Firewalls play a critical role in securing an environment, but not all firewalls are created equal. While traditional firewalls secure a perimeter by filtering on ports and IP addresses, web-based applications require a content-aware solution that inspects the HTTP requests themselves. Azure Web Application Firewall is a cloud-native service that protects web applications from new and well-known web-based attacks.
In this course, we review Azure Web Application Firewall. We examine different options for implementing the Web Application Firewall, including using it with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network. We create and apply rule sets, including Azure-managed rules and user-managed custom rules. We also configure diagnostic logging options and review firewall logs from the Application Gateway.
Learning Objectives
- Configuring detection or prevention mode
- Implementing a WAF policy
- Associating a WAF policy
- Configuring rule sets for Azure Front Door, including Microsoft-managed and user-defined
- Configuring rule sets for Application Gateway, including Microsoft-managed and user-defined
Intended Audience
- System administrators with responsibilities for managing web applications
- Security professionals responsible for securing Azure web applications
- Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam
Prerequisites
- A basic understanding of networking and security principles
- An Azure subscription (sign up for a free trial at https://azure.microsoft.com/free/ if you don’t have a subscription)
Here we are in the Azure Portal. Let's start by adding a new resource. We'll search for Application Gateway, select Application Gateway, and click Create. We'll fill in the details we defined in the settings table earlier: create a new resource group, give the Application Gateway instance a name, and change the region to Central US for this example. Next is where we define the tier. There are four tiers: Standard, Standard V2, WAF, and WAF V2. This example uses the WAF V2 tier. We can leave the rest as is and scroll to the bottom. We could use an existing virtual network.
For this example, we'll create a new virtual network. Give the virtual network a name, then update the address space; this defines all the IP address blocks in the VNet. We'll get rid of the default and add the range we defined earlier. We'll create two subnets, one for the gateway and one for the backend pool. Once added, click OK and we'll move on to Frontends. Be sure Public is selected for the frontend IP address type, and we'll create a new public IP. Give it a name and click OK. Now we can move to Backends. Add a backend pool and select the option to add a backend pool without targets; we'll add them shortly. Click Add and go to Configuration.
From here we go to Routing rules. Add a routing rule, give it a name, and update the listener name. The frontend is Public; set the protocol to HTTP and the port to 80. Leave the rest as is and go to Backend targets. Under Backend target, select the backend pool. Under HTTP settings, click Add new; this sets the behavior of the routing rule. Give the HTTP settings a name. We can leave the rest as default, click Add, and add the routing rule. Next, go to Tags, add tags as needed, and go to Review + create. Once validation passes, click Create. We'll pause here and come back once it's finished.
The Application Gateway deployment is finished. Next, let's go to the virtual machines used for the backend pool. We could add IIS manually; optionally, we can configure it through Azure using PowerShell and the Set-AzVMExtension command. We'll do this by first opening Cloud Shell, and then we'll run the Set-AzVMExtension command. This command specifies the resource group name, extension name, VM, publisher, extension type, type handler version, and a settings string that installs IIS with a custom webpage that displays the computer name and location. This command will deploy IIS to the newly created Windows Server virtual machines. It will take a minute to finish. We'll pause here and come back once it's done.
That finished. Let's run it again, this time for the second VM, and again we'll pause here and come back once it's done. The second VM completed successfully; once finished, we can close Cloud Shell. Now that the VMs are configured and the Application Gateway is finished, let's add the backend servers to the pool. Here we are in the Application Gateway we just created. Go to Backend pools, select the backend pool we created earlier, set the target type to Virtual machine, and associate the target with the first VM we created. Repeat the steps for the second virtual machine. Once finished, click Save. That is how we configure the Azure Application Gateway and backend pool.
Next, we implement and associate a Web Application Firewall policy with our Application Gateway. From the portal, create a new resource and search for Web Application Firewall. Select Web Application Firewall and click Create. Set the policy for Application Gateway. Notice that the other two services that support the Web Application Firewall, Azure Front Door and Azure CDN, are also listed. Set the subscription and provide a resource group. Provide a name and go to Association. Add an association and select Application Gateway. Check the box to apply the Web Application Firewall policy even if it's different from the current configuration; this will override the existing configuration. Click Add, then go to Review + create. Once validation passes, click Create. Let's pause here until it finishes.
That finished. Let's test the Application Gateway next. Go to the Application Gateway and copy the public IP address from the Overview page. Open a web browser and go to that IP. We'll get back a webpage with the name of one of the two servers. This indicates the Application Gateway is working correctly. That is how to create an Application Gateway and backend pool and implement and associate a Web Application Firewall policy.
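The same procedure done from Azure Cloud Shell with the Az PowerShell module, as an added example that is not code from the course video. It follows the portal steps above (WAF V2 gateway, IIS via Set-AzVMExtension, VM NICs in the backend pool, WAF policy associated with the gateway) and then adds two checks the video does not show: a benign request and a request the managed rules should block. All names, the region and the address prefixes are assumptions; the resource group, a VNet with a gateway subnet and a backend subnet, and the two Windows Server VMs are assumed to exist already (the video creates the VNet in the portal; this takes the "use an existing virtual network" option it mentions). The user-defined rule that blocks a source range goes beyond the video, which only applies managed rules.

```powershell
# Added example, not code from the course video: the portal walkthrough above redone with the
# Az PowerShell module in Azure Cloud Shell (PowerShell 7). Every name, region and address
# prefix below is an assumption; substitute the values from your own settings table.
# Assumed to already exist in $rg (created earlier in the course): a VNet 'vnet-waf-demo' with
# subnets 'snet-appgw' (gateway) and 'snet-backend', and two Windows Server VMs in
# 'snet-backend', one NIC each.
$rg       = 'rg-waf-demo'
$location = 'centralus'
$gwName   = 'agw-waf-demo'
$pipName  = 'pip-agw-waf-demo'
$vmNames  = @('vm-web-1', 'vm-web-2')

$vnet     = Get-AzVirtualNetwork -Name 'vnet-waf-demo' -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-appgw'   -VirtualNetwork $vnet
$beSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-backend' -VirtualNetwork $vnet

# 1. Frontend: the v2 SKUs need a Standard-SKU, statically allocated public IP.
$pip = New-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg -Location $location `
         -AllocationMethod Static -Sku Standard

# 2. Gateway building blocks: IP config, frontend, HTTP/80 listener, an empty backend pool,
#    HTTP settings and a basic routing rule (v2 rules require an explicit priority).
$gipConfig = New-AzApplicationGatewayIPConfiguration -Name 'gwIpConfig' -Subnet $gwSubnet
$feConfig  = New-AzApplicationGatewayFrontendIPConfig -Name 'feConfig' -PublicIPAddress $pip
$fePort    = New-AzApplicationGatewayFrontendPort -Name 'fePort80' -Port 80
$pool      = New-AzApplicationGatewayBackendAddressPool -Name 'bePool'
$poolSet   = New-AzApplicationGatewayBackendHttpSetting -Name 'beHttpSettings' -Port 80 `
               -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30
$listener  = New-AzApplicationGatewayHttpListener -Name 'httpListener' -Protocol Http `
               -FrontendIPConfiguration $feConfig -FrontendPort $fePort
$rule      = New-AzApplicationGatewayRequestRoutingRule -Name 'rule1' -RuleType Basic -Priority 100 `
               -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $poolSet
$sku       = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2 -Capacity 2

# 3. WAF policy: Microsoft-managed OWASP CRS 3.2 rules plus one user-defined rule that blocks
#    a source range (203.0.113.0/24 is documentation address space, an assumed example).
#    Prevention mode blocks matching requests; Detection mode would only log them.
$settings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled
$crs      = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType OWASP -RuleSetVersion 3.2
$managed  = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $crs
$srcVar   = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
$srcCond  = New-AzApplicationGatewayFirewallCondition -MatchVariable $srcVar -Operator IPMatch `
              -MatchValue '203.0.113.0/24'
$blockSrc = New-AzApplicationGatewayFirewallCustomRule -Name 'BlockBadRange' -Priority 10 `
              -RuleType MatchRule -MatchCondition $srcCond -Action Block
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name 'wafpol-demo' -ResourceGroupName $rg `
               -Location $location -PolicySetting $settings -ManagedRule $managed -CustomRule $blockSrc

# 4. Create the WAF_v2 gateway with the policy associated (the portal's Association step).
New-AzApplicationGateway -Name $gwName -ResourceGroupName $rg -Location $location -Sku $sku `
  -GatewayIPConfigurations $gipConfig -FrontendIPConfigurations $feConfig -FrontendPorts $fePort `
  -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSet -HttpListeners $listener `
  -RequestRoutingRules $rule -FirewallPolicy $wafPolicy | Out-Null

# 5. Install IIS on each backend VM; the default page shows the VM's computer name. The JSON is
#    single-quoted so that $env:computername is expanded on the VM, not in Cloud Shell.
$iisSettings = '{"commandToExecute":"powershell Add-WindowsFeature Web-Server; ' +
               'powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"}'
foreach ($vmName in $vmNames) {
    Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location -ExtensionName 'IIS' `
      -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.10 `
      -SettingString $iisSettings | Out-Null
}

# 6. Add each VM's NIC to the backend pool (target type "Virtual machine" in the portal).
$appgw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
$pool  = Get-AzApplicationGatewayBackendAddressPool -Name 'bePool' -ApplicationGateway $appgw
foreach ($vmName in $vmNames) {
    $vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
    $nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    Set-AzNetworkInterfaceIpConfig -Name $nic.IpConfigurations[0].Name -NetworkInterface $nic `
      -Subnet $beSubnet -ApplicationGatewayBackendAddressPool $pool | Out-Null
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}

# 7. Test through the public IP: a normal request returns one of the two computer names; a
#    request carrying an XSS probe in the query string is matched by the managed rules and, in
#    Prevention mode, answered by the WAF with HTTP 403 instead of being forwarded.
$ip = (Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg).IpAddress
(Invoke-WebRequest -Uri "http://$ip/").Content
(Invoke-WebRequest -Uri "http://$ip/?q=<script>alert(1)</script>" -SkipHttpErrorCheck).StatusCode
```

Two things to check if the last two requests do not behave as described. A policy created in the portal starts in Detection mode, so the probe request is forwarded and returns 200 there, with the match visible only in the firewall log; switch the policy to Prevention to see the block. If the benign request fails, look at Backend health on the gateway: the IIS role opens port 80 in the Windows firewall, but a network security group on the backend subnet must still allow TCP 80 from the gateway subnet. The `-SkipHttpErrorCheck` switch exists only in PowerShell 7 (the Cloud Shell default); in Windows PowerShell 5.1 the 403 surfaces as a terminating error you would catch instead.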
Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.