Protect your Web App using Azure Application Gateway Web Application Firewall
Web Application Firewall was always a big investment for a small or growing company as most of the top branded companies are charging a lot of money A Web Application Firewall protects your application from common web vulnerabilities and exploits like SQL Injection or Cross site scripting. Azure provides enterprise grade Web Application Firewall through the Application Gateway. It comes in two pricing models, Medium and Large. More about sizes and instances you can find here, and more about pricing here
We can add the Application Gateway Web Application Firewall to protect our Azure Web App (PaaS) and our Web Application inside a VMs web server (IaaS). At this post we will see how to protect them both.
One difference in order to fully protect the Azure Web App (PaaS) is to integrate the App Service to a Virtual Network (VNET). In order to integrate an App Service to a Virtual Network it requires a Standard, Premium, or PremiumV2 pricing plan and requires the Virtual Network to have a Virtual Network Gateway that is configured with Point to Site VPN.
First things first, create a VNET. The VNET must have at least two subnets. One subnet to deploy the Virtual Machine that we will use to publish an IIS Application and one dedicated for the Application Gateway WAF.
Once the VNET is created enable the Point-2-Site VPN. More details can be found here: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-point-to-site-vpn/
Create a Web App from Azure Portal. For more details check here: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-your-first-web-app/
Once the Web App is ready, go to Networking and select “Click here to configure”
Add VNET, select the VNET and press save
Then go back to the Networking blade of the App Service and go to Firewall in order to disable public access and allow only access from the VNET. To do this click the “Configure Access Restrictions”
create an allow IP Restriction and add the WAF’s IP. Once you create an Allow rule, all other access to the app service is restricted automatically. If you try to browse the public URL of the App Service it will return “Error 403 – This web app is stopped.”
Web Application Firewall
Lets create the Secure public entry point for our Web App. Create an application gateway, select WAF Tier, select the required SKU, add it to the WAF subnet we created before, select Public IP configuration and WAF enabled.
When the Application gateway is ready we need to do some configuration. First at the Backend pools, open the default created backend pool, select “App Service” and browse to the required web app.
Then add a health probe. For host add the FQDN of the Web App.
at the HTTP settings check the “Use for App service”
Add a rule to bind the Listener, Backendpool and HTTP settings
And that’s all. Now we can try our Web App from the Internet. In order to do so we need to browse to the Web App’s URL, that is now published by the Application Gateway, from the Internet. So, we need to create a Public DNS record to point the FQDN to the Application Gateway’s FQDN. In this case we need to crate a CNAME papwaf3app.funniest.gr to point to the 8b0510c1-47e9-4b94-a0ff-af92e4455840.cloudapp.net. In order to test the app right now we can just add a host file to our computer pointing to the Public IP Address of the application gateway and we can access the Web App behind the WAF.
In order to be able to see the Application Gateway and Web Application Firewall logs we need to turn on diagnostics. The easiest way to see the logs is by sending them to Log Analytics (OMS).
With the Firewall at “Detection” mode, if we try an SQL Injection (?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )–), the Web App still servers the landing page.
By switching the Firewall to “Prevention” mode, the same SQL injection attach stops by the WAF before accessing our Web App.
Protect an IaaS Web Application
To add a Web Application that runs inside a VM behind the Application Gateway Web Application Firewall, first add the VM as a Back End Pool. Create a new Backend Pool and select “Virtual Machine”. Select the Virtual Machine that runs the Web Application.
Then create a new probe adding the URL of the Web Application
next add HTTP settings and add custom probe the new created probe “vmsite”
Next step is to create two multi-site listeners, one for each host name
After the listener, add a Basic rule using the Listener, Backend Pool and HTTP settings we created for the VM Web Application,
Finally one extra step is to change the default rule1 to listen to the WeB App listener
Finally the Application Gateway Web Application Firewall provides secure access to both the Web App (PaaS) and the VM Web Application (IaaS)
Pantelis Apostolidis is a Cloud Solutions Architect at Microsoft and an ex Microsoft Azure MVP. For the last 15 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.