How to Configure Web Application Firewall (WAF) with Azure Application Gateway?

Many widely used web development platforms, including PHP and ASP, as well as database engines used by applications at the back end have known security flaws that attackers use to exploit the application. Most attacks can be prevented at the code level. But this requires high maintenance, patching, and monitoring at multiple layers of the application. Deploying a web application firewall (WAF) in front of the server is a much simpler solution to block common attacks.

Azure Web Application Firewall on Azure Application Gateway is a cloud-native service that provides centralized protection to web applications from common attacks and web vulnerabilities, including SQL injection and cross-site scripting. Let us explore how to configure Web Application Firewall (WAF) with Azure Application Gateway and understand its features and benefits.

Why Use Azure Web Application Firewall?

Azure Application Gateway is a web traffic load balancer that provides an IP address (front-end) to application users and routes requests to the appropriate back end in the backend pool that could include app services, virtual machines (VM), virtual machine scale sets, or even other IP addresses. Deploying Azure Web Application Firewall (WAF)with Azure Application Gateway improves protection for web applications against common vulnerabilities and simplifies management with an easy-to-configure central location. Here are the benefits of using WAF on the Application Gateway.

• A single Azure Web Application Firewall can protect up to 40 websites hosted on the Application Gateway.
• WAF Policy having custom rules can be associated with individual sites to protect applications without modifying the back-end code for any application.
• It protects from a wide range of attacks, including malicious bots, and can be monitored in real-time using Azure Monitor.
• It can be configured, deployed, and managed using the Azure Portal, REST APIs, PowerShell, and CLI, and is integrated with Azure Security Center that provides a central view of the security state of all Azure resources.

What Are the Features of the Azure Web Application Firewall?

Here are some of the features of the Azure Web Application Firewall.

• Protects against crawlers and scanners, SQL and command injection, cross-site scripting, HTTP protocol violations, and anomalies, and other common web attacks.
• Detects application misconfigurations.
• Supports configurable request size limits and custom rules, exclusion lists, and geo-filtration of traffic.
• Inspects JSON and XML in the request body.

How to Deploy Azure Web Application Firewall (WAF) with Azure Application Gateway?

Creating an application gateway with Azure Web Application Firewall involves assigning listeners to ports, creating rules, and adding resources to a backend pool. Here is the procedure for using Azure WAF in a simple setup with a public front-end IP, a listener to host a single site on the application gateway, two VMs in the backend pool, and a basic request routing rule.

• Create a resource for the Application Gateway in Azure Portal.
• Ensure that you select WAF V2 in the “Tier” dropdown on the Basics tab.
• Create two subnets, one for the application gateway instance, and another for the backend servers (virtual machines) in an Azure Virtual Network.
• Leave the default values for the other settings and then proceed to the Frontends tab.
• Provide a public IP address name for the application gateway and switch to the Backends tab.
• Create a backend pool with no targets as they will be created after creating the application gateway.
• Add a routing rule in the configuration tab to connect the frontend and backend pool.
• Complete the deployment by clicking on Create in the Review + create tab.
• Create two virtual machines in the same Resource Group that will be used for deploying the WAF. Install IIS on them to verify that Azure has successfully created the application gateway.
• Switch to the Backend pool and add the two newly created virtual machines in the Targets dropdown.
• Create your WAF Policy as a separate object and associate it with the Application Gateway from the Associated Application Gateways tab.
• To test whether Azure successfully created the application gateway, copy the public IP address, and paste it on a browser. A valid response should be returned to confirm that the application gateway connects with the backend.

Apps4Rent Can Help in Hosting and Securing Web Applications on Azure

While using Web Application Firewall (WAF) with Azure Application Gateway is one of the simplest and most robust solutions to protect web applications from malicious attacks, there are other services such as Azure Firewall, Azure ExpressRoute, and Azure Network Security Group that have overlapping capabilities. The choice of Azure service to be used depends on the workload to be protected.

As a Tier 1 Microsoft CSP, Apps4Rent provides managed Azure services for modernizing applications. Contact our Microsoft certified experts, available 24/7 via phone, chat, and email for consultations.