我在 Azure API 管理前面有 Azure 应用程序网关,并且可以看到,在 Internet 上的大多数可用方案中,Azure 应用程序网关和 Azure API 管理之间都有防火墙。
由于 Azure 应用程序网关本身就是一个防火墙,是否有任何理由将 Azure 防火墙置于其后面。
最佳答案
一般来说,这是一个经验法则。 Azure 防火墙适用于非 Web 传入流量和所有传出流量。应用程序网关 WAF 用于传入网络流量。
The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities.
Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
至于显示这两者的图表,这解释了它
Azure Firewall alone when there are no web applications in the virtual network.
Application Gateway alone when there are only web applications in the virtual network, and network security groups (NSGs) provide sufficient output filtering.
Azure Firewall and Application Gateway in parallel, the most common design, when you want Azure Application Gateway to protect HTTP(S) applications from web attacks, and Azure Firewall to protect all other workloads and filter outbound traffic.
Application Gateway in front of Azure Firewall when you want Azure Firewall to inspect all traffic and WAF to protect web traffic, and the application needs to know the client's source IP address.
Azure Firewall in front of Application Gateway when you want Azure Firewall to inspect and filter traffic before it reaches the Application Gateway.
关于Azure 应用程序网关 - 有什么理由让 Azure 防火墙落后?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64173906/