DEV Community

vaibhavi_shah

Securing Your Azure Application with a Custom WAF Policy on Application Gateway

Web applications exposed to the internet are attacked constantly, so putting a filtering layer in front of them is one of the cheapest wins available. On Azure, that layer is an Application Gateway running a Web Application Firewall (WAF) policy. In this blog, we'll walk through the steps to set up an Azure Application Gateway with a custom WAF policy that restricts access by geographic region and applies Microsoft's managed rule sets to protect against common web vulnerabilities.

What is Azure Application Gateway?

Azure Application Gateway is a layer 7 (HTTP/HTTPS) load balancer that manages traffic to your web applications. It offers TLS (SSL) termination, URL-based routing, cookie-based session affinity and, on the WAF_v2 tier, a Web Application Firewall (WAF) that inspects requests before they reach your backends and blocks those that match known attack patterns.

Why Use a Custom WAF Policy?

A Web Application Firewall (WAF) protects your web applications by inspecting and filtering HTTP requests. A WAF policy combines Microsoft's managed rule sets with custom rules you write yourself; custom rules are evaluated first, in priority order, so they are the right place for coarse allow/deny decisions such as geo-filtering. In our case, we'll configure a WAF policy to block traffic from regions outside Japan and the US, and apply managed rule sets from Microsoft to protect against common threats such as SQL injection, cross-site scripting and known bad bots.

Step-by-Step Guide to Configuring Application Gateway with Custom WAF Policy

1. Setting Up the Application Gateway

First, let's set up the Application Gateway:

  • Create an Application Gateway: In the Azure portal, navigate to "Create a resource" and select "Application Gateway". Fill in the necessary details such as resource group, name, region, and tier. Make sure to select "WAF V2" for the tier; it is the only tier that supports the standalone WAF policies used in this guide.
  • Configure Frontend IP: Choose whether you want to use a public or private IP. For this example, we'll use a public IP. Create a new public IP or select an existing one; WAF V2 requires a Standard SKU public IP, which is static, so the address you later publish in DNS will not change.
  • Add Listeners: Configure listeners to handle incoming traffic. For HTTPS traffic, you'll need to upload the server certificate and private key in PFX format, or reference a certificate stored in Azure Key Vault. Prefer an HTTPS listener so that the WAF can inspect decrypted request bodies and headers.

2. Creating a WAF Policy

Next, create a custom WAF policy:

  • Navigate to WAF Policies: In the Azure portal, search for "Web Application Firewall policies (WAF)" and create a new policy of type "Regional WAF (Application Gateway)".
  • Define Policy Settings: Give your policy a name and set the mode. "Prevention" actively blocks matching requests, while "Detection" only logs them. A sensible rollout is to start in Detection, review the WAF logs for false positives on legitimate traffic, then switch to Prevention.
  • Add Managed Rules: Add the managed rule sets. For our example, we'll use OWASP_3.2 (the OWASP Core Rule Set 3.2, covering injection, XSS, protocol violations and similar) and Microsoft_BotManagerRuleSet_1.0, which blocks known bad bots based on Microsoft threat intelligence.
  • Create Custom Rules: Add a custom rule to block traffic from regions outside Japan and the US. Navigate to "Custom rules" and create a new rule with a low priority number so it runs before anything else. Set the match type to "Geo location", the match variable to "RemoteAddr", the operation to "Is not", the country/region values to Japan (JP) and United States (US), and the action to "Deny traffic". Note that the gateway evaluates the client address it sees; if traffic reaches the gateway through another proxy or CDN, the geo rule will match that proxy's address rather than the end user's.

3. Associating the WAF Policy with the Application Gateway

  • Go to Application Gateway: Navigate to your Application Gateway instance in the Azure portal.
  • Associate WAF Policy: Under "Web application firewall", associate the custom WAF policy you created earlier. A policy can be attached to the whole gateway, to an individual listener, or to a URL path map, so you can apply stricter rules to sensitive paths if needed.
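Steps 2 and 3 above are clickable in the portal, but a practitioner will usually want the same policy as infrastructure-as-code so it can be reviewed and redeployed. The Bicep template below is an added example, not code from the original post: it creates the WAF policy with the two managed rule sets and the geo-block custom rule described above. The policy name, parameter names, location and API version are assumptions; the property spelling `negationConditon` is the actual (misspelled) name in the Azure resource schema.

```bicep
// Added example (not from the original post): WAF policy for an Application Gateway
// that allows only Japan and the US and applies the OWASP 3.2 and Bot Manager rule sets.
// Names, location and API version are assumptions for illustration.

@description('Region for the policy; assumed to match the Application Gateway')
param location string = resourceGroup().location

@description('Policy name (hypothetical)')
param policyName string = 'waf-jp-us-only'

@description('Countries allowed to reach the application, ISO 3166-1 alpha-2 codes')
param allowedCountries array = [
  'JP'
  'US'
]

@description('Start with Detection to tune false positives, then switch to Prevention')
@allowed([
  'Detection'
  'Prevention'
])
param wafMode string = 'Prevention'

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: wafMode
      // Inspect request bodies too; otherwise injection payloads in POST bodies pass unchecked.
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    // Custom rules run before the managed rule sets, lowest priority number first.
    customRules: [
      {
        name: 'BlockOutsideAllowedCountries'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              {
                // Client source address as seen by the gateway.
                variableName: 'RemoteAddr'
              }
            ]
            operator: 'GeoMatch'
            // "Is not" in the portal: block when the country is NOT in the list.
            // The property really is spelled this way in the Azure schema.
            negationConditon: true
            matchValues: allowedCountries
          }
        ]
      }
    ]
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
  }
}

// Pass this id to the gateway (or a listener / path map) to associate the policy.
output wafPolicyId string = wafPolicy.id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file waf.bicep`, then attach the policy to an existing gateway with `az network application-gateway update --resource-group <rg> --name <gateway> --waf-policy <wafPolicyId>`. Deploying with `wafMode` set to `Detection` first and reading the `ApplicationGatewayFirewallLog` entries before flipping to `Prevention` avoids blocking real users on day one.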

4. Updating DNS Settings

Finally, update your DNS settings to point your domain to the Application Gateway's public IP:

  • Obtain Public IP: Note the public IP address of your Application Gateway.
  • Update DNS A Record: In your DNS provider's settings, update the A record for your domain to point to the Application Gateway's public IP address. Lower the record's TTL ahead of the change so the cutover (and any rollback) propagates quickly, and confirm that the hostname you publish matches the certificate on the HTTPS listener.

Conclusion

Configuring an Azure Application Gateway with a custom WAF policy is a robust way to secure your web applications. By blocking traffic from undesired regions and applying managed rule sets, you can significantly reduce the attack surface exposed to the internet. Keep in mind that geo-blocking is a noise filter rather than a hard security boundary, since an attacker can rent infrastructure in an allowed region, and that the managed rule sets need periodic review of the WAF logs to catch false positives. With these steps, your application is better protected against common threats and unwanted access.

Feel free to share your experiences or any challenges you faced while setting up your Application Gateway. Happy securing!