Implementing Application Gateway with Web Application Firewall

Let’s implement Web Application Gateway with Web Application Firewall, Assuming the backend is an App Service which is my case, the Custom domain is added to the in-app service with SNI SSL. See Restricting App Service through Application Gateway

The following Naming Convention is used as per Microsoft’s Recommendations, You can always make it flexible in the way you interpret and understand it better.

az – Denotes Azure
vp – Project Reference
uaen – UAE North
appgw – Application Gateway

• az-vp-np-uaen-appgw
• az-vp-np-uaen-appgw-be (Backend )
• az-vp-np-uaen-appgw-rule
• az-vp-np-uaen-appgw-listener
• az-vp-np-uaen-appgw-be-settings
• az-vp-np-uaen-appgw-hb (Health Probe)
• az-vp-np-uaen-appgw-ssl-profile

Let’s create an Application Gateway – Using a Dedicated Subnet for my Application Gateway

Associate a Public IP from a Public IP Prefix

Add a backed Pool

Add Backend pool

Add a routing rule attaching a pfx file (Ideally from Key Vault)

Choose backend Targets – Use Well know CA Certificate

Frontends – Routing Rules and Backend Pools are configured now

Create the Application Gateway

Add Custom Health Probe – Apply Host with backend custom domain

Now the site is up using Application Gateway – The A Record is pointing to Application Gateway. As to have better HA ( High Availability ) you need to use traffic manager or Azure Front Door with CDN for different scenarios. Azure Front door is peace of mind as SSL can be managed and renewed automatically.

Enable WAF V2 – Prevention

OWASP 3.0 is used in this case

Create SSL Profile with TLS 1.3

Update SSL profile in Listener (The one we created above)

Now you can see the CIPHERS are hardened.

• Excellent Article Reference from Microsoft on Protecting GCP Applications (Google Cloud Platform) using Azure WAF
• Excellent Article Reference from Microsoft on Protecting AWS Applications (Amazon Web Services) using Azure WAF