Can you place an Azure CloudGuard AppSec VMSS inline behind an Azure CloudGuard VMSS?
We have already installed a CloudGuard VMSS gateway at our customer site in Azure.
Now the customer wants either the Azure Application Gateway or CloudGuard AppSec to protect new, yet-to-be-built web applications. We advise CloudGuard AppSec, but our best practice is to have a small attack vector, and we want to place the CloudGuard AppSec behind the CloudGuard gateway.
Is that a feasible scenario? And do you know of any blueprints or examples like this?
Internet(clients) --> External Loadbalancer --> CloudGuard VMSS --> CloudGuard AppSec --> WebApp
Yes, it's supported; just one thing you need to take into consideration is that the AppSec is not going to see the original source IP address but the internal IP address of one of the CloudGuard VMSS instances, "LocalGatewayInternal".
In order to distinguish between the users, you will need to use a different method than the source IP address.