Protecting Azure App Service with Azure Application Gateway Part 1: Design

Azure Application Gateway is a platform-as-a-service offering that provides application delivery controller capabilities, such as layer 7 load balancing/routing, and a web application firewall in front of many applications.

The following is a summarized list of features from the overview documentation:

  • Web application firewall
  • HTTP load balancing
  • Cookie-based session affinity
  • Secure Sockets Layer (SSL) offload
  • End to End SSL
  • Multi-site routing
  • Health monitoring
  • SSL Policy and Ciphers
  • Request redirect
  • Multi-tenant back-end support
  • Advanced diagnostics
  • Websocket support

Objective

Design and configure an App Gateway in front of an Azure App Service Web App with the following requirements:

  1. Protect against common exploits and vulnerabilities by using the App Gateway’s Web Application Firewall.
    1. e.g. XSS and SQL injection attacks.
    2. Although web apps should be implemented to defend against such attacks themselves, the WAF is an added layer that mitigates that security risk.
  2. No network isolation using App Service Environment (ASE) due to its high cost (min. ~$1,200 USD/month). Note: it is more secure to use ASE, since the traffic between the App Gateway and the Azure Web App is then private.
  3. The App Service Web App only accepts traffic from the App Gateway, not traffic sent directly to the Web App’s public endpoint (e.g. .azurewebsites.net).
  4. HTTP to HTTPS redirect
    1. e.g. http://www.rkim.ca would redirect to https://www.rkim.ca
    2. Without this, the web app has to handle the redirect.
  5. Implement multi-site routing so that additional web applications can be added to the app gateway.

I have used the following articles as guidance to support the above requirements.

Design
[Diagram: AzureAppGatewayDesign]

  • User and browser traffic is from public internet
  • The App Gateway is associated with a VNet and its own dedicated subnet, but the VNet provides little or no value in this approach.
  • The App Gateway has two listeners by hostname and rules to manage the traffic.
  • The default Azure Web App hostname .azurewebsites.net is a public endpoint. Therefore, I believe the traffic between the App Gateway and the Web App is still over the internet.
  • Although App Gateway supports SSL offload, we can’t leverage this since we would want https/SSL secured traffic from App Gateway to the Azure Web App.
  • For true network isolation within a virtual network among these Azure PaaS services, look towards using the App Service Environment. This is much more expensive.
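As an added example that is not part of the original post, the Azure CLI commands that realise requirements 3 and 4 of this design (the web app allow-lists only the gateway, and the gateway owns the HTTP to HTTPS redirect). The resource names, the listener names httpListener/httpsListener and the 203.0.113.10 gateway address are assumed placeholders; the script prints the commands by default (DRY_RUN=1) so they can be reviewed before being run against a subscription.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI steps for
# requirements 3 and 4 of the design above. All names below are assumed
# placeholders; replace them with your own resource names.
set -eu

RG="${RG:-rg-appgw-demo}"          # resource group (assumed)
APPGW="${APPGW:-appgw-demo}"       # application gateway name (assumed)
WEBAPP="${WEBAPP:-webapp-demo}"    # app service web app name (assumed)
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands only, 0 = execute

# Run a command, or just print it when DRY_RUN=1, so the script can be
# reviewed before it touches a subscription.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Requirement 3: the web app only accepts traffic that arrives via the
# gateway's public frontend IP. Without an ASE the back end is still reached
# over the internet, so this allow-list is what stops direct hits on
# <app>.azurewebsites.net; once one Allow rule exists, App Service denies
# every other source.
restrict_webapp_to_gateway() {
  gw_ip="$1"   # public IP of the gateway frontend (constructed sample)
  run az webapp config access-restriction add \
    --resource-group "$RG" --name "$WEBAPP" \
    --rule-name AllowAppGatewayOnly --action Allow \
    --ip-address "$gw_ip/32" --priority 100
}

# Requirement 4: the gateway answers HTTP with a 301 to the HTTPS listener,
# so the web app never has to implement the redirect itself.
redirect_http_to_https() {
  run az network application-gateway redirect-config create \
    --resource-group "$RG" --gateway-name "$APPGW" \
    --name httpToHttps --type Permanent \
    --target-listener httpsListener \
    --include-path true --include-query-string true
  run az network application-gateway rule create \
    --resource-group "$RG" --gateway-name "$APPGW" \
    --name httpRedirectRule --rule-type Basic \
    --http-listener httpListener --redirect-config httpToHttps
}

# Show what would be run (dry run by default).
restrict_webapp_to_gateway 203.0.113.10
redirect_http_to_https
```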

The next blog post covers the key configuration settings of this design.

2 thoughts on “Protecting Azure App Service with Azure Application Gateway Part 1: Design”

  1. Pingback: Protecting Azure App Service with Azure Application Gateway Part 2: Configuration – Roy Kim on Azure, SharePoint, BI, Office 365

  2. Pingback: Penetration Testing Your Web App with Azure Application Gateway WAF Part 1: Intro – Roy Kim on Azure, Office 365 and SharePoint
