This article is part of our upcoming series on Microsoft Azure’s security services, geared towards DevSecOps and DevOps engineers. In these blog posts, we will be exploring how we can stand up Azure’s services via Infrastructure as Code to secure web applications and other services deployed in the cloud hosting platform.
To start with, we will investigate how we can stand up Web Application Firewall (WAF) services via Terraform.
Using Web Application Firewall to Protect Your Azure Applications
A Web Application Firewall or WAF helps protect web applications by filtering and monitoring HTTP traffic between a client and a service. It typically protects applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.
In almost every design session the following question pops up: “What do I put in front of my web application to secure it?”
Azure, Microsoft’s cloud hosting platform, provides a number of options, including:
- Azure CDN
- Azure Traffic Manager
- Azure Application Gateway
- Azure Front Door
In this post, we will focus on Azure Application Gateway and Azure Front Door since they can be configured to act as a Web Application Firewall.
The Difference Between a Firewall and a Web Application Firewall
Firewalls operate at layer 4 of the OSI model (the transport layer) and make processing decisions based on network addresses, ports, or protocols. This protects data transfer and network traffic, but not the application.
A Web Application Firewall protects web applications by not only operating at layer 4 but also by targeting Hypertext Transfer Protocol (HTTP/HTTPS) traffic, taking advantage of working at layer 7 (which is the application level).
As we noted in the introduction, a WAF therefore protects your web apps from malicious attacks and common web vulnerabilities, such as cookie manipulation, SQL injection, and cross-site scripting.
Choosing Azure Application Gateway or Azure Front Door as a Web Application Firewall
Azure Application Gateway and Azure Front Door have some overlapping functionality, as both services can be used to terminate HTTP/HTTPS traffic and load balance across backend servers.
The main difference between Application Gateway and Front Door is that Front Door is a global service whereas Application Gateway is a regional service. This means that Azure Front Door gives you the ability to define, manage and monitor the global routing for your web traffic (across regions) while Azure Application Gateway works in just one region.
Using the Azure Application Gateway, if the infrastructure is set up in the USA, a user from Japan would have their traffic go over the public Internet to the data center in the USA.
Azure Front Door is a global service using software-defined networking. The SSL certificate and configuration are stored centrally and deployed to Microsoft’s edge locations around the world.
In this case, the user from Japan connects to their local Microsoft edge location in Japan and the traffic then goes across the Microsoft backbone network to the backend resources with optional caching of static content at the edge – so it should be a much faster user experience.
It is also possible to combine both services – you can use Azure Front Door for global load balancing, and Application Gateway at the regional level.
Web Application Firewall has 2 operating modes:
- Detection mode: Use this mode for reviewing, understanding, and learning from network traffic, which includes identifying false positives. It monitors and logs all threat alerts. Make sure that Diagnostics and WAF logs are selected and turned on. Note that the WAF does not block incoming requests when it’s operating in Detection mode.
- Prevention mode: Blocks intrusions and attacks defined by the rules. An attacker receives a “403 unauthorized access” exception, and the connection is closed. Prevention mode records such attacks in the WAF logs.
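The two modes and the logging requirement described above, expressed in Terraform with the azurerm provider. This is an added example, not code from the Modus Create proof of concept; the resource names, variables and the choice of the OWASP 3.2 rule set are assumptions, and it expects an existing Application Gateway and Log Analytics workspace.

```hcl
# Added example; every name, variable and default here is an assumption.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "application_gateway_id" { type = string }     # existing WAF_v2 gateway
variable "log_analytics_workspace_id" { type = string } # destination for WAF logs

variable "waf_mode" {
  type        = string
  default     = "Detection" # start here, review logs, then move to Prevention
  description = "WAF operating mode"

  validation {
    condition     = contains(["Detection", "Prevention"], var.waf_mode)
    error_message = "waf_mode must be \"Detection\" or \"Prevention\"."
  }
}

resource "azurerm_web_application_firewall_policy" "this" {
  name                = "example-waf-policy"
  resource_group_name = var.resource_group_name
  location            = var.location

  policy_settings {
    enabled            = true
    mode               = var.waf_mode
    request_body_check = true
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
}

# Detection mode only logs, so the firewall log category must be shipped somewhere.
resource "azurerm_monitor_diagnostic_setting" "waf_logs" {
  name                       = "appgw-waf-logs"
  target_resource_id         = var.application_gateway_id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  enabled_log {
    category = "ApplicationGatewayFirewallLog"
  }
}

# Attach the policy by setting firewall_policy_id on the azurerm_application_gateway resource.
output "waf_policy_id" {
  value = azurerm_web_application_firewall_policy.this.id
}
```

Apply with the default first, review the firewall log for false positives, then re-apply with `-var="waf_mode=Prevention"` once the rule set is tuned.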
Here at Modus Create, we built a Proof of Concept to demonstrate how to deploy Azure Application Gateway and Web Application Firewall using Infrastructure as Code (Terraform).
Example configuration of WAF services
You can check it out on the Modus Create GitHub:
However, to experiment with this proof of concept you will need:
- An Azure Account
- Linux or Windows OS
- Azure CLI
- HashiCorp Terraform
All organizations are exposed to a variety of malicious traffic. No matter who you are, whether a startup or a small, medium, or large enterprise, the Web Application Firewall should be a top priority.
With strong Layer 7 defenses, detection, and mitigation techniques for Azure users, Azure WAF can protect your application even from the most sophisticated threats before they reach your servers.
No matter what stage of your Cloud security journey you are at, Modus DevSecOps, AppSec, and cybersecurity experts are here for you. Learn more about how our teams can help drive outcomes for your customers while remediating risks and reducing your threat surface and get in contact with a team member here: https://moduscreate.com/services/security/