Last Update: Sep 04, 2024 | Published: Oct 10, 2016
This post describes a new network security feature for web applications, the Web Application Firewall, which was launched in preview at Microsoft Ignite 2016.
You can run a pretty complex web hosting service in Azure. Load balancing (for multi-region scale-out and failover) can be done at the DNS level using Traffic Manager, layer 4 load balancing can be done within a virtual network (VNet) using the ARM load balancer, and a year ago Microsoft added layer 7 functionality with the Application Gateway.
You can place the Application Gateway behind the Azure load balancer and in front of sets of web servers to get the following functionality:
Microsoft announced a preview of a new feature for the Application Gateway, the Web Application Firewall, an additional SKU that we will have to pay for after general availability (GA) if we choose to deploy it.
There have been two ways to implement security for web applications in Azure:
And now, in preview, we can add Web Application Firewall (WAF) functionality to the Application Gateway. This provides you with a Microsoft-managed, centrally run security solution that can integrate with Azure Security Center and operates at layer 7, meaning that it can perform application-layer inspection of HTTP traffic. This is the sort of security that protects you against modern threats such as SQL injection attacks.
A benefit of Microsoft's approach, adding the WAF to the Application Gateway, is that many websites can be protected by one security instance, and you do not need to modify your applications.
At this time, the WAF does not allow user-defined rules — this is something Microsoft intends to add at a later point. The WAF is currently pre-configured with ModSecurity (is that more open source love from Microsoft?) and the OWASP Core Rule Set, described as:
… an easily “pluggable” set of generic attack detection rules that provide a base level of protection for any web application
Some of the vulnerabilities that WAF currently protects you against are:
Microsoft allows you to operate WAF in two different modes:
WAF looks like a nice new way to implement security for web applications that are hosted in Azure. I don’t think anyone will rely solely on WAF until they can create their own rule sets, but WAF with network security groups (NSGs) could offer quite a security solution at the L4 and L7 layers.