Securing Single Web App.

Kman 41 Reputation points
2020-11-22T11:51:38.713+00:00

I currently have a single Web App and Durable Functions, 2 VMs and 1 Azure SQL Database and 1 Cosmos DB. I wanted to know what is the best approach to secure the Web App. I have read WAF, or WAF with Application Gateway or Front Door. I would need something which is GA and not Public Preview.

Also if I decide to have more than one Web App what will be the best approach.

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
677 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,063 questions
Azure Web Application Firewall
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,373 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,758 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. ajkuma 26,131 Reputation points Microsoft Employee
    2020-11-23T20:38:31.67+00:00

    @KaisMalique-9406, Thanks for the question!

    I believe you have already checked this article - Securing your web app, which provides a reference architecture with the combination of the services (WAF/AGW/Front Door). To have a more intricate secure WebApp the combination of the services mentioned/features needs to be leveraged.

    I understand you have already evaluated the preview features of the services. Yes, certain features (only) on WAF/AGW, Front Door are in preview, but mix of Services without preview features does provide high degree of protection which can be tailored as per the needs.

    Highlighting some best practices guidelines from App Service perspective.
    I'll open this-up for targetted experts from the other tags (services) to share their insights, esp on the preview features.

    Your question is more broad on WebApp security, more specifics on your WebApp requirement or setup would be further helpful.

    At a highlight-level, there are several security features that are natively inbuilt into the App Service Platform which would help you protect your app from threats, the platform components of App Service, including Azure VMs, storage, network connections, web frameworks, management and integration features, are actively secured and hardened. Note that App Service goes through vigorous compliance checks on a continuous basis.

    If you’re looking at having a complete network isolation – You can leverage App Service environment (ASE) runs in your own instance of Azure Virtual Network.

    Based on your requirement, you could implement these common native best practices to protect your App Service app from threats (Extend to multi-tier apps):

    • Always use encrypted connections even if the back-end resource allows unencrypted connections.
    • You can disable outdated protocols by enforcing TLS 1.1/1.2 (Enforce HTTPs).
    • App Service supports both FTP and FTPS for deploying your files. However, FTPS should be used instead of FTP, if at all possible. When one or both of these protocols are not in use, you should disable them.
    • Static IP restrictions – Based on your you can limit that access to a small subset of IP addresses.
    • Enable client authentication- You can implement your application. The authentication and authorization module handles web requests before handing them off to your application code, and it denies unauthorized requests before they reach your code.
    • Service-service authentication - configure Service identity /On-behalf-of (delegated access).

    For additional info, kindly checkout these:

    Azure security baseline for App Service - The Azure Security Baseline for App Service contains recommendations that will help you improve the security posture of your deployment.

    Security recommendations for App Service


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.