIM does not make much sense to me, unless you want to control the outbound traffic that APIM sends to the Internet. Azure Firewall has application rules, in which you can block traffic sent to certain sites or URLs.

Regards, Msrini
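The outbound control mentioned in the answer above, as an added example that is not part of the original post: an Azure Firewall Policy rule collection group with one application rule that lets the APIM subnet reach a single FQDN over HTTPS. Azure Firewall denies any traffic that matches no rule, so every other destination APIM tries to reach from this subnet is blocked. The policy name, subnet range and target FQDN are assumed placeholders.

```bicep
// Existing Azure Firewall Policy attached to the firewall between
// Application Gateway and APIM (name is an assumption).
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'fw-policy-hub'
}

// Rule collection group holding the egress allow-list for the APIM subnet.
resource apimEgress 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'apim-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'apim-allowed-fqdns'
        priority: 100
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-apim-to-approved-backend'
            // Address range of the APIM subnet (assumed value).
            sourceAddresses: [
              '10.0.2.0/24'
            ]
            // Only HTTPS is permitted; plain HTTP to this FQDN is still denied.
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            // Placeholder destination; replace with the backend APIM must reach.
            targetFqdns: [
              'api.backend.example'
            ]
          }
        ]
      }
    ]
  }
}
```

Traffic that hits the firewall's implicit deny is visible in the AZFWApplicationRule log category, which is the place to look when APIM calls start failing after the rule is deployed.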

Generally speaking, as a rule of thumb: Azure Firewall is used for non-web inbound traffic and all outbound traffic. App Gateway WAF is used for inbound web traffic.

The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities.

Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

Reference: Azure Firewall FAQ

As for the diagram showing the two of them, it illustrates the point:

Azure Firewall alone when there are no web applications in the virtual network.

Application Gateway alone when there are only web applications in the virtual network, and network security groups (NSGs) provide sufficient output filtering.

Azure Firewall and Application Gateway in parallel, the most common design, when you want Azure Application Gateway to protect HTTP(S) applications from web attacks, and Azure Firewall to protect all other workloads and filter outbound traffic.

Application Gateway in front of Azure Firewall when you want Azure Firewall to inspect all traffic and WAF to protect web traffic, and the application needs to know the client's source IP address.

Azure Firewall in front of Application Gateway when you want Azure Firewall to inspect and filter traffic before it reaches the Application Gateway.

Reference: Azure Virtual Network security