How to protect a backend Web API with WAF (No APIM)

Jag Sandhu 21 Reputation points
2022-01-17T13:18:27.187+00:00

Afternoon,

I have deployed the below MS Sample of a SPA app with an ASP.net backend API:

https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial

The only difference is that I have deployed my static web content to an Azure app rather than a storage account.

I am trying to understand the best way to protect the backend API without the use of APIM (because of the premium SKU cost with VNet Integration). I appreciate that it's secured with OAuth2 tokens from Azure AD, but how would one protect it from DDoS attacks, for example?

Using the sample app above, can anyone give me some pointers please? We would love to use AppGw with WAF where possible. For example, can the frontend SPA app and the web API be added to the backend pools of the AppGw, and have custom domains assigned with a CNAME pointing back to the AppGw?

We want to avoid costly App Service plans with VNet integration and APIM.

Regards,
Jag

Tags: Azure Application Gateway, Azure App Service

Accepted answer
Ryan Hill 25,666 Reputation points Microsoft Employee
2022-01-21T18:55:16.147+00:00

Hi @Jag Sandhu,

You don't need the Premium v2 or higher SKU to get Regional VNet integration. It's available on Standard if your App Service plan is on the newer scale unit; see Limitations for more details. If your plan is Standard and you don't see the option, create a Pv3 plan and scale it back down to Standard. With the regional VNet, you can restrict traffic so that your backend API only receives traffic from your front end. If all you have is a front end and a backend App Service within the same region, I would start there before considering adding AppGw with a WAF. I listed some additional docs:

• Tutorial: Authenticate users E2E - If you don't have anything set up yet, this is a great tutorial to start with. After completing this, just add both App Services to the VNet and restrict traffic to the back end.
• Application Gateway Integration - After completing the tutorial above and integrating your App Services within a VNet, you can add Application Gateway if you choose and configure it to use service endpoints; no need to set up pools unless you intend to use different services.
• DDoS FAQ - If you haven't seen this yet, I encourage you to check it out. Azure services by default are protected by DDoS at an infrastructure level but not at an App Service level. If you do have concerns about DDoS on your service, then adding a DDoS protection service to your AppGw and WAF is something to consider.
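The restriction the accepted answer describes (regional VNet integration for the front end, a Microsoft.Web service endpoint on the subnet, and an access restriction on the backend API that allows only that subnet, optionally plus an Application Gateway subnet), written out as an added Azure CLI script. This is an example added here, not code from the thread or from the linked Microsoft sample; every resource name (resource group, VNet, subnets, app names) is an assumption and can be overridden through the environment. `DRY_RUN=1` prints the `az` commands instead of running them, which is the mode the script is checked in.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): restrict an App Service backend API to
# traffic arriving through a VNet, using the Azure CLI. All resource names are
# assumptions; override them via the environment before running.
RG="${RG:-rg-spa-demo}"
VNET="${VNET:-vnet-spa-demo}"
FE_SUBNET="${FE_SUBNET:-snet-frontend}"   # delegated to Microsoft.Web/serverFarms
APPGW_SUBNET="${APPGW_SUBNET:-}"          # optional: Application Gateway subnet
FRONTEND_APP="${FRONTEND_APP:-spa-demo}"
BACKEND_APP="${BACKEND_APP:-api-spa-demo}"
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print the az commands instead of running them

# run: execute an az command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Regional VNet integration for the front-end app. Needs a plan that
#    supports it (Standard on a newer scale unit, or PremiumV2 and up, as the
#    answer notes) and a subnet delegated to Microsoft.Web/serverFarms.
integrate_frontend() {
  run az webapp vnet-integration add --resource-group "$RG" --name "$FRONTEND_APP" \
    --vnet "$VNET" --subnet "$FE_SUBNET"
}

# 2. Microsoft.Web service endpoint on a subnet, so App Service can identify
#    traffic that originates from it.
enable_web_service_endpoint() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$1" --service-endpoints Microsoft.Web
}

# 3. Allow rule on the backend API for one subnet. Once any Allow rule exists,
#    App Service applies an implicit deny-all, so the public internet is cut off.
#    Arguments: rule name, priority, subnet name.
restrict_backend_to_subnet() {
  run az webapp config access-restriction add --resource-group "$RG" --name "$BACKEND_APP" \
    --rule-name "$1" --action Allow --priority "$2" --vnet-name "$VNET" --subnet "$3"
}

# 4. Check the resulting rule set on the backend.
show_backend_restrictions() {
  run az webapp config access-restriction show --resource-group "$RG" --name "$BACKEND_APP"
}

main() {
  integrate_frontend
  enable_web_service_endpoint "$FE_SUBNET"
  restrict_backend_to_subnet allow-frontend-subnet 100 "$FE_SUBNET"
  if [ -n "$APPGW_SUBNET" ]; then
    # An Application Gateway (with WAF) in the same VNet reaches the API through
    # a service endpoint on its own subnet; no backend-pool changes are needed.
    enable_web_service_endpoint "$APPGW_SUBNET"
    restrict_backend_to_subnet allow-appgw-subnet 110 "$APPGW_SUBNET"
  fi
  show_backend_restrictions
}

# Run only when the Azure CLI is present or when dry-running.
if [ "$DRY_RUN" = "1" ] || command -v az >/dev/null 2>&1; then
  main
fi
```

Preview with `DRY_RUN=1 sh restrict-api.sh`, then run it after `az login`. One caveat worth checking before applying this to the linked sample: the Angular SPA there calls the API with a bearer token from the user's browser, not from the front-end App Service, so an allow-list containing only the front end's integration subnet would block those browser calls. In that topology the browser traffic has to enter through something inside the VNet, which is exactly where the Application Gateway subnet rule (`APPGW_SUBNET`) comes in: put the API behind the gateway and allow only the gateway's subnet. A DDoS Protection plan, if you decide you need one, is a separate paid resource attached to the VNet rather than to the app, so it is not part of this script.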
