Firewalls play a critical role in securing an environment, but not all firewalls are created equal. A traditional firewall secures a network perimeter by filtering on ports and IP addresses; a web application needs a content-aware solution that inspects the HTTP requests themselves. Azure Web Application Firewall is a cloud-native service that protects web applications from both new and well-known web-based attacks.
In this course, we review Azure Web Application Firewall. We examine the different options for implementing the Web Application Firewall, including using it with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network. We create and apply rule sets, including Azure-managed rule sets and user-defined custom rules. We also configure diagnostic logging options and review firewall logs from Azure Application Gateway.
Learning Objectives
- Configuring detection or prevention mode
- Implementing a WAF policy
- Associating a WAF policy
- Configuring rule sets for Azure Front Door, including Microsoft-managed and user-defined
- Configuring rule sets for Application Gateway, including Microsoft-managed and user-defined
Intended Audience
- System administrators with responsibilities for managing web applications
- Security professionals responsible for securing Azure web applications
- Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam
Prerequisites
- A basic understanding of networking and security principles
- An Azure subscription (sign up for a free trial at https://azure.microsoft.com/free/ if you don’t have a subscription)
The third service with support for Web Application Firewall is the Azure Content Delivery Network. Latency, the time it takes for packets to traverse a network, can be a performance killer for web applications. Content such as images and video takes time to flow across the internet from the source server to the client, and high latency can make an application feel slow and unreliable.
A Content Delivery Network, or CDN, addresses latency by placing content closer to the users. A CDN is a distributed network of servers that caches content at locations near those users. It improves performance by reducing latency, and it relieves the web server of the burden of serving that content, because the content is served from the CDN instead. Without a CDN, when a user requests web content, it is served directly from the web application servers.
Latency is introduced for any users who are not physically close to the application servers. With a CDN, the content is cached at edge servers when it is first accessed. When additional users from the same region access the content, it is delivered from the CDN endpoint instead of from the application servers, reducing latency and the workload on the application servers and improving the end user's experience.
The Web Application Firewall works with the CDN by associating a WAF policy with the CDN endpoints, so requests are inspected at the CDN edge before they reach the origin. This protects the applications behind the CDN from web-based vulnerabilities and exploits. At the time of this recording, the Web Application Firewall with the Azure CDN is in public preview, and preview features carry a limited Service Level Agreement. Take that into consideration before using it for production workloads.
The Azure CDN supports dynamic site acceleration to improve performance for dynamic websites, that is, sites serving content that cannot simply be cached. The CDN also supports caching rules that define how content is cached, such as the length of time the content is held in the cache before it expires. The Azure CDN supports HTTPS on custom domains, so content is delivered over an HTTPS connection. It also supports file compression, an option to compress files at the CDN edge; geo filtering, a way to allow or block content delivery by country or region, configured on the endpoint independently of the WAF policy; and Azure diagnostic logs for troubleshooting.
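The two paragraphs above describe the pieces a practitioner actually has to wire together: a WAF policy in Detection or Prevention mode, a Microsoft-managed rule set, user-defined custom and rate-limit rules, the association of that policy with a CDN endpoint, and endpoint-level settings such as HTTPS-only delivery, compression, and geo filtering. The Bicep template below is an added example, not material from the course or from Microsoft's documentation. The resource names, origin host name, country codes, paths, and rate-limit threshold are placeholders, and the API version and property names follow the Microsoft.Cdn ARM schema as I recall it; check them against the current schema and the preview terms before deploying.

```bicep
// Added example: Azure CDN WAF policy linked to a CDN endpoint.
// All names, host names, country codes and thresholds are placeholders.
// Property names and API version are assumptions to verify against the
// current Microsoft.Cdn schema.

@description('Detection only logs matched requests; Prevention blocks them.')
@allowed([ 'Detection', 'Prevention' ])
param wafMode string = 'Detection'

// CDN WAF policies and Microsoft-SKU profiles are global resources.
param location string = 'Global'

resource wafPolicy 'Microsoft.Cdn/cdnWebApplicationFirewallPolicies@2020-09-01' = {
  name: 'cdnwafpolicy'          // placeholder name
  location: location
  sku: {
    name: 'Standard_Microsoft'  // WAF for Azure CDN requires the Microsoft SKU
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: wafMode
      defaultCustomBlockResponseStatusCode: 403
    }
    // Microsoft-managed rule set for the CDN WAF
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'DefaultRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
    // User-defined custom rule: block clients outside the served countries
    customRules: {
      rules: [
        {
          name: 'BlockUnservedCountries'
          enabledState: 'Enabled'
          priority: 100
          matchConditions: [
            {
              matchVariable: 'RemoteAddr'
              operator: 'GeoMatch'
              negateCondition: true       // match when NOT in the list
              matchValue: [ 'US', 'CA' ]  // placeholder country codes
            }
          ]
          action: 'Block'
        }
      ]
    }
    // User-defined rate limit on a sensitive path (placeholder values)
    rateLimitRules: {
      rules: [
        {
          name: 'RateLimitLogin'
          enabledState: 'Enabled'
          priority: 200
          rateLimitThreshold: 100         // requests per client per window
          rateLimitDurationInMinutes: 1
          matchConditions: [
            {
              matchVariable: 'RequestUri'
              operator: 'Contains'
              matchValue: [ '/login' ]
            }
          ]
          action: 'Block'
        }
      ]
    }
  }
}

resource cdnProfile 'Microsoft.Cdn/profiles@2020-09-01' = {
  name: 'cdnprofile'            // placeholder name
  location: location
  sku: {
    name: 'Standard_Microsoft'
  }
}

resource cdnEndpoint 'Microsoft.Cdn/profiles/endpoints@2020-09-01' = {
  parent: cdnProfile
  name: 'cdnendpoint'           // placeholder; becomes cdnendpoint.azureedge.net
  location: location
  properties: {
    originHostHeader: 'app.example.com'   // placeholder origin
    isHttpAllowed: false                  // HTTPS-only delivery
    isHttpsAllowed: true
    isCompressionEnabled: true            // compress at the edge
    contentTypesToCompress: [ 'text/html', 'application/json' ]
    origins: [
      {
        name: 'app-origin'
        properties: {
          hostName: 'app.example.com'     // placeholder origin
        }
      }
    ]
    // Endpoint geo filtering: only the listed countries may reach /admin.
    // This is separate from the WAF policy's GeoMatch custom rule above.
    geoFilters: [
      {
        relativePath: '/admin'
        action: 'Allow'
        countryCodes: [ 'US', 'CA' ]      // placeholder country codes
      }
    ]
    // Associate the WAF policy with this endpoint
    webApplicationFirewallPolicyLink: {
      id: wafPolicy.id
    }
  }
}
```

Deploy with the mode left at its Detection default first, review the WAF log entries produced by the managed rule set and the custom rules, and only then redeploy with `wafMode` set to `Prevention`; switching straight to Prevention is the usual way legitimate traffic gets blocked by an untuned rule set.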
The Web Application Firewall with CDN is billed at a fixed rate per policy along with additional charges for the number of rules used and requests processed.
Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.