How to Use Azure Front Door’s Web Application Firewall (WAF) to Protect Your Web Apps

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Looking to develop a highly secure and high-performing web application? Harness the power of Azure Front Door and its Web Application Firewall (WAF) feature. In this article, we'll explore how Azure Front Door and WAF work together to safeguard your web apps from common threats and vulnerabilities.


What is Azure Front Door?


Azure Front Door is a robust and scalable application delivery network that ensures fast and reliable access to your web services. It acts as a gateway, providing numerous benefits to enhance your web application's performance. For detailed information, check out the comprehensive Azure documentation.


What is the Web Application Firewall (WAF) on Azure Front Door?


The Azure WAF integrates with Azure Front Door to provide centralized protection for your web applications. It monitors and filters incoming requests using a set of rules you define. These rules allow or block requests based on criteria such as IP address, HTTP header, query string, or request body. In addition, Azure WAF ships with managed rules that detect and block common attacks such as SQL injection, cross-site scripting (XSS), known CVE exploits, and the OWASP Top 10 threat categories.


How do Azure Front Door and WAF work in conjunction?


To use Azure WAF, you need to create a WAF policy and associate it with one or more Front Door front-ends. A WAF policy consists of two types of rules: custom rules and managed rule sets.

  • Custom rules are rules that you create yourself to meet your specific application security requirements.
  • Managed rule sets are collections of pre-configured rules that are maintained by Azure and updated regularly to cover new attack signatures. You can choose from several rule sets covering common threats (SQL injection, XSS, known CVE exploits, the OWASP Top 10) as well as rules for the Azure CDN rules engine.


The Azure-managed Default Rule Set (DRS) includes rules against the following threat categories:


  1. Cross-site scripting
  2. Java attacks
  3. Local file inclusion
  4. PHP injection attacks
  5. Remote command execution
  6. Remote file inclusion
  7. Session fixation
  8. SQL injection
  9. Protocol attackers


Custom rules can further be categorized into two types: match rules and rate limit rules.

A match rule grants you control over access to your web application based on conditions you define. For example, you can create a match rule to block requests containing specific keywords or patterns in the query string or request body. On the other hand, a rate limit rule restricts the number of requests from a particular IP address or a group of IP addresses within a specified time frame. This capability enables you to prevent denial-of-service attacks by limiting the number of requests per second from a single IP address.


What is the execution priority of rule sets?

When both types of rules are present, custom rules are processed before managed rule sets. Each rule comprises a match condition, a priority number, and an action.

The action can be one of four types: ALLOW, BLOCK, LOG, or REDIRECT.


- ALLOW: The request is allowed to pass through.

- BLOCK: The request is blocked, and a response code is returned.

- LOG: The request is logged without any further action.

- REDIRECT: The request is redirected to a specified URL.


By combining managed and custom rules, you can create a fully customized policy that aligns precisely with your application's protection requirements. Rules within a policy are processed in priority order, with smaller integer values denoting higher priority. Once a rule is matched, the action defined in that rule is applied to the request, and rules with larger priority numbers (that is, lower priority) are not evaluated further.


A web application delivered through Azure Front Door can have only one associated WAF policy at a time. However, you can have an Azure Front Door configuration without any associated WAF policies. If a WAF policy is present, it is replicated across all edge locations to ensure consistent security policies worldwide.


What are the two modes in which a WAF policy can be configured?


A WAF policy can be configured to operate in one of two modes:


- Detection mode: In this mode, the WAF only monitors and logs requests along with their matched WAF rules to the WAF logs. No other actions are taken.

- Prevention mode: In this mode, the WAF takes actions based on the action types defined in each rule.


What are the granularity settings for a WAF policy?


By default, a WAF policy applies to all domains associated with a Front Door profile. However, you can customize the policy to target specific domains or URL paths within a domain.


What are some additional features of WAF on Azure Front Door?


In addition to custom rules and managed rule sets, Azure WAF offers several additional features:


  • Exclusion Lists: Exclude specific request attributes from WAF evaluation, ensuring smooth processing of the remaining request.
  • Geo-filtering: Block or allow requests based on the geographical location of the source IP address, enabling access restrictions to specific countries or regions.
  • Bot Protection: Detect and block malicious bots using Microsoft Threat Intelligence data and machine learning models, safeguarding your web app from abuse.
  • IP Restriction: Allow or block requests based on the source IP address or a range of IP addresses, giving you control over who can access your application.
  • Rate Limiting: Throttle the number of requests per unit time, preventing excessive requests and mitigating denial-of-service attacks.
  • Tuning: Fine-tune WAF rules by adjusting parameters to reduce false positives or negatives, ensuring optimal accuracy and effectiveness.
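To show how the pieces described above (a rate limit custom rule, rule priority and actions, Prevention mode, the managed DRS and an exclusion list) fit into a single WAF policy, here is an added Bicep example; it is not code from the original post or from Microsoft. The policy name, the Premium SKU, the API version, the rate limit threshold, the sample path and the excluded form field name are all assumptions chosen for illustration.

```bicep
// Added example (not from the original post): one Front Door WAF policy that
// combines a rate limit custom rule with the Azure-managed DRS and an exclusion.
// Assumed values: policy name, Premium SKU (managed rule sets require it),
// API version, threshold, sample path and the excluded field name.
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'examplewafpolicy'
  location: 'Global'
  sku: { name: 'Premium_AzureFrontDoor' }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'                 // 'Detection' only logs matches, no action is taken
      requestBodyCheck: 'Enabled'        // let rules inspect the request body too
      customBlockResponseStatusCode: 403 // status code returned for Block actions
    }
    customRules: {
      rules: [
        {
          // Rate limit rule: smallest priority number, so it is evaluated before
          // any other custom rule and before every managed rule.
          name: 'RateLimitLogin'
          priority: 10
          enabledState: 'Enabled'
          ruleType: 'RateLimitRule'
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 100        // requests per client IP per window
          matchConditions: [
            { matchVariable: 'RequestUri', operator: 'Contains', negateCondition: false, matchValue: [ '/api/login' ], transforms: [ 'Lowercase' ] }
          ]
          action: 'Block'                // Allow, Block, Log or Redirect
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          // Azure-managed Default Rule Set, evaluated only after the custom rules.
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
          exclusions: [
            // Exclusion list: skip scanning one POST field that legitimately carries markup.
            { matchVariable: 'RequestBodyPostArgNames', selectorMatchOperator: 'Equals', selector: 'editorContent' }
          ]
        }
      ]
    }
  }
}
```

Start with `mode: 'Detection'`, review the WAF logs for false positives, then switch to `Prevention` once the exclusions and custom rules are tuned.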


As of the writing of this blog, WAF can be deployed with Azure Application Gateway, Azure Front Door, and the Azure Content Delivery Network (CDN) service (in preview).


Pricing


WAF pricing encompasses monthly fixed charges as well as request-based processing charges. Each policy incurs a monthly charge, and there are additional charges for Custom Rules and Managed Rule Sets configured within the policy. To obtain detailed pricing information, please refer to the pricing page.


By leveraging Azure Front Door and WAF, you can create a secure and high-performing web application that is effectively shielded against common threats and vulnerabilities. Furthermore, you have the flexibility to customize your WAF policy and rules to suit the specific security needs of your application.


For further insights into Azure Front Door and WAF, you can visit the official Microsoft Learn page at https://learn.microsoft.com/azure/frontdoor/web-application-firewall.
