Application Gateway Security
Azure Application Gateway provides a web application firewall (WAF) that helps protect your web applications from common web exploits and vulnerabilities. This page covers the security features and configurations available with Application Gateway.
Web Application Firewall (WAF)
The Application Gateway WAF protects web applications by inspecting incoming HTTP traffic. It helps protect against attacks such as:
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Path traversal
- Command injection
- Remote file inclusion
- Security misconfigurations
WAF Modes
Application Gateway WAF offers two modes:
- Detection mode: The WAF monitors traffic and logs malicious requests but does not block them. This is useful for testing WAF rules without impacting application availability.
- Prevention mode: The WAF monitors traffic, logs malicious requests, and blocks them. This is the recommended mode for production environments.
WAF Policies
You can create and manage WAF policies to define the rules and settings for your WAF. These policies can be associated with your Application Gateway listeners.
Key components of a WAF policy include:
- Managed Rule Sets: Predefined sets of rules developed by Microsoft or the Open Web Application Security Project (OWASP).
- Custom Rules: Rules that you define based on specific IP addresses, geographic locations, request headers, or other criteria.
- Exclusions: Patterns to exclude from WAF inspection to avoid false positives.
- Rate Limiting: Configure limits on the number of requests a client can make within a specific time frame.
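The following Bicep definition is an added example, not code from this page or from Microsoft's own samples. It combines the four components listed above in a single WAF policy: the OWASP 3.2 managed rule set, one narrowly scoped exclusion, a geo-based custom rule, and a rate-limit custom rule. The policy name, the excluded header name, the country codes, the login path and the threshold are assumed values; rate-limit rules need API version 2022-11-01 or later.

```bicep
// Added example (not from the page): WAF policy with managed rules,
// an exclusion, a geo-match custom rule and a rate-limit custom rule.
// Names, header, countries, path and thresholds are assumptions.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-09-01' = {
  name: 'MyWAFPolicy'           // assumed name
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'        // use 'Detection' while tuning rules
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
      // Exclusions remove a single value from inspection; keep them as
      // narrow as possible (one header, one operator) to avoid opening gaps.
      exclusions: [
        {
          matchVariable: 'RequestHeaderNames'
          selectorMatchOperator: 'Equals'
          selector: 'x-trace-id'  // assumed header that triggered false positives
        }
      ]
    }
    customRules: [
      {
        // Block clients whose source address geolocates outside the allowed list.
        name: 'BlockOutsideAllowedCountries'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RemoteAddr' } ]
            operator: 'GeoMatch'
            negationConditon: true     // schema property name is spelled this way
            matchValues: [ 'US', 'CA' ]  // assumed allow-list
          }
        ]
      }
      {
        // Limit each client address to 100 login requests per minute.
        name: 'RateLimitLogin'
        priority: 20
        ruleType: 'RateLimitRule'
        rateLimitDuration: 'OneMin'
        rateLimitThreshold: 100
        groupByUserSession: [
          { groupByVariables: [ { variableName: 'ClientAddr' } ] }
        ]
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RequestUri' } ]
            operator: 'BeginsWith'
            negationConditon: false
            matchValues: [ '/api/login' ]  // assumed path
          }
        ]
      }
    ]
  }
}

output wafPolicyId string = wafPolicy.id
```

Custom rules are evaluated in ascending priority order before the managed rule set, so the geo rule runs first and the rate limit second. Deploy with the policy in Detection mode first and check the firewall log for the exclusion's effect before switching the mode to Prevention.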
Configuring WAF
You can configure WAF settings through the Azure portal, Azure CLI, PowerShell, or ARM templates.
Example: Enabling WAF in Prevention Mode (Azure CLI)
# Create the WAF policy with the OWASP 3.2 managed rule set.
# A new policy starts in Detection mode.
az network application-gateway waf-policy create \
  --name MyWAFPolicy \
  --resource-group MyResourceGroup \
  --type OWASP \
  --version 3.2
# Enable the policy and switch it to Prevention mode.
az network application-gateway waf-policy policy-setting update \
  --policy-name MyWAFPolicy \
  --resource-group MyResourceGroup \
  --state Enabled \
  --mode Prevention
# Create a WAF_v2 gateway and associate the policy (the SKU must be WAF_v2;
# virtual network, subnet and public IP parameters are omitted here).
az network application-gateway create \
  --name MyAppGateway \
  --resource-group MyResourceGroup \
  --sku WAF_v2 \
  --priority 100 \
  --waf-policy /subscriptions/.../resourceGroups/MyResourceGroup/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/MyWAFPolicy
TLS/SSL Termination
Application Gateway can terminate TLS/SSL connections, decrypting incoming traffic before it reaches your backend servers. This offloads the TLS/SSL processing from your applications and allows for centralized certificate management.
- End-to-end TLS: For enhanced security, you can configure Application Gateway to re-encrypt traffic before sending it to backend servers, ensuring that traffic remains encrypted throughout its journey.
- Certificate Management: Upload and manage your SSL certificates directly on Application Gateway.
Network Security Groups (NSGs)
While Application Gateway provides application-level security, NSGs control network traffic flow to and from the Application Gateway subnet. Configure the NSG to allow traffic on only the ports your listeners use (e.g., 80, 443) toward the Application Gateway's private IP address, and restrict inbound access from unauthorized sources.
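The following Bicep definition is an added example, not code from this page or from Microsoft's own samples, of an NSG for the Application Gateway subnet. It allows client traffic on ports 80 and 443 and denies all other inbound traffic. Two further rules are included because the v2 SKU requires them: inbound TCP 65200-65535 from the GatewayManager service tag for platform health probes, and inbound traffic from the AzureLoadBalancer service tag. The NSG name, rule names and priorities are assumed values.

```bicep
// Added example (not from the page): NSG for the Application Gateway subnet.
// Attach it through the subnet's networkSecurityGroup property.
param location string = resourceGroup().location

resource appGwNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-appgw-subnet'   // assumed name
  location: location
  properties: {
    securityRules: [
      {
        // Required for the v2 SKU: Azure infrastructure health probes.
        name: 'AllowGatewayManagerInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '65200-65535'
        }
      }
      {
        // Required: Azure load balancer probes to the gateway instances.
        name: 'AllowAzureLoadBalancerInbound'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Client traffic to the listeners. Narrow the source prefix to your
        // own ranges if the gateway is not meant to be internet-facing.
        name: 'AllowHttpHttpsInbound'
        properties: {
          priority: 120
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '80', '443' ]
        }
      }
      {
        // Explicit deny so that nothing else reaches the subnet.
        name: 'DenyAllOtherInbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

output nsgId string = appGwNsg.id
```

Outbound rules are left at the NSG defaults; the v2 SKU needs outbound internet access to Azure management endpoints, so do not add an outbound deny-all without an explicit allow for that traffic.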
Private Link Support
For enhanced network isolation, Application Gateway supports Azure Private Link. This allows you to access Application Gateway privately from your virtual networks without exposing it to the public internet.
Important Note:
Always keep your WAF rules and rule sets updated to protect against the latest threats. Regularly review WAF logs for any suspicious activity.
Tip:
Consider enabling both managed and custom WAF rules to achieve a comprehensive security posture tailored to your application's specific needs.