Thursday 11 July 2024

What is Azure Web Application Firewall on Azure Application Gateway


What is Azure Web Application Firewall on Azure Application Gateway?

The Azure Web Application Firewall (WAF) on Azure Application Gateway actively safeguards your web applications against common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit well-known vulnerabilities such as SQL injection and cross-site scripting.

WAF on Application Gateway is based on the Core Rule Set (CRS) from the Open Web Application Security Project (OWASP).

All of the following WAF features exist inside a WAF policy. You can create multiple policies, and each can be associated with an entire Application Gateway, with individual listeners, or with path-based routing rules on an Application Gateway. This way, you can have a separate policy for each site behind your Application Gateway if needed. For more information on WAF policies, see Create a WAF Policy.


Application Gateway WAF diagram

Application Gateway operates as an application delivery controller (ADC). It offers Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), termination, cookie-based session affinity, round-robin load distribution, content-based routing, ability to host multiple websites, and security enhancements.

Application Gateway enhances security through TLS policy management and end-to-end TLS support. Integrating WAF into Application Gateway further strengthens application security. This combination actively defends your web applications against common vulnerabilities and offers a centrally manageable, easy-to-configure location.

Benefits

This section describes the core benefits that WAF on Application Gateway provides.

Protection

  • Protect your web applications from web vulnerabilities and attacks without modification to back-end code.

  • Protect multiple web applications at the same time. An instance of Application Gateway can host up to 40 websites that are protected by a web application firewall.

  • Create custom WAF policies for different sites behind the same WAF.

  • Protect your web applications from malicious bots with the IP Reputation ruleset.

  • Protect your application against DDoS attacks. For more information, see Application DDoS Protection.

Monitoring

  • Monitor attacks against your web applications by using a real-time WAF log. The log is integrated with Azure Monitor to track WAF alerts and easily monitor trends.

  • The Application Gateway WAF is integrated with Microsoft Defender for Cloud. Defender for Cloud provides a central view of the security state of all your Azure, hybrid, and multicloud resources.

Customization

  • Customize WAF rules and rule groups to suit your application requirements and eliminate false positives.

  • Associate a WAF Policy with each site behind your WAF to allow for site-specific configuration.

  • Create custom rules to suit the needs of your application.

Features

  • SQL injection protection.
  • Cross-site scripting protection.
  • Protection against other common web attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion.
  • Protection against HTTP protocol violations.
  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers.
  • Protection against crawlers and scanners.
  • Detection of common application misconfigurations (for example, Apache and IIS).
  • Configurable request size limits with lower and upper bounds.
  • Exclusion lists let you omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication or password fields.
  • Create custom rules to suit the specific needs of your applications.
  • Geo-filter traffic to allow or block certain countries/regions from gaining access to your applications.
  • Protect your applications from bots with the bot mitigation ruleset.
  • Inspect JSON and XML in the request body.

WAF policy and rules

To enable a Web Application Firewall on Application Gateway, you must create a WAF policy. This policy is where all of the managed rules, custom rules, exclusions, and other customizations such as file upload limit exist.

You can configure a WAF policy and associate that policy to one or more application gateways for protection. A WAF policy consists of two types of security rules:

  • Custom rules that you create

  • Managed rule sets, which are Azure-managed collections of preconfigured rules

When both are present, custom rules are processed before the rules in a managed rule set. A rule is made of a match condition, a priority, and an action. The supported action types are ALLOW, BLOCK, and LOG. You can create a fully customized policy that meets your specific application protection requirements by combining managed and custom rules.

Rules within a policy are processed in priority order. Priority is a unique integer that defines the order in which rules are processed. A smaller integer value denotes a higher priority, and those rules are evaluated before rules with a higher integer value. Once a rule is matched, the action defined in that rule is applied to the request. Once such a match is processed, rules with lower priorities aren't processed further.

A web application delivered by Application Gateway can have a WAF policy associated to it at the global level, at a per-site level, or at a per-URI level.

Core rule sets

Application Gateway supports multiple rule sets, including CRS 3.2, CRS 3.1, and CRS 3.0. These rules protect your web applications from malicious activity.

For more information, see Web application firewall CRS rule groups and rules.

Custom rules

Application Gateway also supports custom rules. With custom rules, you can create your own rules, which are evaluated for each request that passes through WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. If a set of conditions is met, an action is taken to allow or block.

The geomatch operator is now available for custom rules. See geomatch custom rules for more information.

For more information on custom rules, see Custom Rules for Application Gateway.

Bot protection rule set

You can enable a managed bot protection rule set to take custom actions on requests from all bot categories.

Three bot categories are supported:

  • Bad

    Bad bots include bots from malicious IP addresses and bots that falsify their identities. Bad bots with malicious IPs are sourced from the Microsoft Threat Intelligence feed’s high confidence IP Indicators of Compromise.

  • Good

    Good bots include validated search engines such as Googlebot, bingbot, and other trusted user agents.

  • Unknown

    Unknown bots are classified via published user agents without more validation. For example, market analyzer, feed fetchers, and data collection agents. Unknown bots also include malicious IP addresses that are sourced from Microsoft Threat Intelligence feed’s medium confidence IP Indicators of Compromise.

The WAF platform actively manages and dynamically updates bot signatures.

Screenshot of bot rule set.

You can assign Microsoft_BotManagerRuleSet_1.0 by using the Assign option under Managed Rulesets:

Screenshot of Assign managed rule sets.

When Bot protection is enabled, it blocks, allows, or logs incoming requests that match bot rules based on the action you've configured. It blocks malicious bots, allows verified search engine crawlers, blocks unknown search engine crawlers, and logs unknown bots by default. You have the option to set custom actions to block, allow, or log different types of bots.

You can access WAF logs from a storage account, event hub, log analytics, or send logs to a partner solution.

WAF modes

The Application Gateway WAF can be configured to run in the following two modes:

  • Detection mode: Monitors and logs all threat alerts. You turn on logging diagnostics for Application Gateway in the Diagnostics section. You must also make sure that the WAF log is selected and turned on. Web application firewall doesn't block incoming requests when it's operating in Detection mode.
  • Prevention mode: Blocks intrusions and attacks that the rules detect. The attacker receives a "403 unauthorized access" exception, and the connection is closed. Prevention mode records such attacks in the WAF logs.

WAF engines

The Azure web application firewall (WAF) engine is the component that inspects traffic and determines whether a request includes a signature that represents a potential attack. When you use CRS 3.2 or later, your WAF runs the new WAF engine, which gives you higher performance and an improved set of features. When you use earlier versions of the CRS, your WAF runs on an older engine. New features are only available on the new Azure WAF engine.

WAF actions

You can choose which action is run when a request matches a rule condition. The following actions are supported:

  • Allow: Request passes through the WAF and is forwarded to back-end. No further lower priority rules can block this request. Allow actions are only applicable to the Bot Manager ruleset, and aren't applicable to the Core Rule Set.
  • Block: The request is blocked and WAF sends a response to the client without forwarding the request to the back-end.
  • Log: Request is logged in the WAF logs and WAF continues evaluating lower priority rules.
  • Anomaly score: This is the default action for CRS ruleset where total anomaly score is incremented when a rule with this action is matched. Anomaly scoring isn't applicable for the Bot Manager ruleset.

Anomaly Scoring mode

OWASP has two modes for deciding whether to block traffic: Traditional mode and Anomaly Scoring mode.

In Traditional mode, traffic that matches any rule is considered independently of any other rule matches. This mode is easy to understand. But the lack of information about how many rules match a specific request is a limitation. So, Anomaly Scoring mode was introduced. It's the default for OWASP 3.x.

In Anomaly Scoring mode, traffic that matches any rule isn't immediately blocked when the firewall is in Prevention mode. Rules have a certain severity: Critical, Error, Warning, or Notice. That severity affects a numeric value for the request, which is called the Anomaly Score. For example, one Warning rule match contributes 3 to the score. One Critical rule match contributes 5.

  Severity   Value
  Critical   5
  Error      4
  Warning    3
  Notice     2

There's a threshold of 5 for the Anomaly Score to block traffic. So, a single Critical rule match is enough for the Application Gateway WAF to block a request, even in Prevention mode. But one Warning rule match only increases the Anomaly Score by 3, which isn't enough by itself to block the traffic.
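The following is an added example, not Azure's own engine or any code from the original page: a small Python model of the evaluation order described above (custom rules first in priority order, then managed rules scored against the severity table and the threshold of 5, with Detection mode never blocking). The sample policy, rule names and request values are constructed; the managed rules are simplified stand-ins for CRS checks.

```python
from dataclasses import dataclass, field
from typing import Callable

# Severity values from the Anomaly Score table; a request is blocked at 5.
SEVERITY_VALUE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
ANOMALY_THRESHOLD = 5


@dataclass
class Request:
    client_ip: str
    country: str                 # what the geomatch operator would resolve
    uri: str
    headers: dict = field(default_factory=dict)


@dataclass
class CustomRule:
    name: str
    priority: int                # smaller integer is evaluated first
    matches: Callable[[Request], bool]
    action: str                  # "Allow", "Block" or "Log"


@dataclass
class ManagedRule:
    rule_id: str
    severity: str                # key of SEVERITY_VALUE
    matches: Callable[[Request], bool]


def evaluate(req, custom_rules, managed_rules, mode="Prevention"):
    """Return (decision, anomaly_score, log) for one request.

    Custom rules run first in priority order: Allow or Block ends evaluation,
    Log records the match and continues. Managed rules then add their severity
    value to the anomaly score. In Detection mode nothing is blocked.
    """
    log, would_block, score = [], False, 0
    for rule in sorted(custom_rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        log.append((rule.name, rule.action))
        if rule.action == "Allow":
            return "Allowed", 0, log       # skips the managed rule set
        if rule.action == "Block":
            would_block = True
            break
    if not would_block:
        for rule in managed_rules:
            if rule.matches(req):
                score += SEVERITY_VALUE[rule.severity]
                log.append((rule.rule_id, rule.severity))
        would_block = score >= ANOMALY_THRESHOLD
    if would_block and mode == "Prevention":
        return "Blocked", score, log
    if would_block:
        log.append(("policy", "Detected"))  # Detection mode: log only
    return "Allowed", score, log


# Constructed sample policy. The managed rules are simplified stand-ins for
# CRS checks (SQL injection in the URI, missing User-Agent, missing Accept).
SAMPLE_CUSTOM_RULES = [
    CustomRule("LogAdminPath", 10, lambda r: r.uri.startswith("/admin"), "Log"),
    CustomRule("BlockOutsideGB", 100, lambda r: r.country != "GB", "Block"),
]
SAMPLE_MANAGED_RULES = [
    ManagedRule("942100", "Critical", lambda r: "' or 1=1" in r.uri.lower()),
    ManagedRule("920320", "Notice", lambda r: "User-Agent" not in r.headers),
    ManagedRule("920300", "Notice", lambda r: "Accept" not in r.headers),
]
```

Run the same request through `evaluate` with `mode="Detection"` and `mode="Prevention"` to see the difference the WAF mode makes to the decision while the logged matches stay identical.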

Configuration

You can configure and deploy all WAF policies using the Azure portal, REST APIs, Azure Resource Manager templates, and Azure PowerShell. You can also configure and manage Azure WAF policies at scale using Firewall Manager integration (preview). For more information, see Use Azure Firewall Manager to manage Web Application Firewall policies (preview).

WAF monitoring

It's important to monitor the health of your application gateway. You can support this by integrating your WAF and the applications it protects with Microsoft Defender for Cloud, Azure Monitor, and Azure Monitor logs.

Diagram of Application Gateway WAF diagnostics

Azure Monitor

Application Gateway logs are integrated with Azure Monitor. This allows you to track diagnostic information, including WAF alerts and logs. You can access this capability on the Diagnostics tab in the Application Gateway resource in the portal or directly through Azure Monitor. To learn more about enabling logs, see Application Gateway diagnostics.

Microsoft Defender for Cloud

Defender for Cloud helps you prevent, detect, and respond to threats. It provides increased visibility into and control over the security of your Azure resources. Application Gateway is integrated with Defender for Cloud. Defender for Cloud scans your environment to detect unprotected web applications. It can recommend Application Gateway WAF to protect these vulnerable resources. You create the firewalls directly from Defender for Cloud. These WAF instances are integrated with Defender for Cloud. They send alerts and health information to Defender for Cloud for reporting.

Defender for Cloud overview window

Microsoft Sentinel

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

With the built-in Azure WAF firewall events workbook, you can get an overview of the security events on your WAF. This includes events, matched and blocked rules, and everything else that gets logged in the firewall logs. More information on logging follows.

Azure WAF firewall events workbook

Azure Monitor Workbook for WAF

This workbook enables custom visualization of security-relevant WAF events across several filterable panels. It works with all WAF types, including Application Gateway, Front Door, and CDN, and can be filtered based on WAF type or a specific WAF instance. Import via ARM Template or Gallery Template. To deploy this workbook, see WAF Workbook.

Logging

Application Gateway WAF provides detailed reporting on each threat that it detects. Logging is integrated with Azure Diagnostics logs. Alerts are recorded in JSON format. These logs can be integrated with Azure Monitor logs.

Application Gateway diagnostics logs windows
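As an added example (not Azure tooling or code from the original page), the script below parses JSON diagnostic records and summarises firewall activity by action, matched rule ID and blocked client IP, which is the view you need when tuning rules or building exclusions. The records are constructed to follow the shape of ApplicationGatewayFirewallLog entries; the resource ID is a placeholder and the field names are assumed from that log category.

```python
import json
from collections import Counter, defaultdict

# Placeholder resource ID; a real one names your subscription and gateway.
RESOURCE_ID = ("/SUBSCRIPTIONS/<subscription-id>/RESOURCEGROUPS/ARTICLE-APPGW/"
               "PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/ARTICLE-APPGW")


def _record(category, operation, props):
    """One constructed diagnostic record, serialised as a JSON line."""
    return json.dumps({"resourceId": RESOURCE_ID, "operationName": operation,
                       "category": category, "properties": props})


def _fw(client_ip, uri, rule_id, action, message, tx):
    """Constructed record following the ApplicationGatewayFirewallLog shape."""
    return _record("ApplicationGatewayFirewallLog", "ApplicationGatewayFirewall", {
        "clientIp": client_ip, "requestUri": uri, "ruleSetType": "OWASP",
        "ruleSetVersion": "3.2", "ruleId": rule_id, "action": action,
        "message": message, "transactionId": tx, "policyScope": "Global"})


# Constructed sample: transaction tx-1 trips a Critical rule and is blocked
# (Prevention mode), tx-2 only accumulates two Notice matches, and an
# access-log line shows that other categories are skipped.
SAMPLE_LINES = [
    _fw("198.51.100.23", "/search?q=%27+OR+1%3D1--", "942100", "Matched",
        "SQL Injection Attack Detected via libinjection", "tx-1"),
    _fw("198.51.100.23", "/search?q=%27+OR+1%3D1--", "949110", "Blocked",
        "Inbound Anomaly Score Exceeded (Total Score: 5)", "tx-1"),
    _fw("203.0.113.9", "/api/items", "920320", "Matched",
        "Missing User Agent Header", "tx-2"),
    _fw("203.0.113.9", "/api/items", "920300", "Matched",
        "Request Missing an Accept Header", "tx-2"),
    _record("ApplicationGatewayAccessLog", "ApplicationGatewayAccess",
            {"clientIP": "203.0.113.9", "requestUri": "/api/items", "httpStatus": 200}),
]


def summarize(lines):
    """Parse JSON log lines and summarise firewall activity.

    Returns counts per action, per matched rule ID (the first thing to look at
    when tuning false positives or building exclusions), blocked client IPs,
    and the rule IDs matched within each transaction.
    """
    by_action, by_rule, blocked_ips = Counter(), Counter(), Counter()
    tx_rules = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue                    # access and performance logs differ in shape
        p = rec["properties"]
        by_action[p["action"]] += 1
        if p["action"] == "Matched":
            by_rule[p["ruleId"]] += 1
            tx_rules[p["transactionId"]].append(p["ruleId"])
        elif p["action"] == "Blocked":
            blocked_ips[p["clientIp"]] += 1
    return {"by_action": dict(by_action), "by_rule": dict(by_rule),
            "blocked_ips": dict(blocked_ips), "transactions": dict(tx_rules)}
```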

How to Configure Azure Application Gateway and WAF v2

Introduction

Azure Application Gateway, functioning at layer 7, is essential for efficiently managing web traffic to your applications. This article delves into the concept and configuration of an Application Gateway, covering essential features like load balancing, SSL termination, and web application firewall (WAF) capabilities. By optimizing performance, enhancing security, and ensuring seamless access to your applications, we'll explore the robust capabilities of the Application Gateway.

Prerequisites

  1. An Azure subscription. If you don’t have one, you can create one via this link: Azure Free Account
  2. Azure VM or Web App Service (IIS or Web page)
  3. Additional Subnet for Application Gateway

Step 1. Sign in to the Azure portal.

Microsoft Azure

Step 2. Go to the Marketplace, search for Application Gateway, and click Create.

Application Gateway

Step 3. In the Basics tab, select your resource group and provide a name for the application gateway. In my case I will use article-AppGW.

  • Resource Group: Article-AppGW
  • Region: I will select North Europe; you can choose your nearest location.
  • Tier: I will choose WAF v2.

Create application gateway

Step 4. Kindly follow my steps for this demo, as I have configured it to avoid any conflicts.

  • Enable autoscaling: No
  • Instance count: 1
  • Availability Zone: 1,2,3 (If you want, you can choose 1)
  • HTTP2: Disabled
  • IP Address type: IPV4

Configure Virtual Network

In terms of network, I will choose my virtual network and my app gateway subnet (App-GwSubnet) instead of my VM subnet.

Then click on Frontend IP>

Configure Virtual Network

Step 5. In the Frontend tab, click Add new and type a name for the public IP (in my case, AppGw-PiP). Then click Next: Backend.

Step 6. In the Backend tab, click Add backend pool and provide a pool name (AppVM_Pool).

  1. Target type: Virtual machine
  2. Target: VM nic (article-vm52910.0.0.4)

Click on the Add button.

Click Add Backend Pool then Provide some Pool name (AppVM_Pool)

Step 7. Now Frontend and Backend are successfully configured.

Now Frontend and Backend

Step 8. Now I'm going to configure a very important area, which is routing rules.

Add a routing rule with the following specifications:

  • Rule name: RuleA
  • Priority: 100
  • Listener name: ListenerA
  • Frontend IP: Public IPv4
  • Protocol: HTTP
  • Port: 80

Please note that if you want to select HTTPS, you must have an SSL certificate installed on your application. In my case, since this is a demo environment, I don’t need to use an SSL certificate.

Add a routing rule

Step 9. Move to the Backend targets.

  1. Add Backend targets: AppVM_Pool
  2. Add Backend Settings: HttpSettings
    Add routing rule

Step 10. If you have multiple paths in your application, you can utilize path-based routing. However, in my case, I don’t have multiple paths in my application. Click Next: Tags.

Path based rules

Step 11. Click Review and Create.

It might take 10-15 minutes for deployment.

Validation passed

Step 12. My application gateway has been deployed successfully.

My application gateway deployed

Web Application Firewall Configuration

Step 1. In the left-side pane of the Application Gateway Overview, navigate to Web Application Firewall.

It's important to note that by default, my WAF mode is set to Detection. This means that user traffic will be allowed to reach the application; if a threat is detected, it will only be logged and not prevented. For more details, refer to the Microsoft Docs here.

WAF Mode to set Detection

Step 2. Use Switch to prevention mode to change the WAF mode to Prevention.

Prevention Mode

Step 3. You can switch to Prevention mode to enable prevention actions.

Prevention action

Step 4. Managed Rule Sets offer OWASP-verified rulesets that you can enable depending on your application's behavior. In my scenario, I'll activate all rules to assess the behavior of my default HTML page.

In Web Application firewall > Managed rules > OWASP 3.2 > Expand > Select all > Enabled.

Use the Docs to tune your policies: Managed Rules

Testing and Validation of Application Gateway

Step 1. First, I will browse my application using the VM's public IP instead of the application gateway's IP for testing.

Testing and validation of application gateway

Step 2. It's working properly.

Demo

Step 3. Now I’m going to browse the application using the Application Gateway's IP address instead of the VM's public IP address.

Navigate to your Application Gateway overview, and copy the IP address.

Frontend publish IP Address

Step 4. Paste the IP address into your browser's address bar and press enter. As expected, my default HTML page is functioning properly via the Application Gateway's frontend IP.

App gateway

Understanding and Implementing Azure Application Gateway

What is Azure Application Gateway?

Azure Application Gateway is an advanced web traffic load balancer that operates at the OSI model’s application layer (layer 7). Unlike traditional load balancers that route traffic only based on IP addresses and ports, it can make routing decisions based on additional attributes of an HTTP request, such as URI path or host headers. This capability allows for more sophisticated traffic distribution mechanisms, essential for optimizing modern application deployments.

Application Gateway

Core Components of Application Gateway

The functionality of Azure Application Gateway hinges on several components:

  • Gateway: Acts as the entry point for all client requests.
  • Listeners: These are responsible for monitoring incoming traffic on specified ports and protocols.
  • Rules: Direct the traffic from the listener to appropriate backend pools based on predetermined conditions.
  • Backend Pools: Groups of servers that receive forwarded traffic.
  • Health Probes: Used to monitor the health of backend servers to ensure traffic is only routed to available servers.

Key Features and Configurations

  • SSL Termination

Azure Application Gateway supports SSL/TLS termination at the gateway, whereby it decrypts incoming SSL/TLS sessions from clients, relieving backend servers from decryption tasks. This offloads a significant CPU burden from the backend servers, thereby enhancing the overall throughput and performance of the application.

  • Autoscaling

One of the strongest features of Azure Application Gateway is its built-in autoscaling capability, which adjusts resources automatically based on traffic load. This ensures that the application remains responsive, regardless of traffic spikes, without any manual intervention.

  • Web Application Firewall (WAF)

The integrated WAF protects your applications from web vulnerabilities and attacks, adhering to a set of rules that cover the top 10 threats identified by the Open Web Application Security Project (OWASP). These include protection against SQL injection, cross-site scripting, and other prevalent security risks.

  • Custom Routing Rules

Application Gateway offers detailed routing rules configuration, such as:

  • URL Path-Based Routing: Distributes traffic to different backend pools based on URL paths.
  • Multi-site Hosting: Allows hosting of multiple websites behind a single instance.
  • Redirection Rules: Supports redirection within sites, which can be used for URL rewriting and other advanced routing needs.

  • Monitoring and Management

Azure Monitor and Log Analytics provide deep insights into Application Gateway performance and health metrics, enabling proactive management and tuning. Key performance indicators include throughput, healthy and unhealthy host count, response time, and more.

Real-World Use Cases for Application Gateway:

  • Modernizing Legacy Applications: Integrates seamlessly with existing on-premises or cloud-based backend infrastructure, facilitating a smooth migration to the cloud.
  • Microservices Architecture: Routes traffic to individual microservices based on specific paths or headers, supporting a modular application development approach.
  • API Management: Acts as a secure entry point for APIs, enforcing access control and routing requests to appropriate backend services.
  • Global Web Applications: Balances traffic across geographically distributed backend servers, ensuring optimal performance for users in different regions.

Step-by-Step Setup Guide

Creating an Application Gateway

You need to configure several tabs during creation. Before you start, create two VMs (VM1, VM2) with the IIS server installed on them. Now let's start creating the gateway.

  1. In the Azure portal’s navigation pane, select Create a resource. The New window appears.
  2. Select Networking and then select Application Gateway in the Featured list.
  3. On the Basics tab, enter these values for the following settings:
    • Resource group: Select myResourceGroupAG for the resource group. If it doesn’t exist, select Create new to create it.
    • Application gateway name: Enter myAppGateway for the name.
    • Region: Select the region in which you want to deploy the resource.
    • Tier: Select the StandardV2 tier.
      Azure application Gateway

    Leave the remaining options, up to and including HTTP2, at their default values.

  4. On the Frontends tab, verify Frontend IP address type is set to Public. Choose Create new for the Public IP address and enter myAGPublicIPAddress.
    Frontend IP
  5. On the Backends tab, select +Add a backend pool and enter a backend pool name.
    Routing protocols
  6. On the Configuration tab, you’ll connect the frontend and backend pool you created using a routing rule. Select Add a rule in the Routing rules.
  7. On the Backend targets tab, select myBackendPool for the Backend target.
    Backend target
  8. Next click on Review + Create.
  9. Once it is created, open the Application Gateway page and select Backend pools.
    Application Gateway
  10. Under Backend targets, Target type, select Virtual machine from the drop-down. Under Target, select the myVM and myVM2 virtual machines created at the start.
    Backend VM
  11. Once you have set the backend, test it by browsing to the URL shown on the Overview tab.