File: articles/app-service/environment/firewall-integration.md
Lines changed: 16 additions & 3 deletions
@@ -11,7 +11,7 @@ ms.workload: na
11
11
ms.tgt_pltfrm: na
12
12
ms.devlang: na
13
13
ms.topic: article
14
-
ms.date: 03/12/2019
14
+
ms.date: 06/11/2019
15
15
ms.author: ccompy
16
16
ms.custom: seodec18
17
17
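Review bot: The only change in this hunk is the ms.date bump from 03/12/2019 to 06/11/2019, which matches the new "System architecture" section added below; no further metadata (for example ms.topic) needs to move, so this hunk is fine as is.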
@@ -27,6 +27,21 @@ The ASE outbound dependencies are almost entirely defined with FQDNs, which do n
27
27
28
28
The solution to securing outbound addresses lies in use of a firewall device that can control outbound traffic based on domain names. Azure Firewall can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination.
29
29
30
+
## System architecture
31
+
32
+
Deploying an ASE with outbound traffic going through a firewall device requires changing routes on the ASE subnet. Routes operate at an IP level. If you are not careful in defining your routes, you can force TCP reply traffic to source from another address. This is called asymmetric routing and it will break TCP.
33
+
34
+
There must be routes defined so that inbound traffic to the ASE can reply back the same way the traffic came in. This is true for inbound management requests and it is true for inbound application requests.
35
+
36
+
The traffic to and from an ASE must abide by the following conventions
37
+
38
+
* The traffic to Azure SQL, Storage and Event Hub are not supported with use of a firewall device. This traffic must be sent directly to those services. The way to make that happen is to configure service endpoints for those three services.
39
+
* Route table rules must be defined that send inbound management traffic back from where it came.
40
+
* Route table rules must be defined that send inbound application traffic back from where it came.
41
+
* All other traffic leaving the ASE can be sent to your firewall device with a route table rule.
42
+
43
+
![ASE with Azure Firewall connection flow][5]
44
+
30
45
## Configuring Azure Firewall with your ASE
31
46
32
47
The steps to lock down egress from your existing ASE with Azure Firewall are:
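Review bot: The bullet list states that management and application reply traffic must be routed "back from where it came" but never says those route table rules have to be more specific than the rule that sends "all other traffic" to the firewall device; a reader who only adds the catch-all route to the firewall produces exactly the asymmetric routing the second paragraph warns "will break TCP", so suggest adding a sentence after the list such as "These routes must be more specific than the route that sends all other traffic to the firewall, otherwise reply traffic is sent to the firewall and the connection fails." Two smaller points in the same added text: the lead-in "must abide by the following conventions" should end with a colon, and the first bullet has a subject/verb mismatch ("The traffic to Azure SQL, Storage and Event Hub are not supported" should read "is not supported"). It would also help to say explicitly that traffic sent directly via service endpoints does not pass through the firewall at all, so the FQDN rules configured there do not apply to SQL, Storage or Event Hub traffic; that is the practical consequence of "This traffic must be sent directly to those services."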
@@ -65,8 +80,6 @@ If your applications have dependencies, they need to be added to your Azure Fire
65
80
66
81
If you know the address range that your application request traffic will come from, you can add that to the route table that is assigned to your ASE subnet. If the address range is large or unspecified, then you can use a network appliance like the Application Gateway to give you one address to add to your route table. For details on configuring an Application Gateway with your ILB ASE, read [Integrating your ILB ASE with an Application Gateway](https://docs.microsoft.com/azure/app-service/environment/integrate-with-application-gateway)
67
82
68
-
![ASE with Azure Firewall connection flow][5]
69
-
70
83
This use of the Application Gateway is just one example of how to configure your system. If you did follow this path, then you would need to add a route to the ASE subnet route table so the reply traffic sent to the Application Gateway would go there directly.
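Review bot: Moving the `![ASE with Azure Firewall connection flow][5]` image out of this section and into the new "System architecture" section is the right place for it, but the reference-style definition for `[5]` lives outside this diff; please confirm it is still present in the file, since the image would otherwise render as literal text in its new location. Minor style point in the unchanged context: the sentence ending with the link text "Integrating your ILB ASE with an Application Gateway" is missing its terminating period.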