Azure Security: securing Azure App Services with firewalls
Security is a broad area of IT, and there are several dozen topics to cover. In a series of posts, I will discuss some areas of security in Azure and how to create a secure cloud environment inside Microsoft Azure.
In this blog post I will talk about the firewalls in Azure, specifically layer 3 and layer 7 firewalls for App Services. The Azure App Services offering is a very convenient way to publish your work to the cloud so that people can connect to it over the public internet. It is therefore very important to secure this resource at several layers (application, host, network, …). To get a good understanding of Azure App Service, you can check this link from Microsoft:
Recently, I had a project to architect several App Services inside Microsoft Azure and secure them. In this post, I want to share with you some findings from this project. As you know, Microsoft Azure is a very dynamic environment, and every day you see new features roll out. If you want to implement a security solution for your App Service, I strongly recommend consulting a professional and checking the latest Azure docs.
To create the cloud infrastructure in Microsoft Azure, my personal preference is to use native Azure resources as much as possible and, if there are shortcomings, to use third-party vendors. This is a theme that I use in this blog post as well.
Securing Azure App Service with firewalls
The firewall options for your App Service in Azure depend on whether you use a normal App Service plan or an App Service Environment.
App Service Environment (ASE) is a premium service from Microsoft Azure that puts your app in a secure, isolated environment. Normal Azure App Services are not placed on a Virtual Network, but ASE App Services reside on a Virtual Network. So, when we want to secure a normal App Service, we do not need a layer 3 firewall. For App Service Environments (ASE), however, we should use a layer 3 firewall to make the environment secure. Both App Service types can benefit from layer 7 firewalls.
As of today, the Azure Application Gateway WAF is not supported with normal App Services. The other option for a layer 7 firewall in Azure is the Barracuda WAF. It seems Microsoft is working on making the Application Gateway WAF a supported scenario with App Service, so in the future you may be able to use the Application Gateway WAF as well. To understand the Barracuda WAF, you can check this link:
For App Service Environments (ASE), two scenarios are involved:
· Public-facing App Service Environment (ASE)
· Internal Load Balanced (ILB) App Service Environment (ASE)
To secure both of these scenarios with a layer 3 firewall, you can use an Azure Network Security Group (NSG). To understand the NSG firewall better and how to configure it for ASE, you can check this link:
When it comes to layer 7 protection for your App Service Environment (ASE), things are a little more complicated.
For an ILB ASE, you can use the Application Gateway WAF as your layer 7 firewall. Here you can find the detailed configuration of the firewall:
Barracuda WAF is also a supported scenario for ILB ASE.
Using the Application Gateway WAF for the external ASE is not a scenario supported by Microsoft. You have to use a third-party virtual appliance such as the Barracuda WAF. You can find the detailed configuration here:
In this blog post I have introduced the possible firewall options for securing your Azure App Services. In the provided links, you can find the detailed configuration for these products.