
Assuming I'm using a non-isolated App Service, the recommendation to protect the web app against DDoS-style attacks is to put a firewall in front of it. My question: even if I have done the following:

App Service (IP configured to allow WAF IPs only) -- WAF (with all security layers) -- Internet

Why would a malicious actor go through WAF? Am I not still as secure as the native security offered by App Service? If all I want is to whitelist certain IPs (no layer 7 rules), do I get any additional benefit with WAF?

rahulga

1 Answer


Why would a malicious actor go through WAF?

When a user sends a request to the server, it goes through the WAF first, not directly to the server. Here is a diagram from the doc which describes the flow:

[diagram: request flow from the client through the WAF to the backend]

Am I not still as secure as the native security offered by App Service?

No, you will still be as secure as the native security offered by App Service.

If all I want is to whitelist certain IPs (no layer 7 rules), do I get any additional benefit with WAF?

As far as I know, no additional benefit with WAF.

Ivan Glasenberg

  • Thanks for the reply. The diagram you mentioned isn't the use case I'm talking about. The diagram talks about an example use case using VMs, while my question is pertaining to App Services. With App Services you can never block its public endpoint that Microsoft manages unless we are using an isolated plan. So essentially, when we put a WAF in front of App Services we are really never truly funneling all traffic through the WAF. There's always a public endpoint available that is accessible without the WAF, and its access is managed by App Service rules (not WAF rules). VM is altogether a different case. – rahulga Apr 08 '21 at 12:37
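The comment's point is that the App Service public endpoint stays reachable and is governed by the app's own access-restriction rules rather than the WAF's, so the thing worth checking is those rules: the WAF egress ranges are allowed, an arbitrary internet address is denied, no Allow-from-Any rule defeats the list, and the separate scm (Kudu) endpoint is restricted too. The following is an added example, not code from the question, the answer, or Microsoft: a small Python audit over a listing in the shape returned by `az webapp config access-restriction show` (the field names `ipSecurityRestrictions`, `scmIpSecurityRestrictions`, `scmIpSecurityRestrictionsUseMain`, `ipAddress`, `action`, `priority` are assumed from the Azure CLI output). The sample JSON, the WAF egress ranges and the probe address are constructed for the demo.

```python
"""Audit App Service access restrictions: only the WAF's egress addresses may
reach the public endpoint; everything else must fall through to a Deny.
Added example; the input shape mirrors `az webapp config access-restriction show`
(assumed field names), and all values below are constructed."""
import ipaddress
import json

# Constructed sample of the CLI output: main site allow-lists two WAF ranges
# and denies the rest, but the scm site was left wide open.
SAMPLE = json.dumps({
    "ipSecurityRestrictions": [
        {"name": "AllowWafA", "action": "Allow", "priority": 100,
         "ipAddress": "203.0.113.0/24"},
        {"name": "AllowWafB", "action": "Allow", "priority": 110,
         "ipAddress": "198.51.100.10/32"},
        {"name": "Deny all", "action": "Deny", "priority": 2147483647,
         "ipAddress": "Any"},
    ],
    "scmIpSecurityRestrictions": [
        {"name": "Allow all", "action": "Allow", "priority": 2147483647,
         "ipAddress": "Any"},
    ],
    "scmIpSecurityRestrictionsUseMain": False,
})

# Constructed: the ranges the WAF actually egresses from. In Azure you would
# take these from the gateway's outbound IPs (or use a service tag instead).
WAF_EGRESS = ["203.0.113.0/24", "198.51.100.10/32"]


def effective_action(rules, client_ip):
    """Evaluate rules the way App Service does: lowest priority number wins and
    'Any' matches every address. If explicit entries exist but none match, the
    service applies an implicit Deny; with no entries at all, everything is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for r in sorted(rules, key=lambda r: r.get("priority", 2147483647)):
        addr = r.get("ipAddress", "Any")
        if addr == "Any" or ip in ipaddress.ip_network(addr, strict=False):
            return r.get("action", "Allow")
    has_explicit = any(r.get("ipAddress", "Any") != "Any" for r in rules)
    return "Deny" if has_explicit else "Allow"


def audit(show_json, waf_egress, probe_ip="192.0.2.50"):
    """Return a list of findings; an empty list means the rules match the intent."""
    cfg = json.loads(show_json)
    findings = []
    main = cfg.get("ipSecurityRestrictions", [])
    allowed = [ipaddress.ip_network(r["ipAddress"], strict=False)
               for r in main
               if r.get("action") == "Allow" and r.get("ipAddress", "Any") != "Any"]

    # 1. Every WAF egress range needs an explicit Allow on the main site.
    for cidr in waf_egress:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append(f"WAF egress {cidr} is not allowed on the main site")

    # 2. An address that is not the WAF must be denied on the main site.
    if effective_action(main, probe_ip) != "Deny":
        findings.append(f"main site still reachable from {probe_ip}")

    # 3. An Allow-from-Any rule anywhere in the list defeats the allow-list.
    if any(r.get("action") == "Allow" and r.get("ipAddress", "Any") == "Any"
           for r in main):
        findings.append("main site has an Allow-from-Any rule")

    # 4. The scm/Kudu site is its own endpoint with its own rules unless it
    #    inherits the main list; it must be closed the same way.
    scm = main if cfg.get("scmIpSecurityRestrictionsUseMain") \
        else cfg.get("scmIpSecurityRestrictions", [])
    if effective_action(scm, probe_ip) != "Deny":
        findings.append(f"scm site still reachable from {probe_ip}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE, WAF_EGRESS) or ["no findings"]:
        print(f)
```

Run against the constructed sample, the only finding is the open scm site; the fix is to restrict `scmIpSecurityRestrictions` the same way or set `scmIpSecurityRestrictionsUseMain` to true. Locking the address list is the native control the question asks about; it does not prevent someone who obtains a WAF egress address from reaching the app, which is why the WAF's own layer-7 inspection is the part the allow-list cannot replace.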