If security is a concern, is a web server VM the only option? Azure App Service would minimize your attack surface by removing the OS, and you can attach WAF as a complementary service.
Otherwise, there is Azure Firewall, Web Application Firewall, or Web Application Gateway, available at multiple SKUs.