I’ve recently deployed a solution for a customer hosting their ADFS and WAP servers in their Azure IaaS tenant and thought I’d share the experience.
I know there are many posts on setting up ADFS with WAP, so I won’t repeat that here, but I’ve not seen many that discuss the networking side. After all, Microsoft’s whitepaper just shows the machines in “the cloud” without showing how the networking is configured, and good security practice dictates that we restrict traffic to our external-facing machines as much as possible, as well as restricting their access to internal resources.
In a vNet all subnets are fully routable to each other, so if the WAP is compromised it could be used to reach other machines on the network. Whilst this might not be too much of a problem (you do have Windows Firewall turned on, don’t you?), it’s best to replicate an on-premises topology, with the WAP servers in a perimeter network and the ADFS servers safely on a secure internal network.
How do you do this? Well, Network Security Groups, of course! Whilst I posted a separate post on them in general, I thought I’d share the design I followed in this instance.
I created two separate Network Security Groups (DMZ_NSG and Internal_NSG) and applied them to their respective subnets. I then set about adding the new rules to restrict traffic, as shown in the image above.
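As an added example (not code from the original post), here is how the two NSGs and their subnet associations could be scripted with the Az PowerShell module. The resource group, vNet, subnet names and address ranges are assumed values; the design only needs HTTPS (443) inbound from the Internet to the WAP subnet and HTTPS from the WAP subnet to the ADFS subnet, with everything else from the perimeter dropped.

```powershell
# Added example (not from the original post): NSG design for a WAP perimeter
# subnet and an ADFS internal subnet. Resource group, vNet, subnet names and
# address ranges below are assumed values; adjust them to your tenant.
$rg             = 'adfs-rg'
$location       = 'northeurope'
$vnetName       = 'adfs-vnet'
$dmzPrefix      = '10.0.1.0/24'   # WAP (perimeter) subnet, assumed
$internalPrefix = '10.0.2.0/24'   # ADFS (internal) subnet, assumed

# DMZ_NSG: only HTTPS from the Internet may reach the WAP servers. Azure's
# default rules (priority 65000 and above) still allow vNet-sourced traffic in
# and deny any other Internet-sourced traffic.
$dmzRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-Internet' `
        -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix $dmzPrefix -DestinationPortRange 443
)
$dmzNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'DMZ_NSG' -SecurityRules $dmzRules

# Internal_NSG: the perimeter subnet may only talk to ADFS on 443. The explicit
# Deny sits below the default AllowVnetInBound rule (priority 65000), which would
# otherwise let a compromised WAP reach every internal machine.
$internalRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-DMZ' `
        -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $dmzPrefix -SourcePortRange '*' `
        -DestinationAddressPrefix $internalPrefix -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'Deny-All-From-DMZ' `
        -Priority 110 -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix $dmzPrefix -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$internalNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'Internal_NSG' -SecurityRules $internalRules

# Attach each NSG to its subnet and commit the vNet change.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'DMZ' `
    -AddressPrefix $dmzPrefix -NetworkSecurityGroup $dmzNsg | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Internal' `
    -AddressPrefix $internalPrefix -NetworkSecurityGroup $internalNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: list the custom rules now applied to the internal subnet's NSG.
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'Internal_NSG' |
    Select-Object -ExpandProperty SecurityRules |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

Because NSG rules are evaluated lowest priority number first, the Allow at 100 must stay numerically below the Deny at 110; check the effective rules on the ADFS NIC after applying if you later add management rules.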