A lot of questions get asked when you try to convince a customer to set up their unbreakable on-premises DMZs on Azure or any other public cloud. The IT teams especially are very particular, and quite skeptical, about it being done in a cloud environment.

I could hear The Times They Are A-Changin’ (Bob Dylan) playing in my head when I had to start setting up something like the above for a customer recently. Obviously, I was super excited, and I knew this was going to be a worthy challenge.

So, before I begin, I will share what I ended up staring at eventually:


For lack of rights to paste a Visio diagram, and given my ability to draw in Word, this is as close as I could get to how a 3-year-old would draw once he saw a Visio diagram. So, the setup:

  • If you really want those traffic logs, then you need a firewall sitting out in front. We used Checkpoint from the Azure Marketplace. For obvious reasons, we needed a multi-NIC setup, and we chose to have separate subnets for the Checkpoint NICs.
  • The traffic from the Web/App servers was forced through Checkpoint using Azure User Defined Routing (UDR), which works great but is PowerShell-only for now. The App subnets forwarded their traffic through the backend NIC of Checkpoint.
  • Now the interesting bit: why the NSGs on the front-end to back-end subnet communications? Well, it’s up to the customer’s requirements, but in our case we were not so interested in collecting the backend communication logs, so we spared the backend communication the UDR through Checkpoint.
  • The obvious Checkpoint configuration needs to be done.
  • Multiple Public IPs for Checkpoint.
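
The routing and NSG split described in the list above, as an added example (not the author's script): it is written against the Az PowerShell module, which may differ from the cmdlets the author used, and every resource name, address prefix, IP and port in it is an assumed placeholder. Traffic that takes the NSG path never crosses Checkpoint, so it will not appear in the firewall's logs.

```powershell
# Added example. All names, prefixes, IPs and the port below are assumed placeholders.
$rg          = 'rg-dmz'       # assumed resource group
$loc         = 'westeurope'   # assumed region
$appPrefix   = '10.0.2.0/24'  # assumed Web/App subnet
$backPrefix  = '10.0.3.0/24'  # assumed backend subnet
$fwBackendIp = '10.0.1.4'     # assumed private IP of the Checkpoint backend NIC

# 1. UDR: send the Web/App subnet's default route to the firewall's backend NIC.
$route = New-AzRouteConfig -Name 'default-via-checkpoint' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwBackendIp
$rt = New-AzRouteTable -Name 'rt-app' -ResourceGroupName $rg -Location $loc -Route $route

# 2. The appliance NIC must accept packets that are not addressed to itself,
#    otherwise the routed traffic is dropped at the NIC.
$nic = Get-AzNetworkInterface -Name 'checkpoint-backend-nic' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 3. NSG for the backend subnet: allow only the App subnet on one port, then
#    deny everything else from inside the VNet (this includes intra-subnet traffic).
$allow = New-AzNetworkSecurityRuleConfig -Name 'allow-app-to-backend' -Access Allow `
    -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $appPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix $backPrefix -DestinationPortRange '1433'
$deny = New-AzNetworkSecurityRuleConfig -Name 'deny-other-vnet' -Access Deny `
    -Protocol '*' -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-backend' -ResourceGroupName $rg `
    -Location $loc -SecurityRules $allow, $deny

# 4. Attach the route table to the App subnet and the NSG to the backend subnet.
#    Editing the subnet objects keeps their other settings untouched.
$vnet = Get-AzVirtualNetwork -Name 'vnet-dmz' -ResourceGroupName $rg
($vnet.Subnets | Where-Object Name -eq 'app').RouteTable               = $rt
($vnet.Subnets | Where-Object Name -eq 'backend').NetworkSecurityGroup = $nsg
$vnet | Set-AzVirtualNetwork | Out-Null

# 5. Check: the App subnet should now show the route table's resource ID.
(Get-AzVirtualNetwork -Name 'vnet-dmz' -ResourceGroupName $rg).Subnets |
    Select-Object Name, @{ n = 'RouteTable'; e = { $_.RouteTable.Id } }
```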


  • Currently the Marketplace firewalls on Azure don’t support HA. We are hopeful this set of requirements will be met in Azure very soon.
  • No NSG logging as of today.
  • No NSG URL based rules as of today.
  • The current limit for Azure public IPs is 5; we were happy with 3, but you may not be.
  • It’s all through PowerShell :)
  • It can take a while!