How to force traffic to an Azure web app to go through a WAF Gateway?

Ijaz M 206 Reputation points
2022-12-03T06:37:39.897+00:00

I have an App Service as the backend of a WAF App Gateway on Azure. Apparently, the Request metric for the App Service shows much much larger values than the Total Requests metric for the WAF Gateway. Does this indicate that there is a leakage of traffic?

Do I need to do any DNS stuff with the DNS name of the public IP associated with the WAF. Note that there is a custom domain for the backend App Service. Or do I need to add the front IP of the gateway to the allow list of any network rule of the App Service's network restriction?

Thanks in advance.


2 answers

  1. Yannic Graber 586 Reputation points MVP
    2022-12-03T11:40:28.243+00:00

    Hello @Ijaz M

    With the statements you make, it is not clear to me how the App Service itself is configured exactly. Since there seems to be a significant difference in the metrics between WAF and App Service, I assume that there are multiple entry points.

    To get all the traffic through the WAF, I suggest making the App Service private and using a private endpoint / private link.

    1. Make your App Service private
    2. Configure Private Endpoint / private link
    3. Configure your WAF to point to the App Service Private Endpoint
    4. Make sure there are no other entry points into your private network, from where you can access the Private Endpoint of your App Service

    The following overview by Microsoft shows this configuration pretty well and is explained in this link on Microsoft Learn.
    [Image: private endpoint with Application Gateway overview (266807-private-endpoint-appgw.png)]

    If this answer is helpful, please accept it as the answer and upvote as a token of appreciation.
    Otherwise, please do not hesitate to add some more details.
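
The four steps above, carried out with Az PowerShell, as an added example that is not part of the answer or of any Microsoft sample. All resource names are placeholders; the VNet, the private-endpoint subnet and the WAF gateway are assumed to exist already and Connect-AzAccount to have been run.

```powershell
# Added example: put an App Service behind an Application Gateway WAF via a
# private endpoint. Names are placeholders; VNet, subnet and gateway are assumed
# to exist and the session is assumed to be signed in already.
$rg       = "rg-web"
$vnet     = Get-AzVirtualNetwork -Name "vnet-web" -ResourceGroupName $rg
$peSubnet = Get-AzVirtualNetworkSubnetConfig -Name "snet-privateendpoints" -VirtualNetwork $vnet
$webApp   = Get-AzWebApp -ResourceGroupName $rg -Name "app-backend"

# Steps 1 and 2: a private endpoint targeting the App Service ("sites" sub-resource).
$plsConn = New-AzPrivateLinkServiceConnection -Name "plsc-app-backend" `
    -PrivateLinkServiceId $webApp.Id -GroupId "sites"
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-app-backend" `
    -Location $webApp.Location -Subnet $peSubnet -PrivateLinkServiceConnection $plsConn

# Private DNS so that <app>.azurewebsites.net resolves to the private IP from
# inside the VNet. The gateway must sit in this VNet or in one peered to it.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name "privatelink.azurewebsites.net"
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name "link-vnet-web" -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name "privatelink-azurewebsites-net" -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name "default" -PrivateDnsZoneConfig $zoneCfg | Out-Null

# Step 3: a backend pool on the WAF gateway that points at the app's hostname,
# which now resolves to the private endpoint. The matching HTTP settings must
# pick the host name from the backend address (or set a host override), as
# App Service routes on the Host header.
$appGw = Get-AzApplicationGateway -ResourceGroupName $rg -Name "agw-waf"
$appGw = Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $appGw `
    -Name "pool-app-backend" -BackendFqdns $webApp.DefaultHostName
Set-AzApplicationGateway -ApplicationGateway $appGw | Out-Null

# Step 4: confirm no public entry point is left. Print the private IP the
# hostname should resolve to and the app's access-restriction rules; the rule
# list must not contain an allow-all entry, otherwise traffic can still bypass
# the WAF and the metrics gap from the question reappears.
$nic = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
"Private endpoint IP: " + $nic.IpConfigurations[0].PrivateIpAddress
Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $webApp.Name |
    Select-Object -ExpandProperty MainSiteAccessRestrictions
```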


  2. 2022-12-05T13:28:16.657+00:00

    To manage the Azure application gateway on-demand with PowerShell, you first need to install the Az PowerShell module on your computer. This happens by starting Windows PowerShell as an administrator and running the below command.

    Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

    After you’ve installed the Az module, you are ready to run the script below. It will first connect to your Azure subscription, prompting you for credentials. It will then get the application gateway object and check its status. If the application gateway is running and you’ve specified that you want it stopped, the script will stop the gateway. And vice versa, if the application gateway is stopped and you’ve specified that you want it up and running again, the script will start the gateway.

    # Parameters: the subscription, the resource group and name of the gateway,
    # and the desired state ($true = running, $false = stopped).
    param(
        [Parameter(Mandatory)]
        [String]$subscriptionId,
        [Parameter(Mandatory)]
        [String]$resourceGroupName,
        [Parameter(Mandatory)]
        [String]$appGatewayName,
        [Parameter(Mandatory)]
        [Boolean]$enabled
    )

    # Sign in to the subscription and fetch the gateway object, including its
    # current OperationalState ("Running" or "Stopped").
    Connect-AzAccount -Subscription $subscriptionId
    $appGateway = Get-AzApplicationGateway -Name $appGatewayName -ResourceGroupName $resourceGroupName

    # Only act when the current state differs from the requested one.
    if ($enabled -eq $true -and $appGateway.OperationalState -eq "Stopped") {
        Write-Host "Starting the application gateway."
        Start-AzApplicationGateway -ApplicationGateway $appGateway
    }
    if ($enabled -eq $false -and $appGateway.OperationalState -eq "Running") {
        Write-Host "Stopping the application gateway."
        Stop-AzApplicationGateway -ApplicationGateway $appGateway
    }

    To execute the script, you need to provide the Azure subscription ID, the resource group name, the application gateway name, and either $true (to start) or $false (to stop) to change the application gateway state. So, for example, to stop the application gateway, you’d run the following command in Windows PowerShell.

    . "<local script file directory path>.ps1" -subscriptionId "<your subscription ID>" -resourceGroupName "<your resource group name>" -appGatewayName "<your application gateway name>" -enabled $false