3

I have a VNET with two App Services and one Windows VM in Azure. They are in the same VNET using VPN point-to-site.

I want to protect this environment with a WAF and have read that I can use Application Gateway WAF instead of the very expensive setup with App Service Environment and Barracuda.

Could anyone please explain how I can achieve this? The closest I have found is https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-portal .

asgautm
  • Questions asking us to recommend or find a book, tool, software library, tutorial or other off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it. – astaykov Feb 15 '17 at 19:11
  • I have created an Application Gateway now and I would like to protect my whole VNET, as explained above, with this Gateway using the new WAF feature in Application Gateway. I need help on how to start using the feature, and on how to connect the VNET to the Application Gateway. – asgautm Feb 16 '17 at 19:27

3 Answers

3

In case someone has the same question, starting from July 2017, the Azure Application Gateway with Web Application Firewall supports App Services deployed in the multi-tenant environment. As described here.

More information on how to configure it here.

Paco de la Cruz
  • 1
    That's great, it doesn't explain how to then lock down access to the app service such that you can only go through the gateway to get to the app service – johnstaveley Aug 31 '17 at 10:26
  • 1
    @johnstaveley - appreciate things change and this feature may not have been available at the time however App Service IP Restrictions are available on App Service. This could be the right solution however given that we know public IPs assigned to App Gateways may change, this may or may not be the best way to achieve this. – Lewis Mar 07 '18 at 21:33
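An added example, not code from either answer or from Microsoft, showing the setup the links above describe together with the lock-down johnstaveley asked about: an Application Gateway WAF_v2 in front of a multi-tenant App Service, with the app's access restrictions then limited to the gateway subnet. It is written as Azure CLI calls in a POSIX shell script; the resource group, VNet, subnet, gateway and app names are assumptions, and it uses the per-gateway `waf-config` rather than a separate WAF policy. The script prints its plan by default and only executes when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the original answers). Dry run by default: set
# APPLY=1 to execute against a subscription you are logged in to with `az`.
# All names below are assumptions; adjust them to your environment.
set -eu

RG="${RG:-rg-waf-demo}"                # assumed resource group
LOC="${LOC:-westeurope}"
VNET="${VNET:-vnet-demo}"              # the existing VNet from the question
AGW_SUBNET="${AGW_SUBNET:-snet-agw}"   # dedicated subnet: the gateway must be alone in it
AGW="${AGW:-agw-waf}"
PIP="${PIP:-pip-agw}"
APP="${APP:-app1-demo}"                # assumed App Service (Web App) name
APP_FQDN="$APP.azurewebsites.net"

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 1. Gateway with a static Standard-SKU public IP. v2 requires one, so the
#    front-end address does not change, which was the concern raised above.
create_gateway() {
  run az network public-ip create -g "$RG" -n "$PIP" \
    --sku Standard --allocation-method Static
  run az network application-gateway create -g "$RG" -n "$AGW" -l "$LOC" \
    --sku WAF_v2 --capacity 2 --priority 100 \
    --vnet-name "$VNET" --subnet "$AGW_SUBNET" --public-ip-address "$PIP" \
    --servers "$APP_FQDN" \
    --http-settings-port 443 --http-settings-protocol Https
  # Multi-tenant App Service routes on the Host header, so the gateway must
  # forward the backend's own FQDN instead of the listener's host name.
  run az network application-gateway http-settings update -g "$RG" \
    --gateway-name "$AGW" -n appGatewayBackendHttpSettings \
    --host-name-from-backend-pool true
  # WAF on, in blocking mode, with the OWASP core rule set.
  run az network application-gateway waf-config set -g "$RG" \
    --gateway-name "$AGW" --enabled true --firewall-mode Prevention \
    --rule-set-type OWASP --rule-set-version 3.2
}

# 2. Restrict the app to the gateway subnet through a Microsoft.Web service
#    endpoint, so the rule does not depend on any public IP at all.
lock_down_webapp() {
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" \
    -n "$AGW_SUBNET" --service-endpoints Microsoft.Web
  run az webapp config access-restriction add -g "$RG" -n "$APP" \
    --rule-name allow-agw --action Allow --priority 100 \
    --vnet-name "$VNET" --subnet "$AGW_SUBNET"
  # Once at least one Allow rule exists, App Service appends an implicit
  # deny-all, so no explicit deny rule is needed.
}

create_gateway
lock_down_webapp
```

Without the subnet-based restriction, the allow rule would have to name the gateway's public IP (`--ip-address <ip>/32`), which is exactly the address that may change on the v1 SKU; the static IP of v2 or the service-endpoint rule removes that dependency. The generated listener is HTTP on port 80; terminating TLS on the gateway additionally needs a certificate on an HTTPS listener.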
2

Support for Azure Web Apps as a backend pool member is not currently available on Application Gateway. However, for App Service Environment (ASE) there is a workaround possible. Refer to this blog post - http://sabbour.me/how-to-run-an-app-service-behind-a-waf-enabled-application-gateway/

amsriva-msft
1

You can use an NSG to lock down the Internet calls and only allow calls from the AG to the ASE.

Daniël
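An added example, not from the answer above, of the NSG it describes for the ASE subnet: HTTPS is admitted only from the Application Gateway subnet, and the rest of the Internet is denied. It is Azure CLI in a POSIX shell script; the resource names and the gateway subnet prefix are assumptions. The management rules apply to ASEv2, which stops working if the platform cannot reach ports 454-455 from the `AppServiceManagement` service tag; ASEv3 does not need them. The script prints its plan by default and executes when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the original answer). Dry run by default: set
# APPLY=1 to execute. Names and address prefixes are assumptions.
set -eu

RG="${RG:-rg-waf-demo}"
VNET="${VNET:-vnet-demo}"
ASE_SUBNET="${ASE_SUBNET:-snet-ase}"        # subnet the ASE is deployed into
NSG="${NSG:-nsg-ase}"
AGW_PREFIX="${AGW_PREFIX:-10.0.1.0/24}"     # assumed address range of the gateway subnet

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# rule NAME PRIORITY ACCESS SOURCE DEST_PORTS: one inbound TCP rule on the NSG.
rule() {
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$1" \
    --priority "$2" --direction Inbound --access "$3" --protocol Tcp \
    --source-address-prefixes "$4" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges "$5"
}

apply_ase_nsg() {
  run az network nsg create -g "$RG" -n "$NSG"
  # ASEv2 platform management traffic; unrelated to the gateway but it must
  # sit above the deny or the environment becomes unhealthy.
  rule allow-ase-mgmt 100 Allow AppServiceManagement 454-455
  rule allow-azure-lb 110 Allow AzureLoadBalancer '*'
  # Only the gateway subnet may reach the apps.
  rule allow-from-agw 200 Allow "$AGW_PREFIX" 443
  # Everything else arriving from the Internet is dropped. Traffic from inside
  # the VNet (e.g. the VM over point-to-site) is still allowed by the default
  # AllowVnetInBound rule at priority 65000.
  rule deny-internet 4000 Deny Internet '*'
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" \
    -n "$ASE_SUBNET" --network-security-group "$NSG"
}

apply_ase_nsg
```

Lower priority numbers win, so the order here matters: the two management allows and the gateway allow must all have smaller numbers than the Internet deny. Checking the effective rules afterwards (`az network nic list-effective-nsg` on an ASE-hosted NIC, or the portal's effective security rules view) is the quickest way to confirm nothing else reaches port 443.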