Let’s implement Azure Application Gateway with Web Application Firewall (WAF). Assuming the backend is an App Service, which is my case, the custom domain is added in the App Service with an SNI SSL binding. See Restricting App Service through Application Gateway.
The following naming convention is used as per Microsoft’s recommendations; you can always adapt it in whatever way you find clearer.
az – Denotes Azure
vp – Project Reference
uaen – UAE North
appgw – Application Gateway
- az-vp-np-uaen-appgw
- az-vp-np-uaen-appgw-be (Backend pool)
- az-vp-np-uaen-appgw-rule
- az-vp-np-uaen-appgw-listener
- az-vp-np-uaen-appgw-be-settings
- az-vp-np-uaen-appgw-hb (Health Probe)
- az-vp-np-uaen-appgw-ssl-profile
Let’s create an Application Gateway, using a dedicated subnet for the Application Gateway.
Associate a public IP from a public IP prefix.
Add a backend pool.
Add a routing rule, attaching the PFX certificate (ideally from Key Vault).
Choose the backend targets and use a well-known CA certificate for the backend settings.
Frontends, routing rules and backend pools are configured now.
Create the Application Gateway
Add a custom health probe, setting the Host header to the backend custom domain.
Now the site is up behind the Application Gateway, with the A record pointing to the Application Gateway. For better HA (high availability) you need Traffic Manager or Azure Front Door with CDN, depending on the scenario. Azure Front Door gives peace of mind, as the SSL certificate can be managed and renewed automatically.
Enable WAF v2 in Prevention mode.
The OWASP 3.0 rule set is used in this case.
Create an SSL profile with TLS 1.3.
Update the SSL profile on the listener (the one created above).
Now you can see the cipher suites are hardened.
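The portal steps above, carried through as an Azure CLI script. This is an added example, not the author's own script: the resource group, VNet, subnet prefix, public IP prefix, managed identity, Key Vault secret ID and hostnames are assumed placeholders, while the gateway, pool, rule, listener, settings, probe and SSL profile names follow the naming convention from the post. The Key Vault certificate is referenced through a user-assigned identity rather than uploaded as a local PFX, the backend settings send the custom domain as the Host header (the v2 SKU trusts well-known CA roots by default, so no trusted root certificate is uploaded), the WAF policy is created in Prevention mode with OWASP 3.0, and the listener gets the predefined `AppGwSslPolicy20220101S` policy, which is the predefined policy that enables TLS 1.3 cipher suites (with TLS 1.2 as the minimum). By default the script only prints the `az` commands; pass `--apply` to execute them.

```shell
#!/bin/sh
# Added example (not the post's own script): Azure CLI version of the walk-through.
# All values below marked "assumed" or "<...>" are placeholders for your environment.
RG="rg-az-vp-np-uaen"                        # assumed resource group
LOC="uaenorth"
VNET="az-vp-np-uaen-vnet"                    # assumed VNet
SUBNET="az-vp-np-uaen-appgw-snet"            # dedicated Application Gateway subnet (assumed)
PIP_PREFIX="az-vp-np-uaen-pip-prefix"        # assumed public IP prefix
PIP="az-vp-np-uaen-appgw-pip"                # assumed public IP name
GW="az-vp-np-uaen-appgw"                     # names from the post's naming convention
BE="$GW-be"; RULE="$GW-rule"; LISTENER="$GW-listener"
BE_SETTINGS="$GW-be-settings"; PROBE="$GW-hb"; SSL_PROFILE="$GW-ssl-profile"
WAF_POLICY="$GW-waf-policy"                  # assumed WAF policy name
SITE_HOST="www.example.com"                  # custom domain bound in the App Service (assumed)
APP_HOST="example-app.azurewebsites.net"     # App Service default hostname (assumed)
KV_SECRET_ID="https://<keyvault>.vault.azure.net/secrets/<cert-name>"   # placeholder
IDENTITY_ID="/subscriptions/<sub>/resourceGroups/$RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity>"  # placeholder

# DRY_RUN=1 (default) prints each az command instead of executing it.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

create_network() {
  # Dedicated subnet for the gateway and a static Standard public IP taken from the prefix.
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --address-prefixes 10.0.1.0/24
  run az network public-ip create -g "$RG" -n "$PIP" --sku Standard --allocation-method Static --public-ip-prefix "$PIP_PREFIX"
}

create_waf_policy() {
  # WAF policy with the OWASP 3.0 managed rule set, switched from Detection to Prevention.
  run az network application-gateway waf-policy create -g "$RG" -n "$WAF_POLICY" -l "$LOC" --type OWASP --version 3.0
  run az network application-gateway waf-policy policy-setting update -g "$RG" --policy-name "$WAF_POLICY" --state Enabled --mode Prevention
}

create_gateway() {
  # WAF_v2 SKU on the dedicated subnet; v2 rules require a priority. The default listener is HTTP on 80.
  run az network application-gateway create -g "$RG" -n "$GW" -l "$LOC" --sku WAF_v2 --capacity 2 \
    --vnet-name "$VNET" --subnet "$SUBNET" --public-ip-address "$PIP" --priority 200 --waf-policy "$WAF_POLICY"
  run az network application-gateway address-pool create -g "$RG" --gateway-name "$GW" -n "$BE" --servers "$APP_HOST"
}

create_https_frontend() {
  # Certificate pulled from Key Vault through a user-assigned identity, then an HTTPS listener on 443.
  run az network application-gateway identity assign -g "$RG" --gateway-name "$GW" --identity "$IDENTITY_ID"
  run az network application-gateway ssl-cert create -g "$RG" --gateway-name "$GW" -n "$GW-cert" --key-vault-secret-id "$KV_SECRET_ID"
  run az network application-gateway frontend-port create -g "$RG" --gateway-name "$GW" -n port443 --port 443
  run az network application-gateway http-listener create -g "$RG" --gateway-name "$GW" -n "$LISTENER" \
    --frontend-port port443 --frontend-ip appGatewayFrontendIP --ssl-cert "$GW-cert" --host-name "$SITE_HOST"
}

create_backend_settings() {
  # Custom probe and backend settings both send the custom domain as Host; v2 trusts well-known CAs by default.
  run az network application-gateway probe create -g "$RG" --gateway-name "$GW" -n "$PROBE" \
    --protocol Https --host "$SITE_HOST" --path / --interval 30 --timeout 30 --threshold 3
  run az network application-gateway http-settings create -g "$RG" --gateway-name "$GW" -n "$BE_SETTINGS" \
    --port 443 --protocol Https --host-name "$SITE_HOST" --probe "$PROBE"
  run az network application-gateway rule create -g "$RG" --gateway-name "$GW" -n "$RULE" --rule-type Basic \
    --priority 100 --http-listener "$LISTENER" --address-pool "$BE" --http-settings "$BE_SETTINGS"
}

harden_tls() {
  # SSL profile using the predefined TLS 1.3-capable policy, attached to the listener created above.
  run az network application-gateway ssl-profile add -g "$RG" --gateway-name "$GW" -n "$SSL_PROFILE" \
    --policy-type Predefined --policy-name AppGwSslPolicy20220101S
  run az network application-gateway http-listener update -g "$RG" --gateway-name "$GW" -n "$LISTENER" --ssl-profile "$SSL_PROFILE"
}

deploy_appgw() {
  create_network; create_waf_policy; create_gateway; create_https_frontend; create_backend_settings; harden_tls
}

case "${1:-}" in
  --apply) DRY_RUN=0 deploy_appgw ;;      # execute against the logged-in subscription
  --dry-run|"") deploy_appgw ;;           # print the commands only
esac
```

After applying, `az network application-gateway show -g "$RG" -n "$GW" --query "sslProfiles[].sslPolicy"` shows the predefined policy on the profile, and a TLS scanner against the public IP should no longer offer the weak suites the post's screenshot shows as removed. Remember the other half of the design from the linked article: the App Service should accept traffic only from the gateway, otherwise the WAF can be bypassed by hitting the `azurewebsites.net` hostname directly.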
good article
Good to have one, thanks Satheeshwaran as always!