Protecting a webapp within a Standard App Service plan, using a virtual firewall appliance, rather than an Application Gateway

Rhett Blach 46 Reputation points
2020-08-13T22:15:27.957+00:00

We have a webapp (a REST API service) that is sitting in a S1 App Service plan. We are protecting the webapp with a WAF policy assigned to a listener on an Application Gateway v2. The WAF policy only protects this one webapp.

We have run into a problem with the way our REST service is passing data within its HTML call. The error is "413 Request Entity Too Large" that is being passed back from the Application Gateway. During investigation, we have found out that the problem resides in the "max request body size" limit in the WAF (link explaining restrictions: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration). Apparently this limit has caused many other people problems as well, as there are 585 votes for a feature improvement to allow this configuration to be greater than 128 KB (link: https://feedback.azure.com/forums/217313-networking/suggestions/33557275-azure-application-gateway-waf-mode-increase-limit).

We can "fix" this problem by turning off the request body inspection, which would disable this feature on this WAF. This is a security concern however, and we want to avoid this.

One of the solutions we are thinking about is to build a virtual firewall appliance from a vendor, and use this appliance to protect this individual webapp. The thinking is that we could find a vendor that allowed us to set the max body size to a higher limit. Assuming we can find a vendor that allows this, is it even possible in Azure? We would need a public IP assigned to this firewall appliance, and we would have to somehow route connectivity from the S1 App Service to this firewall appliance. I know the S1 VNet connectivity is limited, and this firewall appliance would obviously have to exist in a VNet. Would we have to go to an ASE in order for this to work, or could we connect a VNet to the S1 somehow?


Accepted answer
  1. Ryan Hill 25,476 Reputation points Microsoft Employee
    2020-08-17T14:59:01.487+00:00

    Hi @RhettBlach-2169,

    "Assuming we can find a vendor that allows this, is it even possible in Azure?"

    Yes it is.

    "We would need a public IP assigned to this firewall appliance, and we would have to somehow route connectivity from the S1 App Service to this firewall appliance. I know the S1 VNet connectivity is limited, and this firewall appliance would obviously have to exist in a VNet. Would we have to go to an ASE in order for this to work, or could we connect a VNet to the S1 somehow?"

    The S1 app service plan doesn't affect the usage of a VNet. You could go with an ASE if you wanted to keep the traffic to your services isolated. I don't believe it's necessary for this case though. You can create your firewall appliance and VNet at the same time and associate your app service to the VNet afterwards.


1 additional answer

  1. Rhett Blach 46 Reputation points
    2020-08-26T15:05:41.213+00:00

    Thanks for the further comment. Yes, I have looked into the VNet to App Service integration as specified here (https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#enable-vnet-integration)

    But it appears that the integration only allows outbound calls from the App Service to the VNet, and not inbound calls. Here is a quote from the above link:

    "VNet Integration gives your app access to resources in your VNet, but it doesn't grant inbound private access to your app from the VNet. Private site access refers to making an app accessible only from a private network, such as from within an Azure virtual network. VNet Integration is used only to make outbound calls from your app into your VNet. The VNet Integration feature behaves differently when it's used with VNet in the same region and with VNet in other regions. The VNet Integration feature has two variations"

    In our scenario, we are wanting to build a virtual firewall appliance from a vendor, place it in the VNet, and use this appliance to protect this individual webapp. That would require inbound traffic from the internet -> VNet (w/ FW appliance) -> App Service. This inbound access doesn't appear possible, but maybe I am misunderstanding.

    1 person found this answer helpful.