How do I secure my application using application gateway?

  • Question

  • I have an application running inside a VM. Currently it's running at http://localhost:4545 

    Now I would like to expose it to the internet with a proper domain name, as well as implement load balancing with security. So I am thinking of using Application Gateway WAF.

    BUT I am not finding any clean end-to-end tutorial or article.

    Could someone help?

    Many Thanks Deepak

    Wednesday, May 27, 2020 9:37 AM

All replies

  • Greetings,

    Here are the core steps for setting up APPGW for your WebApp:

    1. In the Azure portal, look for Application Gateway in the services, and create a new App Gateway.
    2. Then choose a virtual network where your App Gateway will be linked.
    3. Then you need to create a public IP if the site needs to be publicly exposed, but you can also use a private IP.
    4. Then create your first Backend pool, which will contain one or more servers where the website is hosted.
    5. Add a routing rule.
    6. In the Backend target part, I created a new HTTP setting, to port 4545, in HTTP. This is the port that will communicate with the website.
    7. In order to expose it to the internet with a custom domain name, point the public IP to the respective DNS name using Azure DNS services.

    To summarize, here are the important elements here:
    • Backend pool: contains one or more servers, on the same VNet as the App Gateway, to an On-Premises IP, etc.
    • HTTP Settings: set how to communicate with the backend site
    • Listeners: this is where we will tell which URL we are listening to, as well as the port and the certificate, if there is one
    • Rules: the rule allows you to orchestrate everything, taking the listener’s traffic, associating it with an HTTP setting, and pointing it to a backend pool
    • Health probe (optional): allows you to test whether a site, in a backend pool, is functional or not and is therefore a candidate to serve the requested site

    Here is the ref doc for a glimpse.

    I would also suggest you have a look at this article, which explains the working model of an APPGW.

    If you think your question has been answered, click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.

    Best regards

    Wednesday, May 27, 2020 6:26 PM
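
The elements summarized in the reply above (listener, rule, HTTP setting, backend pool, health probe) can be checked as one chain. The following is an added example, not code from the thread or from Microsoft: it audits a simplified gateway description and compares a weak setup with a hardened one. The dictionary layout, the names and the address `10.0.1.4` are constructed assumptions; `WAF_v2` and the Detection/Prevention modes are Application Gateway's own terms, which the thread does not spell out.

```python
# Added example, not from the thread. The dict layout, names and addresses
# are constructed for illustration; they are not the Azure API's JSON schema.
WEAK = {
    "sku_tier": "Standard_v2",
    "waf": {"enabled": False, "mode": "Detection"},
    "backend_pools": {"vm-pool": ["10.0.1.4"]},
    "http_settings": {"app-http": {"port": 4545, "protocol": "Http", "probe": None}},
    "listeners": {"web": {"port": 80, "protocol": "Http", "certificate": None}},
    "rules": [{"name": "rule1", "listener": "web",
               "http_setting": "app-http", "backend_pool": "vm-pool"}],
}
HARDENED = {
    "sku_tier": "WAF_v2",
    "waf": {"enabled": True, "mode": "Prevention"},
    "backend_pools": {"vm-pool": ["10.0.1.4"]},
    "http_settings": {"app-http": {"port": 4545, "protocol": "Http", "probe": "app-probe"}},
    "listeners": {"web": {"port": 443, "protocol": "Https", "certificate": "site-cert"}},
    "rules": WEAK["rules"],
}

def audit_gateway(gw, backend_port=4545):
    """Return (code, detail) findings for one gateway description."""
    out = []
    if not gw["sku_tier"].startswith("WAF"):
        out.append(("NO_WAF_TIER", gw["sku_tier"]))
    waf = gw.get("waf") or {}
    if not waf.get("enabled"):
        out.append(("WAF_DISABLED", "no requests are inspected"))
    elif waf.get("mode") != "Prevention":
        out.append(("WAF_DETECTION_ONLY", "matches are logged, not blocked"))
    for rule in gw["rules"]:
        # Resolve the chain the rule ties together: listener -> setting -> pool.
        lst = gw["listeners"].get(rule["listener"])
        hs = gw["http_settings"].get(rule["http_setting"])
        pool = gw["backend_pools"].get(rule["backend_pool"])
        if lst is None or hs is None or pool is None:
            out.append(("DANGLING_RULE", rule["name"]))
            continue
        if lst["protocol"] != "Https":
            out.append(("HTTP_LISTENER", rule["listener"]))
        elif not lst.get("certificate"):
            out.append(("HTTPS_NO_CERT", rule["listener"]))
        if hs["port"] != backend_port:
            out.append(("PORT_MISMATCH", f"{rule['http_setting']} -> {hs['port']}"))
        if not pool:
            out.append(("EMPTY_POOL", rule["backend_pool"]))
        if not hs.get("probe"):
            out.append(("NO_CUSTOM_PROBE", rule["http_setting"]))
    return out

if __name__ == "__main__":
    for name, gw in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_gateway(gw))
```
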
  • Great input, let me try to set it up and get back with questions.

    For now, I have one question. Do you suggest Azure Front Door OR Application Gateway?

    Second, for now I have decided to have only one VM in the backend pool. WAF is the more important requirement now.

    Many Thanks Deepak

    • Edited by Deepak RA0 Thursday, May 28, 2020 4:37 AM typo
    Thursday, May 28, 2020 4:35 AM
  • Your requirement is WAF, and it is available in AFD and AppGW. But you can use Traffic Manager as first-tier load balancing and have AppGW in the different regions to provide high resilience/availability.

    APPGW Arch with Traffic Manager:

    Azure Traffic Manager + Application Gateways Demo Setup

    If you want users from a specific country to reach the nearest backend resource, it seems like the best solution for you is AFD.
    AFD is a global load balancer. It has WAF capability. It can cache the data and provide quicker responses (CDN functionality). AFD uses an intelligent probing mechanism, through which it chooses the endpoint which is closer to the client who is making the request.

    AFD Architecture :

    Note: Using AFD allows you to disable the health probe when AFD holds a single backend resource, which will save extra bandwidth and pricing.


    Best regards

    Thursday, May 28, 2020 4:54 PM
  • Thanks for the details with diagrams. Great. However, I see that AFD cannot have VMs in its backend pools. Is that so?

    So it seems like I have to go for a combination of AFD and App Gateway.


    Is my understanding right?

    Note: I have a web application inside a VM. It's an IaaS setup. It's NOT a PaaS Web App.

    Many Thanks Deepak

    Saturday, May 30, 2020 2:34 PM
  • Hi Deepak,

    You can

    1) Enable Security Center as well, as you are running it on a VM

    2) Keep your Azure VM under a VNet and expose it through the gateway

    3) Enable the firewall

    Also have a look at this

    -Malleswar My Channel - https://www.youtube.com/channel/UCkuE012zWq355GZUAew2THg/

    Saturday, May 30, 2020 3:09 PM