Azure Application Gateway is a platform-as-a-service that offers application delivery controller such layer 7 load balancing/routing capabilities and a web application firewall for many applications.
The following is a summarized list of features from the overview documentation
Design and configure an App Gateway in front of an Azure App Service Web App with following requirements:
- Protect common exploits and vulnerabilities by using the App Gateway’s Web Application Firewall.
- e.g. XSS and SQL injection attacks.
- Although web apps should be implemented to work against such attacks, the WAF is an added layer of mitigating that security risk.
- No network isolation using App Service Environment (ASE) due to its high costs (min. ~$1,200USD/month). Note: it is more secure to use ASE since the traffic between the app gateway and the azure web app is private.
- The App Service Web App only accepts traffic from the App Gateway and not directly to the Web App’s public endpoint (e.g. .azurewebsites.net).
- Http to Https redirect
- Implement multi-site routing so that additional web applications can be added to the app gateway.
I have used the following articles as guidance to support the above requirements.
- Configure App Service Web Apps with Application Gateway
- End to End SSL with Application Gateway and Azure Web Apps (10/2017)
- Configure redirection on Application Gateway with PowerShell
- Web application firewall (WAF)
- User and browser traffic is from public internet
- The App Gateway is associated to a VNET and its own specific subnet; but it has little or no value in this approach.
- The App Gateway has two listeners by hostname and rules to manage the traffic.
- The default Azure Web App hostname .azurewebsites.net is a public endpoint. Therefore, I believe the traffic between app gateway and web app is still over internet.
- Although App Gateway supports SSL offload, we can’t leverage this since we would want https/SSL secured traffic from App Gateway to the Azure Web App.
- For true network isolation within a virtual network among these Azure PaaS services, look towards using the App Service Environment. This is much more expensive.
The next blog post covers the key configuration settings of this design.