Design 18: App Gateway (WAF)

Summary

This design secures web applications using Azure Application Gateway with Web Application Firewall (WAF).

Topology: The Application Gateway is deployed in a Spoke VNet. It acts as the public entry point, while the backend VMs are isolated. The Spoke is peered to the Hub VNet for management access.

1. Key Design Decisions (ADR)

ADR-01: Ingress Controller

  • Decision: Use Application Gateway (WAF v2).
  • Rationale: Provides Layer 7 load balancing, SSL termination, and protection against OWASP Top 10 attacks (SQL Injection, XSS).

ADR-02: Network Isolation

  • Decision: Deploy App Gateway in a dedicated subnet.
  • Rationale: Azure requires Application Gateway to occupy a subnet of its own. Backend VMs sit in a separate private subnet.

2. High-Level Design (HLD)

                                  (Admin Access)
                                        |
                                        v
+--------------+           +--------------------------+
|  Internet    |           |        HUB VNet          |
+------+-------+           | (Shared Services)        |
       | (HTTPS)           |                          |
       v                   |   [VPN Gateway]          |
+------+-------+           +------------+-------------+
|  App Gateway |                        |
|  (WAF)       |<-----------------------+ (Peering)
+------+-------+
       | (HTTP)
       v
+------+-------+
|  Web Tier    |
|  (VMSS)      |
+--------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | VPN Gateway           |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-appgw-spoke (10.1.0.0/16)                            |
|                                                                       |
|   +---------------------------------------------------------------+   |
|   | Subnet: snet-agw (10.1.1.0/24)                                |   |
|   | NSG: nsg-agw (Allow Internet:443, Allow GatewayManager)       |   |
|   | [Application Gateway WAF v2]                                  |   |
|   +-----------|---------------------------------------------------+   |
|               |                                                       |
|               v (Allow: Source 10.1.1.0/24)                           |
|   +-----------|---------------------------------------------------+   |
|   | Subnet: snet-backend (10.1.2.0/24)                            |   |
|   | NSG: nsg-backend (Deny Internet, Allow AGW)                   |   |
|   | [VM Scale Set]                                                |   |
|   +-----------|---------------------------------------------------+   |
+---------------|-------------------------------------------------------+
                |
                | (ASR Replication)
                v
+-----------------------------------------------------------------------+
| SECONDARY REGION (West US) - DR Site                                  |
|                                                                       |
|   +-----------------------+       +-----------------------+           |
|   | ASR Vault             |       | App Gateway (Standby) |           |
|   | (Holds VM Disks)      |       | (Stopped)             |           |
|   +-----------------------+       +-----------------------+           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • WAF Policy: A separate resource containing the security rules (e.g., "Block SQL Injection"). Can be attached to multiple Gateways.
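As an added example (not from the original design), a Bicep definition of the separate WAF Policy resource described above. The policy name wafpol-prod, the location parameter and the API version are assumptions; Prevention mode is what makes the 403 in the Phase 6 verification step possible, since Detection mode only logs matches.

```bicep
// Assumed names: wafpol-prod and the location parameter are not from the design doc.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'wafpol-prod'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      // 'Prevention' answers matching requests with 403; 'Detection' only logs them,
      // so the /?id=1%20OR%201=1 check in Phase 6 would still return 200 in Detection mode.
      mode: 'Prevention'
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          // OWASP Core Rule Set covers the SQL Injection / XSS categories cited in ADR-01
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}

// The policy is attached on the Application Gateway resource via
//   properties: { firewallPolicy: { id: wafPolicy.id } ... }
// and the same id can be reused by several gateways.
output wafPolicyId string = wafPolicy.id
```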

5. Strategy: High Availability (HA)

  • App Gateway: Supports Zone Redundancy. Deployed across Zones 1, 2, 3.
  • Backend: VMSS spans Zones 1, 2, 3.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Active-Passive.
  • Process:

* Deploy a "standby" App Gateway in West US (or script it to deploy on failover).

* Use Traffic Manager (Design 15) to point to East US normally.

* On failure, ASR hydrates backend VMs in West US, and Traffic Manager flips DNS to West US App Gateway.

7. Strategy: Backup

  • Config: Export WAF Policy and App Gateway ARM template.

8. Strategy: Security

  • NSG Rules: The App Gateway subnet NSG must allow inbound TCP ports 65200-65535 from the GatewayManager service tag; Azure uses them to manage the v2 gateway and to run its health checks.
  • SSL: End-to-End SSL (decrypt at the Gateway so the WAF can inspect the request, then re-encrypt to the backend) is best practice for Zero Trust.
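As an added example (not from the original design), a Bicep definition of the two NSGs from the LLD (nsg-agw and nsg-backend) with the rules the design calls out: Internet:443 and GatewayManager 65200-65535 on the gateway subnet, and only the gateway subnet 10.1.1.0/24 reaching the web tier. The rule names, priorities, location parameter and API version are assumptions.

```bicep
param location string = resourceGroup().location

// Rule data for both NSGs; names and priorities are assumed, prefixes come from the LLD.
var nsgs = [
  {
    name: 'nsg-agw'
    rules: [
      // Client traffic: HTTPS only from the Internet service tag.
      { name: 'Allow-Internet-443', priority: 100, access: 'Allow', protocol: 'Tcp', source: 'Internet', ports: '443' }
      // v2 control plane and health probes: without this rule the gateway reports unhealthy.
      { name: 'Allow-GatewayManager', priority: 110, access: 'Allow', protocol: 'Tcp', source: 'GatewayManager', ports: '65200-65535' }
    ]
  }
  {
    name: 'nsg-backend'
    rules: [
      // Only the gateway subnet may talk to the web tier (HTTP as in the HLD; 443 for end-to-end SSL).
      { name: 'Allow-AGW-Subnet-80', priority: 100, access: 'Allow', protocol: 'Tcp', source: '10.1.1.0/24', ports: '80' }
      // Explicit deny of direct Internet access; the default DenyAllInBound would also catch it.
      { name: 'Deny-Internet', priority: 200, access: 'Deny', protocol: '*', source: 'Internet', ports: '*' }
    ]
  }
]

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = [for n in nsgs: {
  name: n.name
  location: location
  properties: {
    securityRules: [for r in n.rules: {
      name: r.name
      properties: {
        priority: r.priority
        direction: 'Inbound'
        access: r.access
        protocol: r.protocol
        sourceAddressPrefix: r.source
        sourcePortRange: '*'
        destinationAddressPrefix: '*'
        destinationPortRange: r.ports
      }
    }]
  }
}]
```

Each NSG still has to be associated with its subnet (snet-agw and snet-backend) through the subnet's networkSecurityGroup property, which is outside this fragment.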

9. Well-Architected Framework Analysis

  • Reliability: High. Zone redundant.
  • Security: High. WAF protects against attacks.
  • Cost Optimization: Medium. WAF v2 is ~$300/month.
  • Operational Excellence: High. Centralized certificate management.
  • Performance Efficiency: High. Offloads SSL termination from VMs.

10. Detailed Traffic Flow

1. User: Sends HTTPS request to myapp.com.

2. WAF: App Gateway terminates TLS and inspects the request against its WAF rules (e.g. SQL Injection signatures).

3. Route: If safe, forwards request to Backend VM (10.1.2.4) on Port 80.

4. Response: VM responds to Gateway. Gateway encrypts and sends to User.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Spoke VNet

1. Search: "Virtual networks" -> + Create.

2. Resource Group: Create rg-appgw-spoke.

3. Name: vnet-appgw-spoke.

4. Region: East US.

5. IP Addresses: 10.1.0.0/16.

6. Subnets:

* snet-agw: 10.1.1.0/24.

* snet-backend: 10.1.2.0/24.

7. Create.

Phase 2: Peer to Hub

1. Go to vnet-appgw-spoke -> Peerings -> + Add.

2. Remote VNet: Select vnet-hub.

3. Gateway Transit: Check Use remote gateway.

4. Remote Settings: Check Allow gateway transit.

5. Add.

Phase 3: Create Public IP

1. Search: "Public IP addresses" -> + Create.

2. Name: pip-agw.

3. SKU: Standard (Required for V2).

4. Tier: Regional.

5. Create.

Phase 4: Create Application Gateway

1. Search: "Application Gateways" -> + Create.

2. Basics:

* Name: agw-prod.

* Region: East US.

* Tier: WAF V2.

* Enable autoscaling: Yes.

* Min instance count: 0. Max: 2.

* Availability zone: None (or 1, 2, 3).

3. Frontends:

* Frontend IP address type: Public.

* Public IP address: Select pip-agw.

4. Backends:

* Add a backend pool: Name pool-web. Target: No targets (Add later). Add.

5. Configuration:

* Frontends: Select Public.

* Routing rules: + Add a routing rule.

* Rule name: rule-http.

* Priority: 100.

* Listener:

* Name: listener-http.

* Frontend IP: Public.

* Protocol: HTTP (Port 80).

* Backend targets:

* Target type: Backend pool.

* Backend pool: pool-web.

* Backend settings: + Add new.

* Name: setting-http.

* Target backend protocol: HTTP. Port: 80.

* Add.

* Add.

6. Virtual Network: Select vnet-appgw-spoke -> snet-agw.

7. Review + create -> Create. (Takes 15-20 mins).

Phase 5: Deploy Backend

1. Deploy VMs: Create 2 VMs (vm-web-01, vm-web-02) in snet-backend.

2. Install Web Server: Install IIS/Nginx on both.

3. Add to App Gateway:

* Go to agw-prod -> Backend pools -> pool-web.

* Targets: Select Virtual machine.

* Target: Select vm-web-01 and vm-web-02.

* Save.

Phase 6: Verify

1. Go to App Gateway -> Overview. Copy Frontend public IP address.

2. Paste in Browser. You should see the Web Server default page.

3. Test WAF: Append /?id=1%20OR%201=1 to the URL (SQL Injection simulation).

* You should see 403 Forbidden (WAF blocked it).