Securing App Service or Website using FrontDoor or ApplicationGateway (WAF)?

EnterpriseArchitect 5,761 Reputation points
2023-08-10T05:16:39.4733333+00:00

In the Azure platform, I have deployed some websites using the App Service. Most of them are public / customer-facing.

How can I secure those websites from malicious attacks of any form?

Which technology shall I use: Azure Front Door, Azure Application Gateway (WAF), or both at once?

Where available, what will the implementation plan look like?

I would greatly appreciate any help or suggestions you may have.


2 answers

  1. AirGordon 7,145 Reputation points
    2023-08-10T07:20:29.9866667+00:00

    It doesn't serve any purpose to use both services for WAF as it is the same in each. You should pick the one that's best suited to your app.

    I would also suggest that you look at the other features offered by both services to ascertain which other features would be beneficial.

    A key part of this design decision would be whether you are running, or planning to run, your apps in multiple regions. If so, then you'll find Azure Front Door is a better fit, as Application Gateway would need to be created twice (in both regions).


  2. GitaraniSharma-MSFT 49,886 Reputation points Microsoft Employee
    2023-08-10T08:51:42.5833333+00:00

    Hello @EnterpriseArchitect ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how you can secure App services from malicious attacks of any form and should you use Azure Front Door or Azure Application Gateway (WAF) or both at once.

    For a detailed security overview of Azure App Service, you can refer to the docs below:

    https://learn.microsoft.com/en-us/azure/app-service/overview-security

    https://azure.github.io/AppService/2020/08/14/zero_to_hero_pt6.html

    For web workloads, we highly recommend utilizing Azure DDoS protection and a web application firewall to safeguard against emerging DDoS attacks. Another option is to deploy Azure Front Door along with a web application firewall. Azure Front Door offers platform-level protection against network-level DDoS attacks.

    Refer: https://learn.microsoft.com/en-us/azure/app-service/overview-security#ddos-protection

    So, you have 2 options:

    • Either go with Azure DDoS protection and an Application Gateway web application firewall (WAF).

    Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-reference-architectures#paas-web-application

    https://learn.microsoft.com/en-us/azure/architecture/example-scenario/apps/fully-managed-secure-apps

    • Or go with Azure Front Door WAF.

    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-waf

    Azure Front Door has several features and characteristics that can help to prevent distributed denial of service (DDoS) attacks.

    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-ddos

    Azure Front Door WAF and Azure App Gateway WAF are very similar in functionality; one of the main differences is where the WAF is applied.

    Azure Front Door applies the WAF filters at edge locations, way before it gets to the datacenter. App Gateway applies the filter when it enters your VNET via the App Gateway. This is because Azure Front Door is a global load balancer and Azure Application Gateway is a regional load balancer.

    So, you need to choose between the 2 from an application delivery perspective, and then apply whichever WAF you choose.

    • If your web apps are in a single region, App Gateway WAF with DDoS protection will be the best choice.
    • For a multi-regional deployment or global route filtering, Azure Front Door WAF will be the best choice.

    For WAF pricing, you can refer to the doc below:

    https://azure.microsoft.com/en-us/pricing/details/web-application-firewall/

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

