How do I NAT multiple hosts on port 443 or 80 behind CloudGuard Azure firewall?
As a standard practice I am deploying vsec firewall in Azure with 1 Vnet and 4 subnets
10.1.3.0/24 Web Servers
What I understood from documents is
I need to put a route for 10.1.3.0 on the firewall and define a UDR in the Azure portal for outbound traffic. Now, since I have around 4 web servers in the 10.1.3.x network, I guess we are NATting all those servers behind the 10.1.1.x subnet or behind the firewall IP address.
In this case my original destination would be 10.1.1.10 [firewall external IP] and the translated destination IP would be 10.1.3.10 [web server].
For the next server, can I then use 10.1.1.20:443 [virtual IP from pool] and NAT it to 10.1.3.20:443 by adding proxy ARP for 10.1.1.20 on the firewall?
Look at the Cluster HA for Azure admin guide, from step 6.
You need to use the External LB to publish applications / web sites.
It involves some NAT rules and also allows you to have multiple public IP addresses, which can be used per application.
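To make the publishing model in the question and the reply concrete, here is an added example (not Check Point or Azure code, and not from either poster) that models a destination-NAT table for several web servers sharing port 443. It uses the 10.1.1.x / 10.1.3.x addresses from the thread; the third server 10.1.3.30 and the alternate frontend port 8443 are constructed for illustration. The two ways of avoiding a clash are shown: a separate frontend address per server (in Azure, an additional public IP on the External LB rather than proxy ARP), or the same address on a different port. The table refuses a rule whose original address and port are already taken, since such a rule could never match and would silently shadow a server.

```python
"""Model of destination-NAT publishing rules for web servers behind a firewall's
external addresses. Added example; addresses from the thread, 10.1.3.30 and
port 8443 constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class NatRule:
    original_dst: IPv4Address    # address the client connects to (frontend / external IP)
    original_port: int
    translated_dst: IPv4Address  # real server in the web-server subnet
    translated_port: int


class NatTable:
    """Ordered list of publishing rules; first match wins, as in a firewall rulebase."""

    def __init__(self):
        self.rules = []

    def add(self, rule):
        # Two rules with the same original address and port can never both match,
        # so reject the second one instead of silently shadowing that server.
        for existing in self.rules:
            if (existing.original_dst, existing.original_port) == (rule.original_dst, rule.original_port):
                raise ValueError(
                    f"{rule.original_dst}:{rule.original_port} is already published to "
                    f"{existing.translated_dst}:{existing.translated_port}")
        self.rules.append(rule)

    def translate(self, dst, port):
        """Return (translated address, translated port) for an inbound packet,
        or None when nothing is published on that address and port."""
        dst = ip_address(dst)
        for rule in self.rules:
            if rule.original_dst == dst and rule.original_port == port:
                return (str(rule.translated_dst), rule.translated_port)
        return None

    def frontend_addresses(self):
        """Distinct external addresses the table needs (one LB frontend / public IP each)."""
        return sorted(str(r.original_dst) for r in {r.original_dst for r in self.rules} and
                      [r for r in self.rules] if True) if False else \
            sorted({str(r.original_dst) for r in self.rules})


def rule(orig, oport, xlate, xport):
    return NatRule(ip_address(orig), oport, ip_address(xlate), xport)


def build_example_table():
    table = NatTable()
    # Server 1: first external address, port 443 (the case in the question).
    table.add(rule("10.1.1.10", 443, "10.1.3.10", 443))
    # Server 2: second external address, same port 443 (second frontend / public IP).
    table.add(rule("10.1.1.20", 443, "10.1.3.20", 443))
    # Server 3 (constructed): reuse the first external address on a different port.
    table.add(rule("10.1.1.10", 8443, "10.1.3.30", 443))
    return table


def try_conflicting_rule(table):
    """Attempt to publish a fourth server on an address:port already in use;
    returns the rejection message, or None if it was (wrongly) accepted."""
    try:
        table.add(rule("10.1.1.10", 443, "10.1.3.40", 443))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    nat = build_example_table()
    for dst, port in [("10.1.1.10", 443), ("10.1.1.20", 443), ("10.1.1.10", 8443), ("10.1.1.10", 80)]:
        print(f"{dst}:{port} -> {nat.translate(dst, port)}")
    print("frontends needed:", nat.frontend_addresses())
    print("conflict:", try_conflicting_rule(nat))
```

Each distinct external address the table reports is one more frontend IP configuration (with its own public IP) on the External LB, which is the "multiple Public IP addresses per application" point in the reply; port-based sharing keeps the address count down but changes the URL the customer's WAF must point at.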
Related to this question: the frontend LB and its public IP, if we are not doing any publishing, is there any reason they cannot be deleted? From studying the HA guides and SKs, their only purpose is inbound publishing?
The customer has an external WAF which is pointed to the CNAME or IP address of the servers. I am a little confused how the CG Cluster would fit here for inbound filtering for those servers, if inbound traffic is routed through the CG Azure cluster?
You can put the Application Gateway / WAF in front of the Cluster instead of the frontend LB.
I did it one time and the Application Gateway monitored the servers through the Cluster.
I don't really like this design, because the WAF does all the work with HTTP/S traffic and we are only seeing HTTP/S traffic coming from it after it was already scanned by the WAF, so we are only doing access control.