Azure Security Architecture Design - Need Expert Guidance

Azure Security Architecture Design - Need Expert Guidance

Hi, I'm designing a secure architecture for a web application hosted on Azure Kubernetes Service (AKS) and would appreciate insights on my current design and some specific questions I have.

Current Architecture Design

Ingress Traffic Flow

Clients → Azure Front Door Premium → Private Link → Internal Load Balancer → NGINX Ingress (AKS) → Pods

Security Features:

WAF protection via Azure Front Door Premium

DDoS protection

Private Link connectivity

Egress Traffic Flow

AKS Pods → UDR Rules → Azure Firewall Premium (IDPS/TLS Inspection) → Internet

Questions & Considerations

1. Adding Azure Firewall to Ingress Path

I'm considering this alternative ingress flow:

Clients → Azure Front Door Premium → Azure Firewall Premium (Public IP + IDPS) → DNAT to Internal Load Balancer → AKS Cluster

Questions:

Is this approach viable and does it provide meaningful security benefits?

Do I need IDPS inspection for inbound web application traffic, or is WAF sufficient?

2. Secure Front Door to Firewall Connectivity

How can I securely connect Azure Front Door to Azure Firewall's public IP?

I understand Private Link and NSG restrictions don't apply here - are there other secure connection methods?

What are the best practices for this type of connection?

3. Additional Security Measures

Should I consider Azure Application Gateway in addition to or instead of some components?

Are there other security controls I should implement to maximize the security posture?

Any recommendations for defense-in-depth improvements?

Specific Goals

Maximize security posture for production web application

Implement defense-in-depth strategy

Ensure proper traffic inspection and filtering

Maintain performance and availability

Would appreciate any feedback on the architecture design, answers to my specific questions, or suggestions for additional security improvements.

Thanks in advance for your expertise!