AKS WAF and Application routing guidance

Hello,

Newer to AKS. Our company is currently looking to start using AKS for container orchestration to speed up deployment of applications. Today, applications are deployed as app services. Some are externally facing and some are routed through a PA firewall hosted in the Azure tenant. There is a hope to implement WAF capabilities when deploying the architecture for AKS. Also, today we do not use multi-region, but there is a potential that it could (and should) be a need in the future. With that being said, what would be a recommended network architecture for inbound network traffic flow to an AKS cluster:

1) Deploy Azure Front Door with PLS to an NGINX Ingress Controller with a private IP

2) Deploy Azure Front Door to Azure App Gateway for Containers with PLS

3) Deploy Azure App Gateway for Containers with WAF (Concern would be what would you use for WAF traffic for non-AKS)

4) Deploy App Gateway with WAF

Looking for input on the right architecture here. Thanks.