
I apologize if this is totally obvious, but I'm wracking my brain and missing something.

We have multiple web apps in Azure, and want to implement WAF for IPS. I've got everything set up, and my subdomain will resolve to the AG and then to the web app. It seems like it works (except that the URL is the internal FQDN of the Azure Web App, which is somehow a problem with my DNS).

I cannot seem to determine if traffic is continuing to go through the AG, or is now somehow handing off the connection and not going through the AG. I see an initial request, but how do I see that the traffic back and forth is actually being inspected according to the OWASP 3.0 rules the WAF is supposed to provide?

I'm certain I'm going to feel like an idiot when the answer comes, but I've spent hours and hours and hours trying to figure out if this actually works, or if I'm misunderstanding the solution.

  • If you do a DNS query for the A record for your sub-domain, does it result in your AG IP address? – juunas Jun 07 '18 at 16:40
  • Because the AG uses a public IP that isn't static, they suggest we use a CNAME to the DNS name of the AG. When I do a DNS query, it goes to the AG public IP DNS name. – Master Solutions Jun 07 '18 at 19:27
  • Okay, so it goes to the AG's domain name? If you get the A record for that, do you get the AG's IP address? If yes, then the traffic goes through it. – juunas Jun 07 '18 at 19:29
  • I'm no network specialist, but I've configured Application Analytics once to see how it works. Here is the link: https://learn.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-networking-analytics. It may help. – Evandro de Paula Jun 08 '18 at 03:20
  • Now of course if you use redirections in AG, those won't go through it. – juunas Jun 08 '18 at 11:09
  • I'm sorry I didn't see the subsequent replies. I do get the IP of the AG when using DNS. I don't know that we use any redirection. – Master Solutions Jun 11 '18 at 15:49

1 Answer


I would suggest you lock down the Web App using IP restrictions so that it only accepts connections from the Application Gateway VIP. That way, if a request is not routed via the WAF, it would not get served. You could also enable metrics and diagnostic logs on the Application Gateway and check the request/response logs and WAF logs to ensure that requests are coming through the Application Gateway.

amsriva-msft
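The answer's two checks (inspect the gateway's access and WAF diagnostic logs, and make sure nothing reaches the Web App except from the gateway VIP) can be automated once the logs are exported. The script below is an added example, not code from the question or the answer: it correlates constructed sample records in the shape of the ApplicationGatewayAccessLog and ApplicationGatewayFirewallLog categories to show which requests traversed the gateway, which OWASP 3.0 rules fired, and which were blocked, then flags client IPs in the Web App's own logs that are not the gateway VIP. The record field names follow the diagnostic-log schema but every value, the gateway VIP and the App Service client IPs are made up, and the assumption that both log categories share a transactionId is ours.

```python
"""Correlate Application Gateway diagnostic logs to confirm WAF traversal.

Added example, not code from the original post. Record shapes follow the
ApplicationGatewayAccessLog / ApplicationGatewayFirewallLog categories, but
all values are constructed, and joining the two on transactionId is an
assumption of this example.
"""
import ipaddress
import json
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _access(tid: str, ip: str, uri: str, status: int) -> dict:
    """Constructed access-log record (what the gateway saw and returned)."""
    return {"category": "ApplicationGatewayAccessLog",
            "properties": {"clientIP": ip, "httpMethod": "GET", "requestUri": uri,
                           "host": "app.example.com", "httpStatus": status,
                           "transactionId": tid}}


def _waf(tid: str, ip: str, uri: str, rule_id: str, action: str) -> dict:
    """Constructed firewall-log record (one rule match on one request)."""
    return {"category": "ApplicationGatewayFirewallLog",
            "properties": {"clientIp": ip, "requestUri": uri, "ruleSetType": "OWASP",
                           "ruleSetVersion": "3.0", "ruleId": rule_id, "action": action,
                           "hostname": "app.example.com", "transactionId": tid}}


# t-0001: clean request. t-0002: SQL-injection probe blocked in Prevention mode
# (the access log still records it, with a 403). t-0003: a low-severity rule
# matched but the anomaly score stayed under the threshold, so it was served.
SQLI = "/products?id=7%27%20OR%201%3D1--"
SAMPLE_LOG_LINES: List[str] = [json.dumps(r) for r in [
    _access("t-0001", "203.0.113.10", "/products?id=7", 200),
    _waf("t-0002", "198.51.100.7", SQLI, "942100", "Blocked"),
    _waf("t-0002", "198.51.100.7", SQLI, "949110", "Blocked"),
    _access("t-0002", "198.51.100.7", SQLI, 403),
    _waf("t-0003", "192.0.2.44", "/search?q=azure", "920300", "Matched"),
    _access("t-0003", "192.0.2.44", "/search?q=azure", 200),
]]

# Hypothetical gateway VIP and the client IPs the Web App itself logged.
GATEWAY_VIP = "203.0.113.200"
SAMPLE_APP_SERVICE_CLIENT_IPS = ["203.0.113.200", "203.0.113.200", "198.51.100.99"]


@dataclass
class RequestVerdict:
    transaction_id: str
    client_ip: str
    request_uri: str
    http_status: Optional[int] = None  # None: no access-log entry seen
    waf_rules: List[str] = field(default_factory=list)
    blocked: bool = False


def correlate(lines: List[str]) -> Dict[str, RequestVerdict]:
    """Join access and firewall entries on transactionId, in any arrival order."""
    verdicts: Dict[str, RequestVerdict] = {}
    for line in lines:
        rec = json.loads(line)
        p = rec["properties"]
        tid = p["transactionId"]
        if rec["category"] == "ApplicationGatewayAccessLog":
            v = verdicts.setdefault(tid, RequestVerdict(tid, p["clientIP"], p["requestUri"]))
            v.http_status = p["httpStatus"]
        elif rec["category"] == "ApplicationGatewayFirewallLog":
            v = verdicts.setdefault(tid, RequestVerdict(tid, p["clientIp"], p["requestUri"]))
            v.waf_rules.append(p["ruleId"])
            v.blocked = v.blocked or p["action"] == "Blocked"
    return verdicts


def summarize(verdicts: Dict[str, RequestVerdict]) -> dict:
    """Counts worth checking: traversed the gateway, matched a rule, blocked, by rule."""
    vs = verdicts.values()
    return {
        "requests_seen_at_gateway": sum(v.http_status is not None for v in vs),
        "requests_with_waf_matches": sum(bool(v.waf_rules) for v in vs),
        "requests_blocked": sum(v.blocked for v in vs),
        "rule_hits": Counter(r for v in vs for r in v.waf_rules),
    }


def bypass_attempts(app_client_ips: List[str], gateway_vip: str) -> List[str]:
    """Client IPs the Web App saw that are not the gateway VIP. With the IP
    restriction from the answer in place this must be empty; any entry is a
    request that reached the app without passing through the WAF."""
    vip = ipaddress.ip_address(gateway_vip)
    return sorted({ip for ip in app_client_ips if ipaddress.ip_address(ip) != vip})


if __name__ == "__main__":
    verdicts = correlate(SAMPLE_LOG_LINES)
    for v in verdicts.values():
        print(v)
    print(summarize(verdicts))
    print("bypass attempts:", bypass_attempts(SAMPLE_APP_SERVICE_CLIENT_IPS, GATEWAY_VIP))
```

On the sample data the summary reports three requests seen at the gateway, two with WAF matches and one blocked, and the bypass check returns the one App Service client IP that is not the gateway VIP. Against real exports, feed `correlate` the JSON lines from the diagnostic setting's storage account or Log Analytics query, and feed `bypass_attempts` the client IPs from the Web App's own HTTP logs; a non-empty result from the latter is the direct evidence that some path around the gateway is still open.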