@KaisMalique-9406, Thanks for the question!
I believe you have already checked this article - Securing your web app, which provides a reference architecture with a combination of the services (WAF/AGW/Front Door). To have a more intricately secured WebApp, the combination of the services/features mentioned needs to be leveraged.
I understand you have already evaluated the preview features of the services. Yes, only certain features of WAF/AGW and Front Door are in preview, but a mix of services without preview features does provide a high degree of protection, which can be tailored to your needs.
Highlighting some best-practice guidelines from the App Service perspective.
I'll open this up for targeted experts from the other tags (services) to share their insights, especially on the preview features.
Your question is fairly broad on WebApp security; more specifics on your WebApp requirements or setup would be helpful.
At a high level, there are several security features natively built into the App Service platform which help you protect your app from threats. The platform components of App Service, including Azure VMs, storage, network connections, web frameworks, management and integration features, are actively secured and hardened. Note that App Service goes through rigorous compliance checks on a continuous basis.
If you're looking at having complete network isolation, you can leverage App Service Environment (ASE), which runs in your own instance of Azure Virtual Network.
Based on your requirements, you could implement these common native best practices to protect your App Service app from threats (these extend to multi-tier apps):
- Always use encrypted connections even if the back-end resource allows unencrypted connections.
- You can disable outdated protocols by enforcing TLS 1.1/1.2 (enforce HTTPS).
- App Service supports both FTP and FTPS for deploying your files. However, FTPS should be used instead of FTP, if at all possible. When one or both of these protocols are not in use, you should disable them.
- Static IP restrictions - Based on your needs, you can limit access to a small subset of IP addresses.
- Enable client authentication - You can implement it in your application. The authentication and authorization module handles web requests before handing them off to your application code, and it denies unauthorized requests before they reach your code.
- Service-to-service authentication - Configure a service identity / on-behalf-of (delegated access).
For additional info, kindly check out these:
Azure security baseline for App Service - The Azure Security Baseline for App Service contains recommendations that will help you improve the security posture of your deployment.
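The following is an added example, not part of the answer above and not Microsoft's code: an offline audit that takes the JSON an App Service site exposes (the shape of `az webapp show`, `az webapp config show` and `az webapp auth show` output, merged into one document) and reports which of the best practices listed above are not yet applied: HTTPS only, minimum TLS 1.2, FTP/FTPS disabled, address-specific IP restrictions, built-in authentication on, and a managed identity for service-to-service calls. The field names (`httpsOnly`, `minTlsVersion`, `ftpsState`, `ipSecurityRestrictions`, `authSettings.enabled`, `identity.type`) are assumed from the Microsoft.Web/sites ARM schema; the two site documents and the 203.0.113.0/24 address are constructed sample data.

```python
"""Offline audit of an App Service site document against the hardening items above.

Added example, not from the original answer or from Microsoft. Field names are
assumed from the Microsoft.Web/sites schema; confirm them against your own CLI output.
"""

# Constructed sample: a freshly created app with default settings.
SAMPLE_SITE = {
    "name": "contoso-web",                 # constructed name
    "httpsOnly": False,                    # HTTP is served, not redirected to HTTPS
    "identity": {"type": "None"},          # no managed identity
    "siteConfig": {
        "minTlsVersion": "1.0",            # outdated protocol versions still accepted
        "ftpsState": "AllAllowed",         # plain FTP and FTPS both enabled
        "ipSecurityRestrictions": [        # App Service default: allow everything
            {"name": "Allow all", "action": "Allow", "ipAddress": "Any", "priority": 2147483647}
        ],
    },
    "authSettings": {"enabled": False},    # built-in auth/authz module off
}

# Constructed sample: the same app after applying the best practices.
HARDENED_SITE = {
    "name": "contoso-web",
    "httpsOnly": True,
    "identity": {"type": "SystemAssigned"},
    "siteConfig": {
        "minTlsVersion": "1.2",
        "ftpsState": "Disabled",
        "ipSecurityRestrictions": [
            {"name": "Front Door only", "action": "Allow", "ipAddress": "203.0.113.0/24", "priority": 100},
            {"name": "Deny all", "action": "Deny", "ipAddress": "Any", "priority": 2147483647},
        ],
    },
    "authSettings": {"enabled": True},
}


def audit_site(site):
    """Return a list of 'setting: problem' strings; an empty list means every check passed."""
    findings = []
    cfg = site.get("siteConfig", {})

    # Always use encrypted connections.
    if not site.get("httpsOnly", False):
        findings.append("httpsOnly: off, HTTP requests are served instead of redirected to HTTPS")

    # Disable outdated protocols by enforcing a modern TLS floor.
    if cfg.get("minTlsVersion") not in ("1.2", "1.3"):
        findings.append(f"minTlsVersion: {cfg.get('minTlsVersion')!r}, enforce 1.2 or later")

    # Prefer FTPS over FTP, and disable both when not in use.
    ftps = cfg.get("ftpsState", "AllAllowed")
    if ftps == "AllAllowed":
        findings.append("ftpsState: AllAllowed, plain FTP accepts credentials in clear text")
    elif ftps == "FtpsOnly":
        findings.append("ftpsState: FtpsOnly, disable entirely if FTPS deployment is not in use")

    # Static IP restrictions: at least one Allow rule for a specific address or range.
    rules = cfg.get("ipSecurityRestrictions", [])
    specific_allows = [r for r in rules if r.get("action") == "Allow" and r.get("ipAddress") != "Any"]
    if not specific_allows:
        findings.append("ipSecurityRestrictions: no address-specific Allow rule, app is reachable from any IP")

    # Client authentication: the platform module rejects unauthorized requests before app code runs.
    if not site.get("authSettings", {}).get("enabled", False):
        findings.append("authSettings: built-in authentication disabled, unauthenticated requests reach app code")

    # Service-to-service authentication via a managed identity instead of stored secrets.
    if site.get("identity", {}).get("type", "None") == "None":
        findings.append("identity: no managed identity, service-to-service calls must rely on stored secrets")

    return findings


if __name__ == "__main__":
    for label, site in (("default", SAMPLE_SITE), ("hardened", HARDENED_SITE)):
        results = audit_site(site)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

To run it against a real app, replace the constructed dictionaries with the merged output of the three `az webapp` commands named in the lead-in; each finding names the setting to change, so the list doubles as a remediation checklist.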