With Azure Application Gateway v2 coming, a lot of new features have been added. Much faster deployment and change times, auto-scaling and the ability to assign different Web Application Firewall (WAF) policies per Application Gateway’s listener. This feature provides more control over each listener and also can limit the number of different Application Gateways you need to deploy. 

With a custom WAF policy we can control the firewall per listener (URL) with:

• Firewall mode, Prevention – Detection
• Request body properties
• WAF rule set category & version
• Custom Rules with If / Then conditions
  • Match IP address, Number, String, Geo location
  • Allow / Deny Traffic

This post scenario

We have on Azure Application Gateway with two Listeners (listens to two different URLs at its Public IP). The two listeners are forwarding the traffic to two different Web Apps, as shown at the below image.

My request is to allow all traffic to the first URL but allow traffic only from a specific IP to the second URL.

For the demo, I assume that you already have an Azure Application Gateway v2 in place and you have published two back ends (web apps, VMs, custom IP) and your web sites / apps are healthy and you can browse them behind the Application Gateway. 

Since I am using the default azurewebsites.net domain, I added two hosts at my workstation’s host file, in order to route the traffic to the Application Gateway’s IP and not directly to the Web Apps. 

I can browse both Web Apps, through the Application Gateway, from my browser. I am using http and not https for the demo since I am using the default domain and I cannot add a custom certificate.

We need to create two Web Application Firewall policies (WAF). One for each listener. To create  a WAF policy, search the Azure Portal for waf and click the “Web Application Firewall policies (WAF)”.

At the “Web Application Firewall policies (WAF)” page click +Add

At the Project details select “Regional WAF (Application Gateway)”. 

Select the Subscription that your Application Gateway resides, select Resource Group, add a name for the Policy and the same region as your Application Gateway. The policy must set to Enabled to apply. I named the policy URLNumber02 to start creating the policy for the second URL that I want the custom rule.

At the Policy Settings change the setting to Prevention from Detection and go to the Custom rules and Add custom rule

I named the rule “AllowOnlyOneIP”, since I want to allow only one IP to access the second URL (listener) of the gateway. Give a priority, I added 1 as it is the only one. At the conditions select:

• March Type: IP address
• Operation: Does not contain
• IP address or range: add the only IP that you want to allow access to the URL

At the “Then” condition, select “Deny Traffic”

This rule will allow traffic only of the IP is the IP address that we added to the condition. For all other IPs access will be denied.

Now that we created the policy, we need to assign it to the listener. At the next step of the WAF policy wizard we need to select the Application Gateway and the Listener.

First click the “Associate an application gateway” and select the Application Gateway. Remember that this policy will need to overwrite the default Application Gateway’s WAF policy. So before proceeding migrate your current WAF settings and customizations to the new WAF policy.

After you select the Application Gateway, associate the listener. I associate the “mylistener02” that is my second URL, with this policy.

After saving the policy, go to the Application gateway and check the “Web Application Firewall” settings. There you will see that all settings disappeared and you can only see that the gateway is associated with a WAF policy. We see that it is Associated to the URLNumber2 polily.

You need to create one more WAF rule for URL 01 for the correct functionality. Once you create a WAF policy and associate it to the other listener of the Application gateway, you will see that at the “Web application firewall” is associated to the new policy. Actually the Application gateway is associated to both WAF policies, one at each listener. You just cannot see this at the Azure Portal. 

We can see the WAF rules that are associated to the Application Gateway’s Listeners using the PowerShell. Running the “Get-AzApplicationGateway -Name AppGw01 -ResourceGroupName AppGw01” command you can see that the “URLNumber01” WAF policy is associated to the “mylistener” and the “URLNumber2” is associated to the “mylistener02”.

To test the policies, I tried to access both URLs from a computer that don’t have the Public IP that I added tot he policy and I can access the URL 1 app but I cannot access the URL 2 app. From the computer that has the Public IP we added at the rule, I can browse both sites. 

The WAF rules can be edited at the Web Application Firewall policies (WAF) blade and all settings will apply to the corresponding listener.

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Application Gateway | WAF Policy per Listener appeared first on Apostolidis Cloud Corner.

Thank you all who attented my presentation at Sunday’s 29/3/2020 virtual Greek MVPs in Actions event.

My presentation was about the Azure Front Door Service and how you can use it to accelerate and protect your web applications.

You can view my presentation here

And you can see my video at my Youtube channel

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Greek MVPs in Action | Accelerate your web applications with Azure Front Door appeared first on Apostolidis Cloud Corner.

Create the WAF Rule

From the Azure Marketplace search for WAF and create a Web Application Firewall

At the “Create a WAF policy” wizard select “Global WAF (Front Door) for policy, provide the subscription and resource group, give a name for the policy and select if you want it to be created enabled or disabled.

At the next step select if the policy will prevent the action or just detect and report it. You can change this later too. You can provide a Redirect URL for rules that support redirection. The default status code is 403 but we can change it to e.g. 404. We can also add a custom response body.

The next step is the rule. We can select one or more predefined rule sets and then customize at will.

To customize, expand the rule set and select a rule. You can enable / disable the rule and you can change the action to Allow, Block, Lod or Redirect.

WAF Custom Rule

The next step is the custom rules. There’s a lot to customise here. First are the rule type settings. Select status of the rule, enabled or disabled. Select the Rule type between Match and Rate limit. If you select rate limit you will be prompt to set rate limit and threshold. The final rule tupe setting is to set the priority of the rule.

Next is the Conditions (If this) and the action (then that).
The condition can be Geolocation, IP address, Size or String. After selecting the Match Type the rest options are altered accordingly.

The action can be Allow traffic, Deny traffic, Log traffic only or Redirect traffic

For the demo I created a rule that will Deny all traffic from The Netherlands, because I can test it from an Azure VM located at the West Europe Region.

The next step is to associate the rule to the Front Door. After that assign Tags if needed and create the rule.

Once the Rule is ready, a “Front Door WAF policy” resource will be at the selected Resource Group.

Inside the Front Door, at the Web application firewall section, you can review the assigned rules.

The below diagram shows the current setup. The user cannot access the Azure Web Apps directly, only through the Front Door and the requests are filtered by WAF rules.

Test 1

From an Azure VM at West Europe Region, I tried to access the Front Door’s URL and we can see my custom 403 body text!

Test 2

From my Computer I tested a typical SQL Injection attack from https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) . Again my custom 403 page!

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Use Web Application Firewall (WAF) Rules with the Front Door to protect your app appeared first on Apostolidis Cloud Corner.

At my previous posts we have seen how to Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. At this post I want to share some tips on how to configure the Azure Web Application Firewall.

The Azure Web Application Firewall, like all WAFs, needs a period of detection “the training period”, in order to gather logs about what is logged as blocked so to configure it accordingly before turning the WAF to Prevention mode. The Azure Web Application Firewall uses OWASP ModSecurity Core Rule Set (CRS). You can select version 2.2.9 or version 3.0 of the OWASP ModSecurity Core Rule Set. These rules include protection against attacks such as SQL injection, cross-site scripting attacks, and session hijacks.

The configuration of the Azure Web Application Firewall has two parts. One part is the OWASP rules custom configuration, where we can check / uncheck the OWASP rules that the WAF will use to analyse the requests:

and the second part is the Exclusions and the Request Size Limits:

Let’s see how we can find out what to exclude and what to customize. Once you setup the Azure Application Gateway and Publish your web application turn of the Firewall in Detection mode. Enable the Diagnostic Logs and send the logs to Log Analytics and start using the we application. I have covered all those steps at my previous posts, Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. To make it more fun you can actually attack your application using sample attacks, like SQL Injection samples from this link: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) and Cross-site Scripting (XSS) from this link: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) . Both links are from OWASP for testing.

After a while run the query to check the Azure Web Application Firewall logs:

AzureDiagnostics | where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall" | where TimeGenerated > ago(24h) | summarize count() by TimeGenerated, clientIp_s , TimeGenerated , ruleId_s , Message , details_message_s , requestUri_s, details_file_s , hostname_s

You will get the below results:

At the Message part of the Log you will see the kind of attack that the WAF has detected.

At the ruleId_s you can find the OWASP rule ID. With this information you can search the Rule ID at the Advanced rule configuration and uncheck the specific rule. Of course every rule you uncheck you open a security hole. So I recommend to first check if you can alter your application to comply with the rule and only if this is not possible to drop the rule.

At the details_message_s column also you can find the matched pattern and configure the Exclusions

Finally you can configure the request size limits according to your application

Once you finalize your Azure Application Firewall configuration and you no longer have “Blocked” messages change it to “Prevention” mode to start protecting your web application.

Reference:
WAF Overview: https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
WAF Configuration: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-waf-configuration
OWASP ModSecurity Core Rule Set (CRS): https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Configure The Azure Web Application Firewall appeared first on Apostolidis Cloud Corner.

A Web Application Firewall protects your application from common web vulnerabilities. Azure provides enterprise grade Web Application Firewall through the Application Gateway. You can read more at my previous post: https://www.e-apostolidis.gr/microsoft/azure/protect-your-web-application-with-azure-application-gateway-waf/

Use Log Analytics to Query the WAF Logs

The Application Gateway WAF sends its logs to the Log Analytics workspace. You can see them using a typical query like the below, that will list all events at the past 24 hours.

AzureDiagnostics | where Resource == “PROWAF” and OperationName == “ApplicationGatewayFirewall” | where TimeGenerated > ago(24h) | summarize count() by TimeGenerated, clientIp_s , TimeGenerated , ruleId_s , Message , details_message_s , requestUri_s, details_file_s , hostname_s

You can save the query by clicking the Save button and give it a name and a Category.

We can send those logs as email by using an Azure Logic App and a SendGrid account. You can see how to create a SendGrid free account at my previous post: https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/

Create a Logic App

From the portal.azure.com, Create a resource and write “logic app”, click the “Logic App”and press “Create”

At the Logic App creation wizard add Name, subscription, resource group, location and press Create

Next the Logic App will be created. Open it and from the Logics App Designer select the “Recurrence” common trigger.

Change the Recurrence Interval to “1” and the Frequency to “Day” and press the “+ New step”

search for “log analytics” and select the “Run query and visualize results”

I will proceed with “Sign in”, you can also use a Service Principal but we will cover this to another post.

After you login select the Subscription, Resource Group and the Log Analytics Workspace. Next, add the query, for Chart Type select “Html Table” and add a “Next Step”

search for “sendgrid” and select the “Send email (V2)”

Add a name for the connection and the API key that you created at the SendGrid creation post and press create. https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/

Fill the From address, To address and Subject. At the email body, add dynamic content and select the blocs of the previous set result.

Press Save to save the Flow and Run to test it.

The result at my email:

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Serverless Computing | Email Report Azure WAF Logs appeared first on Apostolidis Cloud Corner.

Web Application Firewall was always a big investment for a small or growing company as most of the top branded companies are charging a lot of money  A Web Application Firewall protects your application from common web vulnerabilities and exploits like SQL Injection or Cross site scripting. Azure provides enterprise grade Web Application Firewall through the Application Gateway. It comes in two pricing models, Medium and Large. More about sizes and instances you can find here, and more about pricing here

We can add the Application Gateway Web Application Firewall to protect our Azure Web App (PaaS) and our Web Application inside a VMs web server (IaaS). At this post we will see how to protect them both.

One difference in order to fully protect the Azure Web App (PaaS) is to integrate the App Service to a Virtual Network (VNET). In order to integrate an App Service to a Virtual Network it requires a Standard, Premium, or PremiumV2 pricing plan and requires the Virtual Network to have a Virtual Network Gateway that is configured with Point to Site VPN.

Virtual Network

First things first, create a VNET. The VNET must have at least two subnets. One subnet to deploy the Virtual Machine that we will use to publish an IIS Application and one dedicated for the Application Gateway WAF.

Once the VNET is created enable the Point-2-Site VPN. More details can be found here: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-point-to-site-vpn/ 

Web App

Create a Web App from Azure Portal. For more details check here: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-your-first-web-app/

VNet Integration

Once the Web App is ready, go to Networking and select “Click here to configure”

Add VNET, select the VNET and press save

Then go back to the Networking blade of the App Service and go to Firewall in order to disable public access and allow only access from the VNET. To do this click the “Configure Access Restrictions”

create an allow IP Restriction and add the WAF’s IP. Once you create an Allow rule, all other access to the app service is restricted automatically. If you try to browse the public URL of the App Service it will return “Error 403 – This web app is stopped.”

Web Application Firewall

Lets create the Secure public entry point for our Web App. Create an application gateway, select WAF Tier, select the required SKU, add it to the WAF subnet we created before, select Public IP configuration and WAF enabled.

When the Application gateway is ready we need to do some configuration. First at the Backend pools, open the default created backend pool, select “App Service” and browse to the required web app.

Then add a health probe. For host add the FQDN of the Web App.

at the HTTP settings check the “Use for App service”

Add a rule to bind the Listener, Backendpool and HTTP settings

And that’s all. Now we can try our Web App from the Internet. In order to do so we need to browse to the Web App’s URL, that is now published by the Application Gateway, from the Internet. So, we need to create a Public DNS record to point the FQDN to the Application Gateway’s FQDN. In this case we need to crate a CNAME papwaf3app.funniest.gr to point to the 8b0510c1-47e9-4b94-a0ff-af92e4455840.cloudapp.net. In order to test the app right now we can just add a host file to our computer pointing to the Public IP Address of the application gateway and we can access the Web App behind the WAF.

Logging

In order to be able to see the Application Gateway and Web Application Firewall logs we need to turn on diagnostics. The easiest way to see the logs is by sending them to Log Analytics (OMS).

With the Firewall at “Detection” mode, if we try an SQL Injection (?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )–), the Web App still servers the landing page.

By switching the Firewall to “Prevention” mode, the same SQL injection attach stops by the WAF before accessing our Web App.

Protect an IaaS Web Application

To add a Web Application that runs inside a VM behind the Application Gateway Web Application Firewall, first add the VM as a Back End Pool. Create a new Backend Pool and select “Virtual Machine”. Select the Virtual Machine that runs the Web Application.

Then create a new probe adding the URL of the Web Application

next add HTTP settings and add custom probe the new created probe “vmsite”

Next step is to create two multi-site listeners, one for each host name

After the listener, add a Basic rule using the Listener, Backend Pool and HTTP settings we created for the VM Web Application,

Finally one extra step is to change the default rule1 to listen to the WeB App listener

Finally the Application Gateway Web Application Firewall provides secure access to both the Web App (PaaS) and the VM Web Application (IaaS)

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Protect your Web App using Azure Application Gateway Web Application Firewall appeared first on Apostolidis Cloud Corner.