How to Configure Azure Application Gateway and WAF v2

Introduction

Azure Application Gateway, functioning at layer 7, is essential for efficiently managing web traffic to your applications. This article delves into the concept and configuration of an Application Gateway, covering essential features like load balancing, SSL termination, and web application firewall (WAF) capabilities. By optimizing performance, enhancing security, and ensuring seamless access to your applications, we'll explore the robust capabilities of the Application Gateway.

Prerequisites

  1. Azure Subscription if you don’t have you can create via the link. Azure Free Account
  2. Azure VM or Web App Service (IIS or Web page)
  3. Additional Subnet for Application Gateway

Step 1. Sign in to the Azure portal.

Microsoft Azure

Step 2. Go to marketplace search Application gateway and hit on create.

Application Gateway

Step 3. In the basic tab, select your resource group and provide a name for the application gateway in my case I will use article-AppGW

  • Resource Group Article-AppGW
  • I will select the North Europe region you can choose your nearest locations as you decide.
  • In terms of tires, I will choose WAF v2.
    Create application gateway

Step 4. Kindly follow my steps for this demo, as I have configured it to avoid any conflicts.

  • Enable autoscaling: No
  • Instance count: 1
  • Availability Zone: 1,2,3 (If you want, you can choose 1)
  • HTTP2: Disabled 
  • IP Address type: IPV4

Configure Virtual Network

In terms of network, I will choose my virtual network and my app gateway subnet (App-GwSubnet) instead of my VM subnet.

Then click on Frontend IP>

Configure Virtual Network

Step 5. In the Frontend tab click Add New and then type IP name in my case AppGw-PiP, Click Next: Backend

Step 6. In the Backend, tab Click Add Backend Pool then Provide some Pool name (AppVM_Pool).

  1. Target type: Virtual machine
  2. Target: VM nic (article-vm52910.0.0.4)

Click on the Add button. 

Click Add Backend Pool then Provide some Pool name (AppVM_Pool) 

Step 7. Now Frontend and Backend are successfully configured.

Now Frontend and Backend

Step 8. Now I'm going to configure a very important area, which is routing rules.

Add a routing rule with the following specifications:

  • Rule name: RuleA
  • Priority: 100
  • Listener name: ListenerA
  • Frontend IP: Public IPv4
  • Protocol: HTTP
  • Port: 80

Please note that if you want to select HTTPS, you must have an SSL certificate installed on your application. In my case, since this is a demo environment, I don’t need to use an SSL certificate.

Add a routing rule

Step 9. Move to the Backend targets.

  1. Add Backend targets: AppVM_Pool
  2. Add Backend Settings: HttpSettings
    Add routing rule

Step 10. If you have multiple paths in your application, you can utilize path-based routing. However, in my case, I don’t have multiple paths in my application. Click: Next Tags

Path based rules

Step 11. Click Review and Create.

It might take 10-15 minutes for deployment.

Validation passed

Step 12. Successfully, my application gateway has been deployed.

My application gateway deployed

Web Application Firewall Configuration

Step 1. In the left-side pane of the Application Gateway Overview, navigate to Web Application Firewall.

It's important to note that by default, my WAF mode is set to Detection. This means that user traffic will be allowed to reach the application, but if a threat is detected, it will only be detected and not prevented. For more details, refer to the Microsoft Docs here. 

WAF Mode to set Detection

Step 2. You can use Switch to Prevention mode to set Prevention.

Prevention Mode

Step 3. You can switch to Prevention mode to enable prevention actions.

Prevention action

Step 4. Managed Rule Sets offer OWASP-verified rulesets that you can enable depending on your application's behavior. In my scenario, I'll activate all rules to assess the behavior of my default HTML page.

In Web Application firewall>Managed rules>OWASP 3.2>Expand>Select all> Enabled

Use the Docs to tune your policies: Managed Rules

Testing and Validation of Application Gateway

Step 1. First, I will browse my application using the VM's public IP instead of the application gateway's IP for testing.

Testing and validation of application gateway

Step 2: It's working properly.

Demo

Step 3. Now I’m going to browse the application using the Application Gateway's IP address instead of the VM's public IP address.

Navigate to your Application Gateway overview, and copy the IP address.

Frontend publish IP Address

Step 4. Paste the IP address into your browser's address bar and press enter. As expected, my default HTML page is functioning properly via the Application Gateway's frontend IP.

App gateway

Note. As I mentioned, my HTML pages are functioning properly without dependencies in my demo environment. However, you may encounter some 403 Forbidden errors. This depends on your application. If you encounter such errors, don't worry; you'll need to adjust certain exclusion rules.

Conclusion

I have configured and tested the Application Gateway successfully. Remember to adjust exclusion rules if you encounter 403 Forbidden errors and disassociate the VM's public IP.


Similar Articles