Secure your web application with an Azure WAF (Web Application Firewall)
In our article, we will explore how to configure an Azure Web Application Firewall (WAF).
The article will provide real-life examples of application configurations, but please note that the configuration will depend on your specific implementation scenario.
Table of Contents
- What is an Azure Web Application Firewall (WAF)
- What to choose between Front Door and Application Gateway
- Scenario and architecture for WAF implementation
- Prerequisite
- Create Azure Front Door
- Configure the Azure Front Door
- Test the connection of two applications through the WAF
- Coming soon
1. Azure Web Application Firewall (WAF)
Azure WAF (Web Application Firewall) is a cloud-based security service provided by Microsoft Azure. It helps protect web applications from common web vulnerabilities and attacks, such as SQL injection, cross-site scripting (XSS), and session hijacking. By analyzing incoming HTTP/S traffic, Azure WAF can detect and block malicious requests, providing an additional layer of security for your web applications.
It offers customizable rule sets, real-time monitoring, and integration with Azure services, making it an effective solution for safeguarding your web applications in the cloud.
To implement the WAF, you can choose between using an Azure Application Gateway or an Azure Front Door.
2. What to choose between Front Door and Application Gateway?
We won’t go into a detailed comparison between Azure Front Door and Application Gateway, but it’s important to note that the WAF is natively implemented in both resources.
One major difference to consider is that Azure Front Door allows request distribution across multiple regions, ensuring high availability and global scale. On the other hand, Application Gateway operates at a regional level, balancing requests within a specific region to optimize performance and resource utilization.
For our WAF implementation example, we will use Azure Front Door.
3. Scenario and architecture for WAF implementation
Here is the architecture we propose for WAF implementation. It is very simple: we will place the WAF between the users and the applications to secure the traffic, and it will forward each received request to the corresponding application.
4. Prerequisite
For the needs of WAF implementation, we will create two web applications (App Service -> Web App) on Azure. We won’t go into detail about this creation, but you can refer to this article that explains how to create a web application in Azure.
For the WAF implementation, we will create two PHP web apps:
- waf-webapp-1 => https://waf-webapp-1.azurewebsites.net
- waf-webapp-2 => https://waf-webapp-2.azurewebsites.net
5. Create Azure Front Door
Create a resource group “RG-waf” to gather all the resources for the WAF.
In the search bar, search for “Front door” and select “Front door and CDN profiles.”
Click “+ Create”
- Choose “Custom create”
- Select the previously created resource group and provide a name for your Front Door.
- Choose a Premium Tier that includes a WAF.
- Go to tab “Endpoint”
- Add an endpoint: An endpoint refers to a specific destination where your application or service is hosted. It represents the backend pool or origin that Front Door uses to route incoming requests.
These endpoints can be Azure Web Apps, Azure Functions, or any other publicly accessible resource. Front Door acts as a global entry point that intelligently routes traffic to these endpoints based on its routing rules and load-balancing algorithms.
As the name of the endpoint, you can choose a name that suits you.
Click on “Add”
After creating the endpoint, we will proceed to create routes.
Click on “+ add route”
During the creation of our first route, we will create a custom domain.
- Give a name to your route: webapp1
- On Domain, click on “Add a new domain”
- On “Add a domain”, choose “All other DNS services” for DNS management and then add your custom domain, for example webapp1.your-domain.com. This allows Front Door to route incoming requests for that specific domain to the appropriate endpoint or backend resource associated with the route.
Click on “Add” to add the new domain
On Origin group, click on “Add a new origin group”
An origin refers to the backend resource that the route will be associated with.
Give a Name to your origin, and then click on “Add an origin”
- Give a name
- Origin type: Custom
- Host name: URL of your web application. In our example, we have created a web app that is hosted on Azure and has a specific URL. It is this URL that we are referring to as the origin in the context of creating a route on Azure Front Door.
Click on “Add”
Our origin was added
Click on “Add”
I don’t want to lose you, we are still in the step of creating a route in the process of creating an Azure Front Door 😅
Click on “Add” to add our first route.
And if I try to diagram this:
After completing the creation of the Front Door, we will add the remaining routes.
“Review + create”
“create” the Front Door
The creation of the Front Door may take a few minutes.
6. Configure the Azure Front Door
Go to the “Domains” menu in your Azure Front Door
We need to validate our domain name.
For our example, our domain is hosted with OVH, so we will follow the procedure directly with OVH. However, this process is applicable to any domain registrar.
Click on “Pending”
Add a TXT record at your domain registrar with the values indicated
On OVH:
The domain validation is now OK.
We must also add a CNAME entry at our domain registrar to associate the subdomain with the endpoint.
As mentioned in our scenario, both applications will point to the WAF URL (each application's domain resolves to the WAF, and the WAF then routes each domain to the requested application), so we need a CNAME entry instead of an A entry.
You will be happy to see in the DNS state that: Traffic is delivered securely …
You can add as many domains as you want …
For our example, we will similarly add a webapp2 (including adding the route, origin, domain, configuration in your domain registrar, etc.).
7. Test the connection of the two applications through the WAF
We have created a web app2 in the same manner and followed the same steps to place our web app 2 behind the WAF.
We need to ensure that our two web applications are indeed behind the WAF.
The simplest way is to ping both URLs and verify that they respond with the same IP address, that of the firewall, rather than their respective individual IPs.
Our two URLs now point to the same IP, which is the IP address of the firewall.
If you access both of your URLs, they should be routed through the WAF and reach their respective web applications behind the firewall. This ensures that the traffic is filtered and protected by the WAF before reaching the applications.
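The CNAME setup from section 6 and the ping comparison from section 7 can be scripted, so that a domain still pointing straight at its web app is flagged. This is an added example, not code from the original article; the webapp2 hostname, the Front Door endpoint name and the IP addresses in the sample data are constructed placeholders.

```python
import socket

AFD_SUFFIX = ".azurefd.net"  # suffix of default Front Door endpoint hostnames
DOMAINS = ["webapp1.your-domain.com", "webapp2.your-domain.com"]  # webapp2 name assumed
ORIGINS = ["waf-webapp-1.azurewebsites.net", "waf-webapp-2.azurewebsites.net"]

# Constructed sample answers in socket.gethostbyname_ex() form:
# (canonical name, aliases, IPv4 list). Endpoint name and IPs are placeholders.
SAMPLE_DNS = {
    "webapp1.your-domain.com": ("edge.example.net",
        ["webapp1.your-domain.com", "endpoint-placeholder.z01.azurefd.net"],
        ["203.0.113.10"]),
    # Misconfigured on purpose: this CNAME points straight at the web app.
    "webapp2.your-domain.com": ("waf-webapp-2.azurewebsites.net",
        ["webapp2.your-domain.com"], ["198.51.100.22"]),
    "waf-webapp-1.azurewebsites.net": ("waf-webapp-1.azurewebsites.net", [], ["198.51.100.21"]),
    "waf-webapp-2.azurewebsites.net": ("waf-webapp-2.azurewebsites.net", [], ["198.51.100.22"]),
}

def lookup(host, resolve):
    """Return (every name seen in the CNAME chain, set of IPv4 addresses)."""
    canonical, aliases, ips = resolve(host)
    names = {n.rstrip(".").lower() for n in (host, canonical, *aliases)}
    return names, set(ips)

def check_behind_front_door(domains, origins, resolve=socket.gethostbyname_ex):
    """Map each custom domain to a list of problems (empty list = as expected)."""
    origin_ips = set()
    for origin in origins:
        origin_ips |= lookup(origin, resolve)[1]
    report, first_ips = {}, None
    for domain in domains:
        names, ips = lookup(domain, resolve)
        problems = []
        if not any(n.endswith(AFD_SUFFIX) for n in names):
            problems.append("no azurefd.net name in CNAME chain")
        if ips & origin_ips:
            problems.append("resolves to an origin IP")
        if first_ips is None:
            first_ips = ips
        elif not ips & first_ips:
            problems.append("shares no IP with the first domain")
        report[domain] = problems
    return report

if __name__ == "__main__":
    # Offline run on the constructed answers; omit the third argument for live DNS.
    for name, problems in check_behind_front_door(DOMAINS, ORIGINS, SAMPLE_DNS.__getitem__).items():
        print(name, "OK" if not problems else problems)
```

A clean report shows only that DNS sends clients to Front Door; whether the azurewebsites.net hostnames still accept direct requests has to be checked separately.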
8. Coming soon
This article has shown us the first step in using an Azure WAF through a Front Door. In future articles, we will explore:
- how to manage security policies to allow or deny traffic,
- add exceptions,
- read logs,
- find solutions to various issues,
- …