M06 - PaaS Security


Module 5 - Securing your PaaS application on Azure

Module Overview

Microsoft Confidential
• Section 1 – DevSecOps
• Section 2 – Azure App Services Security
• Section 3 – SQL Databases Security
Platform protections (overview diagram): Disk & Storage Encryption, Azure Antimalware, automated OS update/refresh.

Secure DevOps Kit for Azure:
https://github.com/azsk/DevOpsKit
https://github.com/azsk/DevOpsKit-docs
Module 7 - Securing your PaaS application on Azure

Section 1: Azure App Services Security

Azure Security Center

Secure and compliant fabric (ISO, PCI, HIPAA, SOC Type 1 & 2, etc.)
Enable Azure Security Center for prevention, detection, and remediation.

Security Center collects data from and inspects your Azure environments, including:
• Virtual machines
• Virtual networks
• SQL Database
• Web services (applications)

It evaluates the current configuration against security best practices.

Security Center detects public endpoints with a listening service on TCP ports 80 and 443 and, if one is not already deployed, recommends deploying a web application firewall (WAF) appliance in front of them.

Authenticate through Azure Active Directory
...or other established identity providers.

Covered in greater detail in other modules.


Available Authentication and Authorization Methods
Below are the two main options for configuring web app external authentication:

Azure AD
• Supports popular authentication protocols (OAuth 2.0, OpenID Connect, and SAML 2.0)
• Can use an Azure-only identity provider without any on-premises infrastructure
• Can also configure directory sync with an on-premises Active Directory (managed on-premises)
• Provides SSO to all applications supported by Azure AD, including Azure, Microsoft Office 365, Microsoft Dynamics CRM Online, Microsoft Intune, and thousands of non-Microsoft cloud applications
• Azure AD delegates the management of relying party applications to non-administrator roles, while application access to sensitive directory data must still be configured by global administrators
• Sends a general-purpose set of claim types for all relying party applications
• The Azure AD Graph API enables application access to directory data in Azure AD

On-premises STS such as AD FS
• AD FS topology must be deployed on-premises, with cost and management overhead
• Best when company policy demands that Active Directory data be stored on-premises
• Only AD FS administrators can configure relying party trusts and claim rules
• Can manage claims on a per-application basis
• Must have a separate solution for accessing on-premises Active Directory data through the corporate firewall

Use Azure AD for Authentication in Azure App Service
All steps needed to provision and configure Azure AD authentication for your App are
integrated in the Azure portal.
These steps include Application creation in Azure AD.

Alternate Authentication Providers
Alternate authentication providers are available to authenticate your web app users with their Microsoft Account, Facebook, Google or Twitter account.
Enable WAF protection
• A web application firewall (WAF) helps provide efficient protection against SQL injection and the other OWASP Top 10 vulnerabilities.
• Multiple WAF solutions can be deployed to help protect Azure web services, such as the ModSecurity module or third-party virtual appliances (Barracuda, F5, and so on).
• In some environments, manual WAF deployment can be complex and time consuming.
• Azure Security Center makes WAF provisioning straightforward by handling most of the network configuration for you.
• Deploying the WAF does not change your current setup until the final setup step, which restricts traffic so that it must pass through the WAF.
Web Application Firewall on Application Gateway
• Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.
• No footprint on the servers. Integrated application acceleration features such as load balancing, SSL offloading, connection multiplexing, caching, and compression reduce the load on the application servers and deliver the applications faster to clients.
• Centralized logging

ModSecurity for Azure Websites
(http://www.modsecurity.org/)
• Open source, cross-platform web application firewall (WAF) module.
• Enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
• Similar to UrlScan, but ModSecurity supports a much richer syntax for writing rules, using various operators (such as regular expressions) to inspect inbound and outbound HTTP(S) data.
• Enabled by editing the site's web.config:

  <configuration>
    <system.webServer>
      <ModSecurity enabled="true" configFile="D:\home\site\wwwroot\secrules.conf" />
    </system.webServer>
  </configuration>

ModSecurity
• The module runs within your IIS worker process on Azure Websites.
• Any throttles and restrictions that apply to your worker process also apply to ModSecurity. On the free tier there is a cap on CPU minutes per day for your site, and it applies to ModSecurity running in the worker process as well.
• Allows the use of the predefined, regularly updated OWASP Core Rule Set:
  http://spiderlabs.github.io/owasp-modsecurity-crs/
• Depending on how complex your rules are and which portions of the HTTP request or response they operate on, they can have a performance impact on your website.
• Prefer very targeted rules to reduce the overhead of matching HTTP requests and responses against them.

Protect your keys and secrets
• Do not check in credentials, including service account passwords and database connection strings.
• The CredScan extension for Visual Studio scans code for many kinds of secrets as you type and alerts when it finds one.
• Do not check in certificates, even if they are password protected.
• Other types of data might end up on GitHub; review closely before upload:
  • Server names
  • Database names
  • Table names
  • Proprietary code
• Use Azure Key Vault for secrets storage and Managed Identity for authentication (covered in greater detail in other modules).
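As an added illustration (not CredScan and not part of the original module), the following Python script shows the kind of pre-commit check that catches the material listed above before it reaches a repository. The file contents, the regular expressions and the rule names are constructed for the example; real scanners carry far larger rule sets.

```python
"""Minimal pre-commit secret scanner (constructed example, not CredScan).

It flags the classes of material the slide says must never be checked in:
connection strings carrying passwords, Azure storage account keys, private
key blocks, SAS token signatures, and certificate/key container files.
"""
import re
from pathlib import PurePosixPath

# Illustrative patterns; a real scanner (CredScan, gitleaks, ...) has many more.
SECRET_PATTERNS = {
    "connection-string-password": re.compile(
        r"(?i)\b(?:password|pwd)\s*=\s*[^;\"'\s]{4,}"),
    "azure-storage-account-key": re.compile(
        r"(?i)\bAccountKey\s*=\s*[A-Za-z0-9+/]{86}=="),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----"),
    "sas-token-signature": re.compile(r"(?i)[?&]sig=[A-Za-z0-9%+/]{20,}"),
}

# Files that are secrets by definition, whatever their content (slide: do not
# check in certificates even if password protected).
SECRET_EXTENSIONS = {".pfx", ".p12", ".pem", ".key"}


def scan_text(path, text):
    """Return (path, line_no, rule) findings for one file; line 0 = whole file."""
    findings = []
    if PurePosixPath(path).suffix.lower() in SECRET_EXTENSIONS:
        findings.append((path, 0, "certificate-or-key-file"))
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, rule))
    return findings


def scan_files(files):
    """files: {path: contents}. Returns all findings across the set."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents; none of these are real credentials.
SAMPLE_FILES = {
    "Web.config": (
        '<connectionStrings>\n'
        '  <add name="Db" connectionString="Server=tcp:contoso.database.windows.net;'
        'User ID=appuser;Password=Hunter2!Hunter2;" />\n'
        '</connectionStrings>\n'),
    "settings.json": (
        '{"storage": "DefaultEndpointsProtocol=https;AccountName=acct;'
        'AccountKey=' + 'A' * 86 + '==;EndpointSuffix=core.windows.net"}\n'),
    "certs/site.pfx": "<binary PKCS#12 blob>",
    "README.md": "Set the DB password via Key Vault; never commit it.\n",
}

if __name__ == "__main__":
    for path, line_no, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {rule}")  # any output => block the commit
```

Wire `scan_files` into a pre-commit hook over the staged files and fail the commit on any finding; the README line shows that the patterns key on `password=` assignments, not on the word itself.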
Secure DevOps Kit for Azure
The Secure DevOps Kit for Azure is a set of automation, extensions, plugins, templates, modules, and other tools that combine to offer a security-focused development workflow for our DevOps engineering teams working in the cloud. The goal of the kit is to empower our teams to build and use Azure-based solutions in a consistent, repeatable, and efficient manner with security integrated at every stage.

In a nutshell: a PowerShell module that scans your Azure subscription for security misconfigurations.
Build Threat Model
• Threat modeling allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve.
• It greatly reduces the total cost of development.

Threat Modeling Tool
• Microsoft released the free-to-use Threat Modeling Tool, which allows you to build a model of your app and generate an initial set of threats.
• The Threat Modeling Tool has native support for Azure components and generates corresponding threats.
• TMT uses the STRIDE model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) for threat categorization.

https://docs.microsoft.com/en-us/azure/security/azure-security-threat-modeling-tool-getting-started
Encrypt all network traffic
When using the default public *.azurewebsites.net domain name created for your App Service app, you can immediately use HTTPS, as an SSL certificate is provided for all *.azurewebsites.net domain names.

If your site uses a custom domain name, you can upload an SSL certificate to enable HTTPS for the custom domain.

Enabling HTTPS helps protect against MITM attacks on the communication between your app and its users.
Choose SSL Types
IP-Based SSL (Legacy) vs. Server Name Indication (SNI)-Based SSL (Default)

(Diagram: with IP-based SSL, contoso.azurewebsites.net and fabrikam.azurewebsites.net each need their own reserved public IP address on the web app server; with SNI-based SSL both sites share one dynamic public IP address.)

• IP-based SSL associates a certificate with a single domain name by mapping the dedicated public IP address of the server to the domain name. Each domain name, such as contoso.com or fabrikam.com, must be associated with a dedicated IP address.
• SNI-based SSL is an extension to SSL and Transport Layer Security (TLS) that allows multiple domains to share the same IP address, with a separate certificate for each domain. The client sends the host name it wants in the clear in the TLS ClientHello, so the server can pick the matching certificate before the handshake completes.
• Most modern browsers (including Microsoft Internet Explorer, Google Chrome, Mozilla Firefox, and Opera) support SNI. However, older browsers (for example, Internet Explorer on Windows XP) do not send SNI, so the server cannot select the per-domain certificate and those clients will see a certificate name mismatch.
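To make concrete why SNI lets many certificates share one IP address, here is an added Python example (not from the original module) that builds a minimal TLS 1.2 ClientHello carrying a server_name extension and parses the host name back out of the record, which is exactly the field a front end reads to choose a certificate. The record layout follows the TLS specification; the cipher-suite values are illustrative, and the host names are the slide's examples.

```python
"""Build and parse the TLS ClientHello server_name (SNI) extension.
Constructed example; shows the clear-text host name a front end uses to
pick a certificate before any key exchange happens."""
import os
import struct

TLS_HANDSHAKE = 0x16       # record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type
EXT_SERVER_NAME = 0x0000   # extension type: server_name (RFC 6066)


def build_client_hello(hostname, cipher_suites=(0x1301, 0xC02F)):
    """Return a complete TLS record with a ClientHello naming `hostname`.
    The cipher suites are illustrative (TLS_AES_128_GCM_SHA256 and
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)."""
    name = hostname.encode("ascii")
    # ServerNameList: one ServerName of name_type host_name (0).
    entry = struct.pack("!BH", 0, len(name)) + name
    sni_data = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + os.urandom(32)                             # random
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext  # extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def _parse_sni(record):
    if record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or hs[0] != CLIENT_HELLO:
        return None  # truncated record or not a ClientHello
    p = 4 + 2 + 32                 # skip type+length, client_version, random
    p += 1 + hs[p]                 # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                 # compression_methods
    if p + 2 > len(hs):
        return None                # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type == EXT_SERVER_NAME and len(data) >= 5:
            name_type, name_len = struct.unpack("!BH", data[2:5])
            if name_type == 0:
                return data[5:5 + name_len].decode("ascii")
    return None


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None for
    records that are not ClientHellos, carry no SNI, or are malformed."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for host in ("contoso.azurewebsites.net", "fabrikam.azurewebsites.net"):
        print(host, "->", extract_sni(build_client_hello(host)))
```

Because the name travels before any encryption is negotiated, an IP-based SSL front end never needs it, while an SNI front end must refuse or fall back to a default certificate when a legacy client omits the extension.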
SSL Certificates Requirements
The certificate must meet the following requirements for SSL certificates in Azure App Service:
• The certificate must be signed by a trusted public CA; certificates issued from private CA servers are not supported by Azure App Service.
• The certificate must contain a private key.
• The certificate must be created for key exchange and be exportable to a Personal Information Exchange (.pfx) file.
• The certificate's subject name must match the domain used to access the app. If you need to serve multiple domains with this certificate, you can use a wildcard value or specify subjectAltName values.
• The certificate should use a minimum of a 2048-bit RSA key.
SSL Certificates
o Azure App Service Certificate allows you to purchase and manage SSL certificates within a few minutes. Some of the key features include:
  • Secure one web app (root domain and www)
  • Secure one web app and all its sub-domains (wildcard SSL)
  • 1 year validity with auto renewal
  • Domain Validated certificate with a simple validation process
  • By default, certificate secrets are stored in Azure Key Vault
  • SHA-2 signature and 2048-bit key
  • Compatible with all major browsers
o Store the certificate in Azure Key Vault
o Assign the certificate to the App Service app
Enforce HTTPS
o URL Rewrite module to enforce HTTPS
Azure App Service does not enforce HTTPS by default. Visitors might still access your app over HTTP, which might compromise your app's security.
If you want to enforce HTTPS for your app, you can use the URL Rewrite module, which is included with the Azure web role and the Web Apps feature of App Service.
It enables you to define rules that are applied to incoming requests before the requests are handed to your application. It can be used for applications written in any programming language supported by Azure.

o Enable HTTP Strict Transport Security (HSTS)
HSTS keeps a browser that has visited the site over HTTPS from inadvertently switching back to plain HTTP.
When enforcing HTTPS, the first user connection attempt made over HTTP is redirected to HTTPS.
Sometimes a developer misses a conditional statement and leaves a "last resort" hard-coded redirection to HTTP in the website code, which can route the user back to HTTP.
You need to redirect users to HTTPS at least once; HSTS then keeps every subsequent request on HTTPS.

https://social.technet.microsoft.com/wiki/contents/articles/32229.azure-create-an-url-rewrite-azure-web-app.aspx
Enforce HTTPS with a URL Rewrite rule
1. Create an Azure Web app
2. Configure the Azure Web app
3. Create the URL Rewrite configuration file
4. Upload the configuration file to the Azure Web app

  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <system.webServer>
      <rewrite>
        <rules>
          <rule name="Redirect to HTTPS" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
  </configuration>

https://social.technet.microsoft.com/wiki/contents/articles/32229.azure-create-an-url-rewrite-azure-web-app.aspx
Enable HTTP Strict Transport Security (HSTS)
HSTS keeps a browser that has visited the site over HTTPS from inadvertently switching back to plain HTTP: the first HTTP request is redirected to HTTPS, and the Strict-Transport-Security response header then tells the browser to use HTTPS for every subsequent request. The outbound rule below sets the header only on HTTPS responses (browsers ignore the header when it arrives over plain HTTP).

  <?xml version="1.0" encoding="UTF-8"?>
  <configuration>
    <system.webServer>
      <rewrite>
        <rules>
          <rule name="HTTP to HTTPS redirect" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
          </rule>
        </rules>
        <outboundRules>
          <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
            <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
            <conditions>
              <add input="{HTTPS}" pattern="on" ignoreCase="true" />
            </conditions>
            <action type="Rewrite" value="max-age=31536000" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>
  </configuration>
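Because the web.config fragments above are easy to get subtly wrong (a redirect to http://, a missing outbound rule, a short max-age), here is an added Python check, not part of the original module, that parses a web.config and verifies both the HTTPS redirect and the HSTS rule are present. The sample configuration string reproduces the slide's rule set; the one-year minimum is the value the slide uses.

```python
"""Verify a web.config carries both controls from these slides: an inbound
rule redirecting HTTP to HTTPS and an outbound rule adding HSTS.
Constructed example; the sample config is the slide's rule set."""
import re
import xml.etree.ElementTree as ET

MIN_HSTS_MAX_AGE = 31536000  # one year, the value the slide's rule sets


def _child(elem, tag):
    """First direct child with this tag, or None (tags like system.webServer
    contain a dot, so plain iteration is safer than an XPath)."""
    return next((c for c in elem if c.tag == tag), None)


def _has_https_redirect(rewrite):
    """True if an inbound rule redirects {HTTPS}=off requests to https://."""
    for rule in rewrite.findall("./rules/rule"):
        https_off = any(
            c.get("input") == "{HTTPS}"
            and re.fullmatch(r"\^?off\$?", c.get("pattern", ""), re.I)
            for c in rule.findall("./conditions/add"))
        action = rule.find("action")
        redirects = (action is not None and action.get("type") == "Redirect"
                     and action.get("url", "").lower().startswith("https://"))
        if https_off and redirects:
            return True
    return False


def _hsts_max_age(rewrite):
    """max-age set by an outbound Strict-Transport-Security rule, or None."""
    for rule in rewrite.findall("./outboundRules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None:
            continue
        if match.get("serverVariable", "").upper() != "RESPONSE_STRICT_TRANSPORT_SECURITY":
            continue
        m = re.search(r"max-age=(\d+)", action.get("value", ""), re.I)
        if m:
            return int(m.group(1))
    return None


def check_web_config(xml_text):
    """Return {control: problem}; an empty dict means both controls are present."""
    root = ET.fromstring(xml_text)
    web_server = _child(root, "system.webServer")
    rewrite = _child(web_server, "rewrite") if web_server is not None else None
    if rewrite is None:
        return {"redirect": "no <rewrite> section", "hsts": "no <rewrite> section"}
    findings = {}
    if not _has_https_redirect(rewrite):
        findings["redirect"] = "no rule redirecting {HTTPS}=off requests to https://"
    max_age = _hsts_max_age(rewrite)
    if max_age is None:
        findings["hsts"] = "no outbound rule setting Strict-Transport-Security"
    elif max_age < MIN_HSTS_MAX_AGE:
        findings["hsts"] = f"max-age={max_age} is below {MIN_HSTS_MAX_AGE}"
    return findings


# The slide's configuration, reproduced as a string for the check.
GOOD_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    print("slide config:", check_web_config(GOOD_CONFIG) or "ok")
    print("short max-age:", check_web_config(GOOD_CONFIG.replace("31536000", "300")))
```

Run it as a build step against the web.config that is actually deployed; it is a static check only, so still confirm at runtime that an HTTP request returns a 301 to https:// and that the HTTPS response carries the Strict-Transport-Security header.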

Restrict incoming source IP addresses

https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
Publishing through FTPS (FTP over TLS)
Azure App Service provides FTPS (FTP over TLS, not SFTP) for improved security when accessing your app's file system.

This allows you to access the application code on the web app as well as diagnostics logs. It is recommended that you always use FTPS instead of FTP.

The FTPS link for your app can be found with the following steps:
1. Open the Azure Portal
2. Select Browse All
3. From the Browse blade, select App Services
4. From the App Services blade, select the desired app
5. From the app's blade, select All settings
6. From the Settings blade, select Properties
7. The FTP and FTPS links are provided on the Properties blade

FTP/FTPS and Git deployment credentials need to be set through the management interface in the portal.
Perform Penetration Testing on Your App
Review the Microsoft Cloud Unified Penetration Testing Rules of Engagement before testing. Typical test activities:
• Open Web Application Security Project (OWASP) Top 10 vulnerabilities
• Fuzz testing
• Port scanning
• Denial of Service (DoS): the Rules of Engagement prohibit DoS testing against Azure, so keep it out of scope

Vulnerability scanning of your app:
https://www.tinfoilsecurity.com/azure
https://community.qualys.com/docs/DOC-5552
https://freescan.qualys.com/freescan-front/module/freescan/#dashboard
https://www.qualys.com/customers/success-stories/reining-in-global-web-application-security-risk-at-microsoft/
Module 5 - Securing your PaaS application on Azure

Section 3: SQL Databases Security
Security for Azure SQL
(Diagram: responsibility matrix for Azure SQL security)

Enable SQL Advanced Threat Protection (ATP)

SQL ATP: Data discovery and classification
• Download a report in Excel format
• Begin classifying your data
• View the list of recommended column classifications
• Review the list of recommendations
• You can also manually classify columns as an alternative
• Audit access to sensitive data

SQL ATP: Vulnerability assessment
• Analyze the results and resolve issues
• Set your baseline
• Run a new scan to see your customized tracking report
• Set up periodic recurring scans
• View scan history and export reports

SQL ATP: Threat Detection
(Screenshot: threat detection alert example)
Enable SQL Auditing
• SQL Auditing can be enabled server-wide or for a particular database
• Specify the logging target (storage path) and retention settings
LAB
Securing PaaS deployments
Securing PaaS web and mobile applications using
SQL Database and SQL Data Warehouse
Securing PaaS web and mobile applications using
Azure App Services
SQL Information Protection
Appendix: Azure App Service Web Security Risks

Azure App Service
• PaaS offering that lets you create web and mobile apps for any platform or device and connect to data anywhere
• Includes new capabilities for automating business processes and hosting cloud APIs

https://docs.microsoft.com/en-us/azure/
Azure App Service
Microsoft Azure Platform as a Service (PaaS) services intended to facilitate web services deployment in the Cloud.

• Web Apps feature of Azure App Service: enables developers to easily deploy and scale enterprise-grade web applications written in a variety of languages and integrated with a multitude of services, without ever worrying about infrastructure management.
• Mobile Apps feature of Azure App Service: makes it convenient to add login, push, and data sync to your iOS, Android, or Windows app, to scale globally, and to connect your app to enterprise systems and on-premises resources.
• API Apps feature of Azure App Service: the trial experience of the API Apps feature is not here yet, but you can still create API Apps by signing up for a free 30-day trial, which enables the creation of up to 10 apps of any type.
• Logic Apps feature of Azure App Service: allows developers to design workflows that start from a trigger and then execute a series of steps, each invoking an App Service API App while securely taking care of authentication and best practices such as checkpointing and durable execution.
Azure App Service Characteristics
• Apps are isolated from the Internet and from other tenants' Azure resources
• Communication of secrets (such as connection strings) between your app and other Azure resources (such as Azure SQL Database) in a resource group stays within Azure and does not cross any network boundaries. Secrets are always encrypted.
• All communication between your App Service app and external resources, such as Windows PowerShell management, the command-line interface, Azure software development kits (SDKs), REST APIs, and hybrid connections, is encrypted
• 24-hour threat management helps protect App Service resources from malware, distributed denial-of-service (DDoS), man-in-the-middle (MITM), and other threats
• Refer to the Azure Trust Center for detailed infrastructure security measures
App Service Environment
The Premium service plan option of Azure App Service that provides a fully isolated and dedicated environment for securely running Azure App Service apps at high scale, including Web Apps, Mobile Apps, and API Apps.

App Service Environments are ideal for application workloads requiring:
• High scalability
• Isolation and secure network access

https://azure.microsoft.com/en-us/blog/introducing-app-service-environment/
App Service Environment (ASE)
• Isolated runtime environment deployed into a virtual network.
• Layered security architecture providing differing levels of network access for each physical application tier.
• NSGs can be used on subnets containing App Service Environments to restrict access.
• Compute resources assigned to an ASE are dedicated to a customer (not shared across multiple subscriptions).

(Diagram, scenario: Virtual Network 10.0.0.0/16 (10.0.0.0 -> 10.0.255.255). The ASE subnet 10.0.200.0/28 (10.0.200.0 -> 10.0.200.15) hosts the App Service Environment: a front end pool behind a public VIP (private or public front end IP address) terminates SSL for incoming Internet traffic on TCP 443 and load-balances to worker pools 1-3, which run App Service Plans and Web Apps on dedicated compute resources in an availability set. BackEnd Subnet-1 10.0.100.0/24 (10.0.100.0 -> 10.0.100.255) holds a SQL Always On cluster (IaaS VM1 10.0.100.4, IaaS VM2 10.0.100.5) behind an Azure internal load balancer at 10.0.100.10, reached on TCP 1452. BackEnd Subnet-2 10.0.101.0/24 holds a MongoDB replica set (IaaS VM3 10.0.101.4, IaaS VM4 10.0.101.5) reached on TCP 27017. Each subnet carries its own NSG.)
Network Ports Used in an App Service Environment
Before locking down inbound network traffic with an NSG, it is important to know the set of required and optional network ports used by an App Service Environment. Accidentally closing off traffic to some ports can result in loss of functionality in an App Service Environment.

Port | Description | Action
454 | Required port used by Azure infrastructure for managing and maintaining App Service Environments | Do not block traffic to this port
455 | Required port used by Azure infrastructure for managing and maintaining App Service Environments | Do not block traffic to this port
80 | Default port for inbound HTTP traffic to apps running in App Service Plans in an App Service Environment | -
443 | Default port for inbound SSL traffic to apps running in App Service Plans in an App Service Environment | -
21 | Control channel for FTP | This port can be safely blocked if FTP is not being used
10001-10020 | Data channels for FTP | As with the control channel, these ports can be safely blocked if FTP is not being used
4016 | Used for remote debugging with Visual Studio 2012 | This port can be safely blocked if the feature is not being used
4018 | Used for remote debugging with Visual Studio 2013 | This port can be safely blocked if the feature is not being used
4020 | Used for remote debugging with Visual Studio 2015 | This port can be safely blocked if the feature is not being used

App Service Environment Outbound Network Addresses
When an App Service Environment makes outbound calls, an IP address is always associated with the outbound calls. The specific IP address that is used depends on whether the endpoint being called is located within the virtual network topology or outside of it.

If the endpoint being called is outside of the virtual network topology, then the outbound address (also called the outbound NAT address) that is used is the public VIP of the App Service Environment.

This address can be found in the portal user interface for the App Service Environment, in the Properties blade.
ASE Outbound connectivity requirements
There are network connectivity requirements for App Service Environments that may not be initially met in a virtual network connected to an ExpressRoute circuit. App Service Environments require all of the following in order to function properly:

Azure Storage endpoints
o Outbound network connectivity to Azure Storage endpoints worldwide on both ports 80 and 443. This includes endpoints located in the same region as the App Service Environment, as well as storage endpoints located in other Azure regions. Azure Storage endpoints resolve under the following DNS domains: table.core.windows.net, blob.core.windows.net, queue.core.windows.net and file.core.windows.net.
o Outbound network connectivity to the Azure Files service on port 445.

SQL DB endpoints
o Outbound network connectivity to SQL DB endpoints located in the same region as the App Service Environment. SQL DB endpoints resolve under the following domain: database.windows.net. This requires opening access to ports 1433, 11000-11999 and 14000-14999. For more details see the article on SQL Database V12 port usage.

Azure management plane endpoints
o Outbound network connectivity to the Azure management plane endpoints (both ASM and ARM endpoints). This includes outbound connectivity to both management.core.windows.net and management.azure.com.
o Outbound network connectivity to ocsp.msocsp.com, mscrl.microsoft.com and crl.microsoft.com. This is needed to support SSL functionality (certificate revocation checking).

DNS configuration
The DNS configuration for the virtual network must be capable of resolving all of the endpoints and domains mentioned in the earlier points. If these endpoints cannot be resolved, App Service Environment creation attempts will fail, and existing App Service Environments will be marked as unhealthy.
o Outbound access on port 53 is required for communication with DNS servers.
o If a custom DNS server exists on the other end of a VPN gateway, the DNS server must be reachable from the subnet containing the App Service Environment.

Note: The outbound network path cannot travel through internal corporate proxies, nor can it be force tunneled to on-premises. Doing so changes the effective NAT address of outbound network traffic from the App Service Environment. Changing the NAT address of an App Service Environment's outbound network traffic will cause connectivity failures to many of the endpoints listed above. This results in failed App Service Environment creation attempts, as well as previously healthy App Service Environments being marked as unhealthy.
IP and Domain Restrictions
Control the set of IP addresses and address ranges that are either allowed or denied access to the website, through the web.config file located in the website.

Access can be restricted by using the <ipSecurity> element and providing a list of IP addresses to allow.

*The full documentation on the <ipSecurity> element is available in the IIS Configuration Reference.
Dynamic IP Address Restrictions (DIPR)
The DIPR feature provides two main protections for developers:
• Blocking of IP addresses based on the number of concurrent requests
• Blocking of IP addresses based on the number of requests over a period of time

Developers can additionally configure DIPR behavior, such as the HTTP status code sent back on blocked requests.

In Azure Web Apps, a developer configures DIPR using configuration sections added to the web.config file located in the root folder of the website.
TLS Mutual Authentication for Web App
You can restrict access to your Azure web app by enabling different types of authentication for it.
One way to do so is to authenticate using a client certificate when the request is over TLS/SSL. This mechanism is called TLS mutual authentication or client certificate authentication.

To set up your web app you need to add the clientCertEnabled site setting for your web app and set it to true.

This setting is not currently available through the Azure Portal; the REST API will need to be used to accomplish this.
You can use the ARMClient tool to make it easy to craft the REST API call. After you log in with the tool, issue the following command, replacing everything in {} with information for your web app:

  ARMClient PUT subscriptions/{Subscription Id}/resourcegroups/{Resource Group Name}/providers/Microsoft.Web/sites/{Website Name}?api-version=2015-04-01 @enableclientcert.json -verbose

and create a file called enableclientcert.json with the following JSON content:

  {
    "location": "My Web App Location",
    "properties": {
      "clientCertEnabled": true
    }
  }

Note that this setting only makes the App Service front end require that a client certificate be presented. The certificate is forwarded to your application in the X-ARR-ClientCert request header (base64-encoded DER), and your code must still validate it (issuer, thumbprint or subject, validity period) before trusting the caller.
SSL Offloading with Azure Application Gateway
Microsoft Azure Application Gateway provides an Azure-managed HTTP load-balancing solution based on layer-7 load balancing.

Application load balancing lets you create routing rules for network traffic based on HTTP. The Application Gateway service is highly available and metered.

Azure Application Gateway currently supports layer-7 application delivery for the following:
• HTTP load balancing
• Cookie-based session affinity
• Secure Sockets Layer (SSL) offload
• URL-based content routing
Checking IIS Logs
IIS logs record HTTP POST requests (method, URL, query string, client IP, status code), but the POST body is not stored in IIS logs, so submitted form fields or credentials cannot be recovered from them.
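To show what both IP-restriction mechanisms above look like against real traffic, and what an IIS log does and does not tell you, here is an added Python example (not part of the original module and not IIS code). It parses constructed W3C-format IIS log lines, applies an <ipSecurity>-style allow-list and a DIPR-style request-rate threshold, and counts failed logins per client without ever needing the POST body. The field list, addresses, paths and thresholds are all constructed.

```python
"""Offline replay of two IIS access controls over W3C log lines:
an <ipSecurity> allow-list and a DIPR request-rate threshold.
Constructed example; log lines, addresses and thresholds are invented."""
import ipaddress
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed W3C extended log excerpt (no POST bodies are ever recorded).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status time-taken
2017-02-10 10:00:00 10.0.0.4 GET /index.html - 443 203.0.113.9 200 15
2017-02-10 10:00:01 10.0.0.4 POST /api/login - 443 198.51.100.7 401 40
2017-02-10 10:00:01 10.0.0.4 POST /api/login - 443 198.51.100.7 401 38
2017-02-10 10:00:02 10.0.0.4 POST /api/login - 443 198.51.100.7 401 41
2017-02-10 10:00:02 10.0.0.4 POST /api/login - 443 198.51.100.7 401 39
2017-02-10 10:00:03 10.0.0.4 POST /api/login - 443 198.51.100.7 401 37
2017-02-10 10:00:03 10.0.0.4 POST /api/login - 443 198.51.100.7 200 45
2017-02-10 10:00:30 10.0.0.4 POST /api/orders - 443 10.210.0.5 201 60
"""


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        entry = dict(zip(fields, line.split()))
        entry["timestamp"] = datetime.strptime(
            entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        yield entry


def static_ip_denied(entries, allowed_cidrs, allow_unlisted=False):
    """Client IPs that <ipSecurity allowUnlisted=...> with the given allow
    entries would reject (IIS answers those with 403.6)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    denied = set()
    for e in entries:
        ip = ipaddress.ip_address(e["c-ip"])
        if not any(ip in n for n in nets) and not allow_unlisted:
            denied.add(str(ip))
    return sorted(denied)


def rate_offenders(entries, max_requests, window_seconds):
    """Client IPs exceeding max_requests in any sliding window of
    window_seconds, the condition DIPR's denyByRequestRate enforces."""
    recent = defaultdict(deque)
    offenders = set()
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        ip, t = e["c-ip"], e["timestamp"]
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            offenders.add(ip)
    return sorted(offenders)


def failed_logins_by_ip(entries, login_path="/api/login"):
    """What the log does show for a credential-stuffing run: method, path
    and status per client, even though the submitted credentials are not."""
    return dict(Counter(
        e["c-ip"] for e in entries
        if e["cs-method"] == "POST" and e["cs-uri-stem"] == login_path
        and e["sc-status"] == "401"))


if __name__ == "__main__":
    entries = list(parse_iis_log(SAMPLE_LOG))
    print("denied by allow-list:", static_ip_denied(entries, ["10.210.0.0/26"]))
    print("rate offenders:", rate_offenders(entries, max_requests=5, window_seconds=10))
    print("failed logins:", failed_logins_by_ip(entries))
```

The sample shows the practical split: the allow-list is the right tool when only a known gateway subnet should reach the app, the rate threshold is what catches the burst of 401s from one client, and neither the log nor DIPR sees the password that was guessed.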

Azure Application Gateway
Application Delivery Controller (ADC) as a service, providing layer 7 load balancing. Hosted by a set of PaaS instances that use ARR (Application Request Routing) to route the traffic to the backend VMs.

"Standard" tier:
• Application Request Routing
• Rule based routing
• Load balancing of HTTP server requests
• Web application scalability

"WAF" tier (preview):
• ModSecurity WAF
• Protection against OWASP Top 10 vulnerabilities (https://www.owasp.org)
Azure Application Gateway Overview
(Diagrams)
• Public Azure Application Gateway: Internet clients reach a public IP address / public DNS name on the external load balancer over TCP 443; the load balancer spreads connections across AAG nodes 1..x, which forward over TCP 443 to back ends addressed by private or public IP address or DNS name.
• Private Azure Application Gateway: the same layout, but the entry point is a private IP address / private DNS name on an internal load balancer, so only clients on the virtual network or connected networks can reach it.
• SSL offload: HTTPS (TCP 443) from the Internet is terminated on the AAG nodes and forwarded to the back end unencrypted as HTTP on TCP 80.
• Re-encrypt: HTTPS (TCP 443) is terminated on the AAG nodes, inspected there, and re-encrypted as HTTPS on TCP 443 to the back end.
Azure Application Gateway WAF Overview
Application Gateway pre-configured with ModSecurity and the OWASP Core Rule Set.

https://github.com/SpiderLabs/owasp-modsecurity-crs
Protecting Multiple Sites with multi-site routing
Site routing based on host header.

(Diagram) Public DNS servers resolve both webapp01.contoso.com and webapp02.fabrikam.com to the gateway's public IP address 52.169.212.246; Azure DNS or custom (VNET/NIC) DNS servers resolve webapp01.contoso.com to 10.5.1.8 and webapp02.fabrikam.com to 10.6.1.8 (A records). Internet clients connect on TCP 443 to the external load balancer in front of AAG nodes 1..x. Outbound private connectivity to the back ends goes through VNET routing (VNET peering, S2S VPN, ExpressRoute); outbound public connectivity uses the gateway's primary public IP address (52.169.212.246).

Multi-site listener + basic rule (HTTP Host header based routing):
https://webapp01.contoso.com -> BackEndPool01 (webapp01.contoso.com)
https://webapp02.fabrikam.com -> BackEndPool02 (webapp02.fabrikam.com)
Protecting Multiple Sites with URL path based routing
Site routing based on URL path

Public DNS Servers: webapp.contoso.com = 52.169.212.246
Azure DNS or Custom (VNET/NIC) DNS Servers: webapp01.contoso.com = 10.5.1.8 (A), webapp02.fabrikam.com = 10.6.1.8 (A)

[Diagram: Internet clients ask "Who is webapp.contoso.com?" and resolve it to the gateway's public IP address (52.169.212.246). Requests for https://webapp.contoso.com/App1 and https://webapp.contoso.com/App2 arrive over HTTPS (TCP 443) at the external load balancer in front of AAG Node 1 to AAG Node x, which forwards over TCP 443 by URL path to BackEndPool01 (webapp01.contoso.com, 10.5.1.8) or BackEndPool02 (webapp02.fabrikam.com).]

Path based routing:
• https://webapp.contoso.com/App1/ -> Default Backend Pool: BackEndPool01 (webapp01.contoso.com)
• https://webapp.contoso.com/App2/ -> Backend Pool 02: BackEndPool02 (webapp02.fabrikam.com)

*The website SSL certificate and HTTPS listener must be configured to accept inbound requests for https://webapp.contoso.com/App1 and https://webapp.contoso.com/App2.
*URL rewrite is not yet supported at this time (Feb17).


https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway-portal

https://github.com/Azure/azure-quickstart-templates/tree/master/101-application-gateway-create

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway-arm
Application Gateway deployed in its own VNET.

VNETAAG 10.210.0.0/24
• Subnet1-AAG01 10.210.0.0/26: Azure Application Gateway (Node 1 to Node 4) behind an external load balancer, public IP address 40.114.252.13

VNETWeb01 10.10.0.0/16
• Subnet-ASE01 10.10.0.0/24: Application Service Environment with internal load balancer (ASE ILB 10.10.1.50) hosting WebApp 01
• Subnet-DB02 10.10.1.0/24: DBVM01 10.10.1.4, DBVM02 10.10.1.5

[Diagram: Internet -> public IP address 40.114.252.13 -> external load balancer -> AAG nodes -> TCP 443 over VNET peering / S2S VPN -> ASE ILB -> WebApp 01. Inbound rule on the ASE side: Allow HTTPS IN from 10.210.0.0/26 (the Application Gateway subnet).]

[Diagram, simplified view: Internet -> public IP address -> external load balancer -> AAG Node 1 / AAG Node 2 -> TCP 443 -> Application Service Environment (ASE ILB) -> WebApp 01.]
Application Gateway components: Front-end IP configuration (1) -> Listener (2) -> HTTP Settings (3) -> Back-end Pool (4) = Rule (5)

• Back-end Address Pool: the list of IP/FQDN addresses of the back-end servers; they may belong to the virtual network subnet or be a public IP/VIP.
• HTTP Settings: settings such as port, protocol and cookie-based affinity for the back-end pool; they apply to all back-end servers within the pool.
• Front-end IP Configuration: the front-end IP/DNS name of the Application Gateway.
• Listener: consists of the front-end port, protocol, the SSL certificate name (for SSL offload) and a rule to steer the traffic to the back end.
• Rule: when an Application Gateway URL is browsed, the corresponding listener is invoked and follows the routing logic defined by the rule. The rule binds the listener, the back-end pool and the HTTP settings to route the incoming traffic based on the path being browsed.
• Probe: checks the liveness/availability of the back-end VMs in the back-end pool.
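The following is an added example, not code from the course deck or from Azure itself: it models the listener -> rule -> back-end pool resolution described above, combining the multi-site (Host header) and URL path based routing slides into one constructed configuration. Listener names and the combined layout are assumptions; host names and back-end addresses are the ones from the slides.

```python
"""Added example (not from the course deck): resolve which back-end pool an
Application Gateway would pick, using the listener/rule model from the slides."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

@dataclass
class Listener:
    name: str
    host: Optional[str]  # None = basic listener (matches any Host header)

@dataclass
class Rule:
    listener: str
    default_pool: str
    path_map: Dict[str, str] = field(default_factory=dict)  # URL path prefix -> pool

# Constructed configuration combining both routing slides; listener names are hypothetical
LISTENERS = [
    Listener("lst-webapp01", "webapp01.contoso.com"),
    Listener("lst-webapp02", "webapp02.fabrikam.com"),
    Listener("lst-webapp", "webapp.contoso.com"),
]
RULES = [
    Rule("lst-webapp01", "BackEndPool01"),
    Rule("lst-webapp02", "BackEndPool02"),
    Rule("lst-webapp", "BackEndPool01", {"/App1/": "BackEndPool01", "/App2/": "BackEndPool02"}),
]
POOLS = {"BackEndPool01": ["10.5.1.8"], "BackEndPool02": ["10.6.1.8"]}

def resolve(url: str, host_header: Optional[str] = None) -> Optional[Tuple[str, List[str]]]:
    """Return (pool name, back-end addresses), or None when no listener accepts the Host."""
    parts = urlsplit(url)
    # Multi-site routing keys off the HTTP Host header, not the IP the client connected to
    host = (host_header or parts.hostname or "").split(":")[0].lower()
    listener = next((l for l in LISTENERS if l.host == host), None)
    if listener is None:  # fall back to a basic listener, if one is configured
        listener = next((l for l in LISTENERS if l.host is None), None)
    if listener is None:
        return None  # the gateway has no listener for this Host header
    rule = next(r for r in RULES if r.listener == listener.name)
    path = parts.path or "/"
    # Longest matching path prefix wins; otherwise the rule's default back-end pool
    for prefix in sorted(rule.path_map, key=len, reverse=True):
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return rule.path_map[prefix], POOLS[rule.path_map[prefix]]
    return rule.default_pool, POOLS[rule.default_pool]
```

Note that a request for an unknown Host header returns None: without a basic listener the gateway has nowhere to send it, which is why the slides require every site's certificate and listener to be configured explicitly.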
Appendix: Logging and Monitoring

Enable Diagnostics Logging for the Web Apps Feature in Azure App Service
Azure provides built-in web server diagnostics and application diagnostics that you can enable to assist with debugging a web app.

Web server diagnostics

• Detailed Error Logging: detailed error information for HTTP status codes that indicate a failure (status code 400 or greater).
• Failed Request Tracing: detailed information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component.
• Web Server Logging: information about HTTP transactions using the W3C extended log file format.
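As an added example (not part of the course deck), the parser below reads web server log text in the W3C extended log file format and picks out the requests that Detailed Error Logging would capture, i.e. status code 400 or greater. The log lines are constructed for illustration, not captured from a real site.

```python
"""Added example (not from the course deck): parse W3C extended log lines as
written by Web Server Logging and pick out the failed requests (status >= 400)."""
from collections import Counter
from typing import Dict, List

# Constructed sample log (not from a real site); W3C encodes spaces inside a value as '+'
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus time-taken
2017-02-01 10:00:01 GET /index.html - 443 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 200 0 31
2017-02-01 10:00:02 GET /admin/config.php - 443 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 404 0 5
2017-02-01 10:00:03 POST /api/login - 443 198.51.100.7 curl/7.52.1 401 0 12
2017-02-01 10:00:04 GET /App1/ id=7 443 203.0.113.9 Mozilla/5.0+(X11;+Linux) 500 0 812
"""

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):  # directives such as #Software, #Version, #Date, #Fields
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        # Undo the '+' space encoding so values such as the User-Agent read naturally
        rows.append({k: v.replace("+", " ") for k, v in zip(fields, values)})
    return rows

def failed_requests(rows: List[Dict[str, str]], threshold: int = 400) -> List[Dict[str, str]]:
    """Requests Detailed Error Logging would capture: status code 400 or greater."""
    return [r for r in rows if int(r["sc-status"]) >= threshold]

def failures_by_client(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count failed requests per client IP; a rising count is an early signal worth alerting on."""
    return dict(Counter(r["c-ip"] for r in failed_requests(rows)))
```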

Enable Diagnostics Logging for the Web Apps Feature in Azure App Service (cont.)
Application diagnostics
Application diagnostics allows you to capture the information produced by a web application. ASP.NET applications can use the System.Diagnostics.Trace class to log information to the application diagnostics log. For example:

System.Diagnostics.Trace.TraceError("If you're seeing this, something bad happened");

At runtime, you can retrieve these logs to help with troubleshooting.

The Web Apps feature in Azure App Service also logs deployment information when you publish content to a web app. This happens automatically, and there are no configuration settings for deployment logging.

How to enable diagnostics

Note: unlike changing the web.config file, enabling application diagnostics or changing diagnostic log levels does not recycle the app domain that the application runs within.

Download and Stream logs
Diagnostic information stored to the web app file system can be accessed directly by using FTP. It can also be downloaded as a Zip archive by using Azure PowerShell or the Azure Command-Line Interface.

To stream logging information, start a new instance of Azure PowerShell, and use the following command:

• Get-AzureWebSiteLog -Name webappname -Tail

To filter specific events, such as errors, use the -Message parameter.


For example:

• Get-AzureWebSiteLog -Name webappname -Tail -Message Error

To filter specific log types, such as HTTP, use the -Path parameter.
For example:

• Get-AzureWebSiteLog -Name webappname -Tail -Path http

To see a list of available paths, use the -ListPath parameter.

Microsoft Visual Studio Application Insights
View logs in Microsoft Visual Studio Application Insights

Application Insights provides tools for filtering and searching logs, and for correlating the logs with requests and other events.

1. Add the Application Insights SDK to your project in Visual Studio. In Solution Explorer, right-click your project, and then choose Add Application Insights. You will be guided through the steps, which include creating an Application Insights resource.

2. Add the Trace Listener package to your project. Right-click your project and choose Manage NuGet Packages. Select Microsoft.ApplicationInsights.TraceListener.

3. Upload your project and run it to generate log data.

4. In the Azure Portal, browse to your new Application Insights resource, and open Search. You will see your log data, along with request, usage, and other telemetry. Some telemetry might take a few minutes to arrive; click Refresh to learn more.

Application Gateway Access Log

Application Gateway Performance Log

Application Gateway Firewall Log
