Put App Service behind Fortiweb WAF

Muzammil AbdulKareem 21 Reputation points
2022-10-04T17:46:25.183+00:00

I have a WordPress App Service created from the Azure Marketplace. I am using the default domain, which is myapp.azurewebsites.net.

I want to put this App Service behind Fortiweb WAF.

Is it possible!? Do I need a custom domain!?

Please advise.

Regards

Azure App Service

3 answers

  1. Takahito Iwasa 4,841 Reputation points MVP
    2022-10-04T22:12:35.33+00:00

    Hi, @Muzammil AbdulKareem

    I think you can.

    Below is the FortiWeb for Azure documentation.
    FortiWeb works in Reverse Proxy mode when using FortiWeb-VM for Azure.

    https://docs.fortinet.com/document/fortiweb-public-cloud/6.4.0/about-fortiweb-for-azure/129542/architecture

    So, I think that you can use it if you specify the transfer destination from FortiWeb to App Service.

    In addition, App Service can be restricted to access only from a private VNet by using Private Endpoint.

    https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint

    Whether a Custom Domain is required depends on how FortiWeb forwards the Host header.


  2. ajkuma 22,396 Reputation points Microsoft Employee
    2022-10-06T20:11:23.353+00:00

    MuzammilAK-7543, as TakahitoIwasa mentioned, it depends on the Host header, and the Fortinet document that was shared may provide some pointers.

    In typical scenarios, just to highlight how it works with Application Gateway:

    Case 1: default domain (".azurewebsites")
    When App Service does not have a custom domain associated with it, the host header on the incoming request on the web application will need to be set to the default domain, suffixed with ".azurewebsites.net" or else the platform will not be able to properly route the request.

    The host header in the original request received by the Application Gateway will be different from the host name of the backend App Service.

    Case 2: In this case, you are required to have a custom domain (and associated certificate) available to avoid having to rely on the default ".azurewebsites" domain.
    By associating the same domain name to both Application Gateway and App Service in the backend pool, the request flow does not need to override the host name. The backend web application will see the original host as was used by the client.

    Kindly check this doc for additional info: Zero to Hero with App Service, Part 6: Securing your web app
    Configure App Service with Application Gateway


  3. MaximM 6 Reputation points
    2022-10-06T20:47:31.277+00:00

    I don't have experience with FortiWeb, but here's how it may work with something like pfSense, for example. This should be applicable to FortiWeb.

    • Fortiweb and app service both connected to subnets within the same vnet, or peered vnets. This is your Trusted Zone. App service is connected using private endpoint and gets an IP on the subnet within the vNet.
    • A Custom domain record for your users to resolve the site to the 'Public' IP of the Fortiweb. You cannot use the myapp.azurewebsites.net domain name here, that always points to your app service and is meant to be transient (MS might change the underlying IP at any time).
    • Reverse Proxy rules on the FortiWeb to publish the IP address of the app service.
    • The Fortinet should be configurable to use the myapp.azurewebsites.net host header when proxying connections to the app service.
    • Alternatively add the custom domain record to your app service as well, and have the fortiweb resolve it that way (note that you'd have two records here, your public one for your users would resolve to the fortiweb public IP, while your 'private' one for your trusted zone would be for the Fortinet to resolve the app service IP that was provided by the private endpoint)

    In theory this should get you there!

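The Host header dependence described in the answers above can be checked before the WAF policy is changed. The following is an added example, not code from the thread or from any vendor: `probe` requests a backend IP with a chosen Host header, and a local stand-in replaces the real App Service so the script runs offline. The stand-in's 404 for unbound hostnames is an assumption, and `www.example.com` is a constructed placeholder for the custom domain.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_HOST = "myapp.azurewebsites.net"  # default domain from the question
PUBLIC_HOST = "www.example.com"  # constructed placeholder for the custom domain


def probe(ip, port, host, timeout=5):
    """GET / from ip:port over plain HTTP with an explicit Host header; return status."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.putrequest("GET", "/", skip_host=True)  # suppress the automatic Host
        conn.putheader("Host", host)
        conn.endheaders()
        return conn.getresponse().status
    finally:
        conn.close()


def start_stand_in(bound_hostnames):
    """Local stand-in for the backend. Assumption: unbound Host values get a 404."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = (self.headers.get("Host") or "").split(":")[0].lower()
            self.send_response(200 if host in bound_hostnames else 404)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def host_header_plan(bound_hostnames):
    """Report which of the two forwarding choices the backend would accept."""
    server = start_stand_in({h.lower() for h in bound_hostnames})
    ip, port = server.server_address
    try:
        return {"override_to_default": probe(ip, port, DEFAULT_HOST) == 200,
                "preserve_public": probe(ip, port, PUBLIC_HOST) == 200}
    finally:
        server.shutdown()
        server.server_close()
```

Against a real deployment, run `probe` from a host in the same subnet as the WAF, pointing it at the App Service private endpoint IP.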