I have been messing around with Azure trying to get a web app up and running. My plan was to create a WAF and site the web app behind that, each in a separate subnet, and then to use the service endpoint tech to point the web app to a database.

I have been stopped in my tracks almost straight away with the revelation that if I want to use a WAF in front of the web app I have to configure the networking in the web app, but when I choose a VNet it says that no gateway is configured for the selected VNet.

My question is: do I have to use point-to-site VPN to get this setup working? I thought that it would work like

INTERNET ---> VNET ----> subnet ----> WAF -----> subnet -----> web app ----> service endpoint ------> DB

but that doesn't seem to be the case. I am not keen on the idea of having to install a client certificate on every machine in our network that might want to access this website (it is currently internal). I suppose I am looking for the best of both worlds: accessible from the internet, but with the added comfort of having something like a WAF sitting in front of it to make up for any security inadequacies which might exist somewhere in said app.

Thanks

neuro
MrKobayashi

2 Answers

1

If you want to use Azure WAF with Azure App Service (multi-tenant) you can; you just need to ensure you are supplying the host header with your request.


If you want your Azure Web App on a VNet, you will need to run your Azure Web App on an App Service Environment (Isolated). This version of Azure Web App is more expensive but allows you to apply NSGs to the VNet to fully control access to your web app. Personally I think WAF with Azure App Service (multi-tenant) should meet your needs.

We have it all documented here:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-web-app-overview

https://learn.microsoft.com/en-us/azure/application-gateway/configure-web-app-portal

Ken W - Zero Networks
1

As far as I know, you could not deploy a web app in a VNet unless you are using the App Service Environment (Isolated). App VNet integration could not do it. It allows you to securely access resources in a VNet. For example, say you have a database on an Azure VM in a private VNet. You could not access this database from an Azure web app if the database is not available publicly, but you could reach it via app VNet integration.

VNet service endpoints are a different service. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. If you enable such a service endpoint for, say, an Azure SQL database (which differs from a database on an Azure VM) in a VNet, this means only the resources in these authorized VNets can access your SQL database, unless you add an exclusion like a public IP address in the firewall of the database.

In this case, you could put a public-facing Azure application gateway in front of the web app, then add the Azure application gateway public IP to the IP restrictions of the web app. This will restrict access to the web app to the Azure application gateway over the Internet. Also, you could control network inbound and outbound traffic in the Azure application gateway subnet NSG. See Network security groups on the Application Gateway subnet if you want to add an NSG at the application gateway subnet level. I think these are enough if you just want to create a WAF and site the web app behind that.

Furthermore, if you want to let the web app privately access the Azure SQL database, you could deploy the web app in an ASE, then enable the VNet service endpoint for Azure SQL database. App VNet integration does not need to be used with the service endpoint.

Nancy
  • This is what I ended up doing. But I have just come across this answer. So I have a VNet with just the WAF in. The App Service is not in the VNet. The App Service has restriction policies only allowing access from the WAF. This is currently working. Next steps: - Need to create an Azure SQL DB and allow the web app to talk to it. Hoping I can restrict access from only the web app somehow. - Need to figure out how I can get the SSL cert registered for the azurewebsites.net domain to work with the web app gateway, as at the moment I have a CNAME entry and it is only working over HTTP. – MrKobayashi Apr 25 '19 at 13:07
  • 1
    `Need to create an Azure SQL DB and allow the web app to talk to it.` For this, since the Azure SQL DB service can restrict network access by IP address or subnet, you could whitelist the web app's possible outbound IP addresses or deploy the web app in an ASE. The last question is different; I suggest posting a new question. – Nancy Apr 26 '19 at 06:02
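The two answers and the follow-up comments describe one topology: an Application Gateway WAF in front, the multi-tenant App Service restricted to the gateway's public IP (with the host header supplied to the backend), and Azure SQL restricted to the web app's possible outbound IPs. The script below is an added example, not code from the thread or from Microsoft: it audits exported JSON for the three mistakes that quietly defeat that design (an Allow rule wider than the gateway's /32, the SCM/Kudu site left open, SQL firewall rules that miss some of `possibleOutboundIpAddresses` or admit all of Azure, and a backend HTTP setting that never sets the Host header). The field names follow the documented Azure CLI output shapes and are assumed here; every IP address and rule in the sample data is constructed, not captured.

```python
"""Audit the 'WAF in front, App Service restricted to the WAF, SQL restricted to
the app' topology from the thread.  Added example, not code from the original
post or from Microsoft.  Input shapes follow the Azure CLI JSON output of
`az webapp config access-restriction show`, `az webapp show`,
`az sql server firewall-rule list` and `az network application-gateway
http-settings list`; the field names are assumed from the documented resource
schemas and the sample values below are constructed, not captured."""
import ipaddress

# --- constructed sample data (not real addresses) ---------------------------
AGW_PUBLIC_IP = "20.50.60.70"          # assumed frontend IP of the Application Gateway

ACCESS_RESTRICTIONS = {                # az webapp config access-restriction show
    "ipSecurityRestrictions": [
        {"name": "AllowAGW", "action": "Allow", "priority": 100, "ipAddress": "20.50.60.70/32"},
        {"name": "Deny all", "action": "Deny", "priority": 2147483647, "ipAddress": "Any"},
    ],
    # the SCM/Kudu site is often forgotten and left wide open
    "scmIpSecurityRestrictions": [
        {"name": "Allow all", "action": "Allow", "priority": 2147483647, "ipAddress": "Any"},
    ],
}

WEBAPP = {                             # az webapp show (comma-separated strings)
    "outboundIpAddresses": "40.1.1.1,40.1.1.2",
    "possibleOutboundIpAddresses": "40.1.1.1,40.1.1.2,40.1.1.3,40.1.1.4",
}

SQL_FIREWALL_RULES = [                 # az sql server firewall-rule list
    {"name": "app-1", "startIpAddress": "40.1.1.1", "endIpAddress": "40.1.1.2"},
    # 0.0.0.0-0.0.0.0 is the "Allow Azure services" switch: any Azure tenant, not just yours
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
]

HTTP_SETTINGS = [                      # az network application-gateway http-settings list
    {"name": "appGatewayBackendHttpSettings", "port": 443, "protocol": "Https",
     "pickHostNameFromBackendAddress": False, "hostName": None},
]


def check_front_door(restrictions, agw_ip):
    """The only Allow rule on the main site *and* the SCM site should be the
    gateway's /32; anything wider lets callers bypass the WAF entirely."""
    gateway = ipaddress.ip_network(f"{agw_ip}/32")
    findings = []
    for key, label in (("ipSecurityRestrictions", "main"), ("scmIpSecurityRestrictions", "scm")):
        rules = restrictions.get(key) or []
        if not rules:  # App Service applies no implicit deny until at least one rule exists
            findings.append(f"{label}: no rules, so the site is unrestricted")
        for rule in rules:
            if rule["action"] != "Allow":
                continue
            if rule["ipAddress"] == "Any":
                findings.append(f"{label}: rule '{rule['name']}' admits any source")
            elif ipaddress.ip_network(rule["ipAddress"], strict=False) != gateway:
                findings.append(f"{label}: rule '{rule['name']}' admits {rule['ipAddress']}, "
                                f"not only the gateway /32")
    return findings


def check_sql_firewall(webapp, rules):
    """Every address the app *could* egress from (possibleOutboundIpAddresses,
    not just outboundIpAddresses) must be covered, and no rule may admit
    addresses outside that set."""
    possible = [ipaddress.ip_address(s) for s in webapp["possibleOutboundIpAddresses"].split(",") if s]
    ranges = [(ipaddress.ip_address(r["startIpAddress"]), ipaddress.ip_address(r["endIpAddress"]), r["name"])
              for r in rules]
    missing = [str(ip) for ip in possible if not any(lo <= ip <= hi for lo, hi, _ in ranges)]
    # a range is over-broad when it spans more addresses than the app IPs it actually contains
    overbroad = [name for lo, hi, name in ranges
                 if int(hi) - int(lo) + 1 > sum(1 for ip in possible if lo <= ip <= hi)]
    return {"missing": missing, "overbroad": overbroad}


def check_host_header(http_settings):
    """Multi-tenant App Service routes on the Host header, so each backend HTTP
    setting must pick the host name from the backend address or set one explicitly."""
    return [s["name"] for s in http_settings
            if not s.get("pickHostNameFromBackendAddress") and not s.get("hostName")]


def audit(restrictions, agw_ip, webapp, sql_rules, http_settings):
    """Run all three checks; an empty list/dict of findings means the topology holds."""
    return {
        "front_door": check_front_door(restrictions, agw_ip),
        "sql": check_sql_firewall(webapp, sql_rules),
        "host_header": check_host_header(http_settings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(ACCESS_RESTRICTIONS, AGW_PUBLIC_IP, WEBAPP,
                           SQL_FIREWALL_RULES, HTTP_SETTINGS), indent=2))
```

On the constructed data the audit reports the SCM site as open, two possible outbound IPs missing from the SQL firewall plus the over-broad "Allow Azure services" rule, and the backend HTTP setting as not supplying a host name. To run it against a real deployment, replace the four constants with the `-o json` output of the commands named in the docstring; the SQL check deliberately keys on `possibleOutboundIpAddresses`, because the shorter `outboundIpAddresses` list can change when the app is scaled or moved.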