Hi, I’m designing a secure architecture for a web application hosted on Azure Kubernetes Service (AKS) and would appreciate insights on my current design and some specific questions I have.
Current Architecture Design
Ingress Traffic Flow
Clients → Azure Front Door Premium → Private Link → Internal Load Balancer → NGINX Ingress (AKS) → Pods
Security Features:
- WAF protection via Azure Front Door Premium
- DDoS protection
- Private Link connectivity
Egress Traffic Flow
AKS Pods → UDR Rules → Azure Firewall Premium (IDPS/TLS Inspection) → Internet
Questions & Considerations
1. Adding Azure Firewall to Ingress Path
I’m considering this alternative ingress flow:
Clients → Azure Front Door Premium → Azure Firewall Premium (Public IP + IDPS) → DNAT to Internal Load Balancer → AKS Cluster
Questions:
- Is this approach viable and does it provide meaningful security benefits?
- Do I need IDPS inspection for inbound web application traffic, or is WAF sufficient?
2. Secure Front Door to Firewall Connectivity
- How can I securely connect Azure Front Door to Azure Firewall’s public IP?
- I understand Private Link and NSG restrictions don’t apply here - are there other secure connection methods?
- What are the best practices for this type of connection?
3. Additional Security Measures
- Should I consider Azure Application Gateway in addition to or instead of some components?
- Are there other security controls I should implement to maximize the security posture?
- Any recommendations for defense-in-depth improvements?
Specific Goals
- Maximize security posture for production web application
- Implement defense-in-depth strategy
- Ensure proper traffic inspection and filtering
- Maintain performance and availability
Would appreciate any feedback on the architecture design, answers to my specific questions, or suggestions for additional security improvements.
Thanks in advance for your expertise!