vMX in Azure - should it/could it be behind an Azure Firewall?
I notice the deployment of the vMX into Azure associates an Azure Public IP address with the vMX/Managed Application.
Presumably it is this public IP address that is used for inbound and outbound vMX connectivity. This vMX is therefore on the perimeter of the Azure network, directly exposed via a public IP address.
I have a couple of questions:
Is this considered best practice, or are there scenarios where one would want the vMX to sit behind an Azure Firewall (or third-party firewall device)? I.e. so inbound Azure traffic flows through a firewall device before reaching the vMX. I ask this because some organizations may already have (or wish to have) an Azure Firewall at the perimeter of their Azure virtual network.
Is it even possible to make the vMX sit behind a firewall? For example, the deployment creates a managed application that contains a public IP address associated with the vMX VM. This suggests to me that you don't have much choice other than having it directly exposed via the public IP address attached to the vMX VM (as opposed to forwarding traffic from an Azure Firewall to a private IP address associated with the vMX, say).
Of course, if we were using the native Azure VPN Gateway (and not Cisco vMX, say) then that would sit right at the perimeter. So it may be that it's the same principle with vMX, in which case that's fine. I really just need a view on this to sanity check it.
When it has a single interface it can't act as a traditional firewall allowing traffic to flow between two ports, BUT it is still a firewall in the sense that it is protected from threats, and you can directly connect it to the Internet (although that really isn't the case with Azure, since Azure is NATing from the public IP it assigns to the private IP that it gives the vMX).