Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

[Azure] Deploy an Application Gateway to protect your Web Apps

  • September 26, 2019
  • 8 min read
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.


Microsoft Azure
If you want to migrate IIS / Apache servers to Azure, and expose the sites publicly, you will need to protect these sites, as you do On-Premises. To do this, Microsoft has provided a PaaS service, the Application Gateway, which allows load-balancing traffic on the 80 and 443 web ports directly to one or more servers. Based on an URL, which will point to the public IP of the App Gateway, the listener that will be configured, will redirect the traffic, according to a defined rule, to a VM, an On-Premises server or a VMSS:

Migrate IIS / Apache servers to Azure

This service can also act as a Web Application Firewall (WAF) to protect against attacks, but also SSL Offloading, to only provide traffic on port 443, with an SSL certificate, and then, redirect internal traffic to another port, for example 8081.

Web Application Firewall (WAF)

The advantage of this solution is that it is easy to set up and easy to manage. You will find all the necessary information for the App Gateway here: https://docs.microsoft.com/en-us/azure/application-gateway/overview

Here, we’ll just deploy an App Gateway + WAF. In the following article, we will see the configuration of the App gateway/WAF. I have already deployed an IIS server, which listens on port 8081, in HTTP:

IIS server

In the Azure portal, look for Application Gateway in the services, and create a new App Gateway. Here, I will choose the tier WAF V2 because it presents the fact of applying the changes much faster than the v1, among others. I disable here the auto scaling, and I choose 2 nodes, which is the minimum. Then choose a virtual network where your App Gateway will be linked:

WAF V2

Then you need to create an IP public if the site needs to be publicly exposed, but you can also use a private IP:

Create an IP public

Then create your first Backend pool which will contain one or more servers where the website is hosted:

Create your first Backend pool

Then you have to add a routing rule. Give him a name (I usually give the name of the site that will be used by this rule). In this rule, there will be a listener, on port 443 in HTTPS, with a certificate (PFX mandatory), of type multi-site:

Add a routing rule

In the Backend target part, I created a new HTTP setting, to port 8081, in HTTP. It will be this port that will discuss with the website:

HTTP setting

Finally, to finish, choose the backend you created before and the HTTP Setting created just before:

Choose the backend you created

You now have everything you need to get through the deployment:

Create an application gateweay

You can deploy your App Gateway/WAF:

Deploy your App Gateway/WAF

To summarize, here are the important elements here:

  • Backend pool: contains one or more servers, on the same VNet as the App Gateway, to an On-Premises IP, etc.
  • HTTP Settings: set how to chat with the site that is backend
  • Listeners: this is where we will tell which URL we are listening to, as well as the port and the certificate, if there is one
  • Rules: the rule allows to orchestrate everything, taking the listener’s traffic, associating it with an HTTP setting, and pointing it to a backend pool
  • Health probe (optional): allows to test if a site, in a backend pool, is functional or not and if it is therefore a candidate to display the requested site

The App Gateway is deployed and configured. I created my record azure.florentappointaire.cloud in my DNS, pointing it to the public IP of the WAF.

The App Gateway is deployed and configured

If I am now browsing https://azure.florentappointaire.cloud I should be redirected to my IIS server:

IIS server

Here, I am in HTTPS, while my site is configured in HTTP. Note that if you have NSGs that are applied to your subnets / network cards, you will have to open port 8081 for example in the NSG of the IIS server and 443 in the one of the App Gateway.

You can also test the security of your WAF, using the Microsoft Security Risk Detection tool: https://www.microsoft.com/en-us/security-risk-detection/

If you have any questions, do not hesitate to contact me 🙂

Hey! Found Florent’s article helpful? Looking to deploy a new, easy-to-manage, and cost-effective hyperconverged infrastructure?
Alex Bykovskyi
Alex Bykovskyi StarWind Virtual HCI Appliance Product Manager
Well, we can help you with this one! Building a new hyperconverged environment is a breeze with StarWind Virtual HCI Appliance (VHCA). It’s a complete hyperconverged infrastructure solution that combines hypervisor (vSphere, Hyper-V, Proxmox, or our custom version of KVM), software-defined storage (StarWind VSAN), and streamlined management tools. Interested in diving deeper into VHCA’s capabilities and features? Book your StarWind Virtual HCI Appliance demo today!