Slow application response with AAD Proxy and Application Gateway WAF

Michael Novak 81 Reputation points
2023-05-26T09:20:33.79+00:00

Hello,

We have published an internal IIS application externally through a combination of Azure AD Proxy and Application Gateway WAF (sku1). The connector is on a dedicated VM in another subnet peered to the IIS server subnet. Azure AD Proxy uses "passthrough" authentication mode, and the AG/WAF is set to Prevention mode. The customer is complaining that the application has a very slow response for external users.

When we bypass the App Gateway with WAF completely and just use App Proxy, the app is responsive and there are no lags whatsoever.

This combination was introduced to add additional security to published application access from the Internet.

Is it possible that using this combo introduces unnecessary lag/timeouts into the traffic flow that is causing the slow application response?

Is there a point in / is it secure enough to just use Azure App Proxy with Passthrough Auth?

Thanks for any insights.

Michael

Basically the setup is as illustrated in this picture, except there is no AAD Auth.


Accepted answer
  1. Boris Von Dahle 3,221 Reputation points
    2023-05-27T11:01:03.95+00:00

    Hello,

    While Azure AD Proxy with Passthrough Auth can be a secure setup, it doesn't provide the same level of protection as a Web Application Firewall (WAF). A WAF can help protect your application from common web-based attacks such as SQL injection or cross-site scripting (XSS), which the Azure AD Proxy wouldn't be able to do.

    This seems like a situation where the WAF is producing false positives because it is incorrectly interpreting your application's legitimate database queries as potential SQL Injection attacks. This is a common challenge when implementing WAFs, as they need to be finely tuned to match the behavior and characteristics of the specific applications they are protecting.

    The settings and thresholds of the WAF rules can often be adjusted to reduce the number of false positives. For example, you could potentially lower the sensitivity of the SQL Injection rules, or customize them to better match the patterns of your application's database queries.

    If there are specific patterns or types of requests that are consistently being flagged by the WAF but are known to be safe, you could potentially whitelist these patterns so they are not blocked by the WAF. This should be done cautiously, as overuse of whitelisting can undermine the effectiveness of the WAF.

    If possible, consider revising the application code to make database queries that are less likely to trigger WAF rules. This could involve using parameterized queries or stored procedures, which are less likely to be seen as potential SQL Injection attacks.

    Please note that any changes to your WAF configuration should be made cautiously, as they can potentially expose your application to increased security risks. It's always important to thoroughly test any changes and monitor their impact on both security and application performance.

    Boris

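To tune the rules the way the accepted answer suggests (excluding specific, reviewed patterns rather than switching off the whole SQLi or XSS group, as the asker ended up doing), you first need to know which CRS rule IDs fire on which application paths. The Python below is an added example, not code from this thread or from Microsoft: it reads Application Gateway firewall diagnostic records (field names assumed to follow the ApplicationGatewayFirewallLog schema; all sample values are constructed) and lists rule/URI pairs that fire repeatedly from several clients as candidates for a scoped exclusion.

```python
import json
from collections import Counter, defaultdict

CRS_GROUPS = {"941": "XSS", "942": "SQLi"}  # CRS rule-id prefixes for the groups named in the thread

def make_record(uri, rule_id, action, client="203.0.113.10"):
    """Build one constructed ApplicationGatewayFirewallLog record as a JSON line."""
    return json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "clientIp": client, "requestUri": uri, "ruleSetType": "OWASP",
        "ruleSetVersion": "3.2", "ruleId": rule_id, "action": action}})

# Constructed sample export; every value is made up for illustration.
SAMPLE_LINES = [
    make_record("/api/orders/search", "942100", "Blocked"),
    make_record("/api/orders/search", "942100", "Blocked", "198.51.100.7"),
    make_record("/api/orders/search", "942100", "Blocked", "198.51.100.8"),
    make_record("/api/orders/search", "942190", "Blocked"),
    make_record("/login", "941100", "Blocked", "192.0.2.99"),
    make_record("/login", "942100", "Matched"),
    '{"category":"ApplicationGatewayAccessLog","properties":{"httpStatus":200}}',
]

def parse_firewall_log(lines):
    """Yield the properties of firewall-log records, skipping other categories and junk."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("category") == "ApplicationGatewayFirewallLog":
            yield rec["properties"]

def rule_uri_hits(lines):
    """Count (ruleId, requestUri) pairs the WAF acted on, and which clients hit each pair."""
    counts, clients = Counter(), defaultdict(set)
    for p in parse_firewall_log(lines):
        if p.get("action") in ("Blocked", "Matched", "Detected"):
            key = (p["ruleId"], p["requestUri"])
            counts[key] += 1
            clients[key].add(p.get("clientIp"))
    return counts, clients

def exclusion_candidates(lines, min_hits=3, min_clients=2):
    """Pairs hit repeatedly from several clients: review these for a scoped (rule, path) exclusion."""
    counts, clients = rule_uri_hits(lines)
    return [{"ruleId": r, "group": CRS_GROUPS.get(r[:3], "other"), "requestUri": u,
             "hits": n, "clients": len(clients[(r, u)])}
            for (r, u), n in counts.most_common()
            if n >= min_hits and len(clients[(r, u)]) >= min_clients]
```

Feed it the exported JSON lines of the firewall diagnostic log; running the policy in Detection mode while collecting them records the same matches without blocking users. A candidate in the output is still something to check by hand against the request payload before excluding it.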

1 additional answer

  1. Michael Novak 81 Reputation points
    2023-05-27T11:23:52.5533333+00:00

    Hi Boris,

    Thank you very much for your informative reply. By simplifying the setup, do you mean removing App Proxy completely and just leaving AG and fine-tuning the WAF?

    The client declined the additional security provided by Proxy's AAD auth and requested passthrough because the application itself uses its own login credentials. Nevertheless, I wanted to add more security by putting AG/WAF into the mix and pointing App Proxy to AG's internal frontend IP, but it seems that this introduced additional lag into app performance.

    There is also an OWASP rules issue, as the app does a lot of SQL database requests and calls, and the WAF in Prevention mode blocks all of them as 'SQL injection' and XSS, so I had no other option than disabling those rules.

    Thanks again,

    Michael
