Web Application Firewall Overview
Configuring Web Application Firewall
Firewalls play a critical role in securing an environment, but not all firewalls are created equally. While traditional firewalls secure a perimeter, web-based applications require a content-aware solution beyond port and IP address blocking. Azure Web Application Firewall is a cloud-native service that protects web applications from new and well-known web-based attacks.
In this course, we review Azure Web Application Firewall. We examine different options for implementing the Web Application Firewall, including using it with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network. We create and apply rulesets, including Azure managed and user-managed custom rules. We also configure diagnostic logging options and review firewall logs from the Web Application Gateway.
- Configuring detection or prevention mode
- Implementing a WAF policy
- Associating a WAF policy
- Configuring rule sets for Azure Front Door, including Microsoft-managed and user-defined
- Configuring rule sets for Application Gateway, including Microsoft-managed and user-defined
- System administrators with responsibilities for managing web applications
- Security professionals responsible for securing Azure web applications
- Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam
- A basic understanding of networking and security principles
- An Azure subscription (sign up for a free trial at https://azure.microsoft.com/free/ if you don’t have a subscription)
Microsoft offers many solutions to create and support web-based applications. In this section, we review one of those solutions, Azure Front Door, and how it integrates with the Web Application Firewall. Azure Front Door is a globally scalable entry point for web applications hosted in Azure. It uses the Microsoft global edge network to create secure, fast, and scalable web applications.
With Azure Front Door, we can leverage Microsoft's global network to deploy services close to users and direct those users to the best-performing instance of the web application. Front Door provides access to the Microsoft network at the edge, improving performance and reliability. Clients get the most direct path to the best instance of the application. Some of the features available with Azure Front Door include increased performance with Anycast, which allows requests to reach the closest edge location with the fewest hops, and Split TCP, which terminates the client connection at the Front Door edge and establishes a separate, higher-latency TCP connection to the backend on the client's behalf.
Intelligent health probes that monitor the backend resource, URL path-based routing, cookie-based session affinity, SSL offloading and certificate management, and custom domains are also included with the Front Door service. At the time of this recording, there are three versions of Azure Front Door available. The first is Azure Front Door. The Web Application Firewall can be associated with this version of Front Door.
Pricing is based on a fixed charge for the Web Application Firewall plus additional charges for custom and managed rules. Azure Front Door Standard and Premium are also available and are currently in public preview. Public preview offers a limited service-level agreement, or SLA, which should be considered before using it for production workloads. Standard supports only Web Application Firewall custom rules, while Premium fully supports the Web Application Firewall. Pricing for Standard and Premium is based on a set monthly fee with additional data transfer charges.
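As an added example, not part of the course or of Microsoft's own documentation, the Bicep template below shows how the objectives listed at the top of the page (choosing detection or prevention mode, implementing a WAF policy, adding Microsoft-managed and user-defined rules, and associating the policy) come together for Azure Front Door. The policy starts in Detection mode so that the managed and custom rules can be tuned from the firewall logs before it is redeployed with Prevention; it carries the Microsoft-managed Default Rule Set plus two custom rules; and it is attached to an existing Front Door Premium endpoint through a security policy, since, as the transcript notes, managed rules need the Premium tier. All resource names, the `afdProfileName` and `afdEndpointName` parameters, the IP range (a documentation range) and the managed rule set version are assumptions.

```bicep
// Added example: Front Door Premium WAF policy with managed + custom rules,
// attached to an existing Front Door endpoint. All names and values below are assumptions.

param afdProfileName string    // existing Front Door Standard/Premium profile (assumed)
param afdEndpointName string   // existing endpoint in that profile (assumed)

// Start in Detection to tune rules from the logs, then redeploy with 'Prevention'
@allowed([
  'Detection'
  'Prevention'
])
param wafMode string = 'Detection'

// Managed rule set version is an assumption; check the current version before deploying
param managedRuleSetVersion string = '2.1'

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'afdwafpolicyexample'   // policy names are alphanumeric only
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'   // managed rules require Premium; Standard is custom rules only
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: wafMode
      requestBodyCheck: 'Enabled'
      customBlockResponseStatusCode: 403
    }
    customRules: {
      rules: [
        {
          // User-defined rule 1: block a constructed example range (TEST-NET-2 placeholder)
          name: 'BlockExampleRange'
          priority: 100
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'RemoteAddr'
              operator: 'IPMatch'
              negateCondition: false
              matchValue: [
                '198.51.100.0/24'
              ]
            }
          ]
        }
        {
          // User-defined rule 2: rate-limit a sensitive path per client
          name: 'RateLimitLogin'
          priority: 200
          enabledState: 'Enabled'
          ruleType: 'RateLimitRule'
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 100
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'RequestUri'
              operator: 'Contains'
              matchValue: [
                '/login'
              ]
            }
          ]
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          // Microsoft-managed Default Rule Set (OWASP-based)
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: managedRuleSetVersion
          ruleSetAction: 'Block'
        }
      ]
    }
  }
}

// Associate the policy with the endpoint of the existing profile via a security policy
resource afdProfile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
  name: afdProfileName
}

resource wafAssociation 'Microsoft.Cdn/profiles/securityPolicies@2023-05-01' = {
  parent: afdProfile
  name: 'waf-association'
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: {
        id: wafPolicy.id
      }
      associations: [
        {
          domains: [
            {
              id: resourceId('Microsoft.Cdn/profiles/afdEndpoints', afdProfileName, afdEndpointName)
            }
          ]
          patternsToMatch: [
            '/*'
          ]
        }
      ]
    }
  }
}
```

Deploy it once with the default `wafMode`, review the WAF log entries for false positives from the managed rules and the custom rules, then redeploy with `wafMode=Prevention` so the same rules start blocking rather than only logging.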
Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.