Nutshell Series

πŸ›‘οΈ Setting Up a DMZ in Azure: Approaches & Best Practices

Manjunath

A DMZ (Demilitarized Zone) in Azure is a network security boundary where incoming and outgoing internet traffic is inspected and controlled before reaching backend workloads. Unlike on-premises, Azure provides multiple virtualized patterns to achieve the same security principles.

1. DMZ with Azure Firewall (Recommended)

  • Place an Azure Firewall in a Hub VNet (DMZ subnet).
  • All inbound/outbound traffic flows through the firewall.
  • Use DNAT for inbound internet traffic (public IP β†’ private workload).
  • Use SNAT for outbound traffic to hide internal IPs.
  • Combine with Application Gateway (WAF) for L7 protection.

Use case: Centralized security, enterprise landing zones, compliance-heavy apps.

2. DMZ with Network Virtual Appliances (NVA)

  • Deploy 3rd party firewalls (Fortinet, Palo Alto, CheckPoint, Cisco ASA) in a DMZ subnet.
  • NVAs provide advanced features like IPS/IDS and SSL inspection.
  • Route internet traffic β†’ NVA β†’ internal VNets.
  • Requires high availability setup (at least 2 NVAs).

Use case: Enterprises with existing firewall vendor lock-in or advanced packet inspection needs.

3. DMZ using Application Gateway + WAF

  • Use Azure Application Gateway (AGW) with WAF as the public-facing endpoint.
  • Only web workloads (HTTP/HTTPS) are exposed.
  • AGW forwards traffic to backend workloads in private VNets.
  • Can be combined with Azure Firewall for layered security.

Use case: Web applications needing L7 security and SSL offloading.

4. DMZ with Bastion Host for Admin Access

  • Use Azure Bastion instead of exposing RDP/SSH via public IPs.
  • Admins log in securely through the Azure Portal over SSL.
  • No inbound ports (22/3389) exposed to the internet.

Use case: Secure administration of VMs without VPN.

5. DMZ in Hub-and-Spoke Architecture

  • Hub VNet = DMZ containing Azure Firewall, Bastion, VPN/ExpressRoute Gateway.
  • Spoke VNets = Workloads such as apps, databases, and services.
  • Internet and on-prem traffic always flows through the Hub (DMZ).

Use case: Enterprise-scale setups with centralized governance.

6. DMZ with Azure Front Door + WAF

  • Use Azure Front Door (AFD) as the global edge entry point.
  • Provides DDoS protection, WAF, SSL offloading, and global load balancing.
  • AFD forwards traffic β†’ App Gateway/Azure Firewall β†’ backend workloads.

Use case: Global apps needing low latency, DDoS protection, and CDN caching.

πŸ”’ Best Practices for Azure DMZ

  • Enable Azure DDoS Protection on the VNet hosting the DMZ.
  • Use NSGs (Network Security Groups) for subnet-level filtering.
  • Apply User Defined Routes (UDRs) to force traffic through Firewall/NVA.
  • Keep the DMZ in its own subnet, separate from workloads.
  • Log all DMZ traffic to Azure Monitor / Sentinel for auditing.

βœ… Summary

  • Modern cloud-native apps: Azure Firewall + Application Gateway (WAF).
  • Web-only apps: Application Gateway WAF or Front Door WAF.
  • Legacy lift-and-shift: NVAs replicate on-prem firewall policies.
  • Enterprise landing zones: Hub-and-Spoke with DMZ hub.

Leave a comment