Application Gateway and Geo Location Setup

Question

Hey MS world,

Our Goal is to restrict access to our Web Application by Country. Basically deny all, and allow access to ONE country.

Everything worked great utilizing NSG group with and Dev Team to restrict access and attacks. We installed the Certificates on this IIS already etc.

Now that we are ready to open up we need that extra layer of security. We set up and AppGW and WAF in our environment to hopefully achieve this.

So we setup an Applicaiton GW, backendpool and WAF etc--- changed the website DNS to point to APPGW etc.

NO GEO restrictions as yet.
Only getting the Login Page
Https is not working.

What are the steps to get HTTPS allowed through APPGW?

Can WAF exist by itself to accomplish our goal?

Thanks Dane

Answer 1

Hello @Danejahtt-0724 ,

You can configure End to End TLS/SSL in Azure Application gateway to encrypt and securely transmit sensitive data to the backend. When configured with end-to-end TLS communication mode, Application Gateway terminates the TLS sessions at the gateway and decrypts user traffic. It then applies the configured rules to select an appropriate backend pool instance to route traffic to. Application Gateway then initiates a new TLS connection to the backend server and re-encrypts data using the backend server's public key certificate before transmitting the request to the backend. Any response from the web server goes through the same process back to the end user. End-to-end TLS is enabled by setting protocol setting in Backend HTTP Setting to HTTPS, which is then applied to a backend pool.
For end to end SSL overview, please refer : https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview

To configure end-to-end TLS with an application gateway, a certificate is required for the gateway and certificates are required for the back-end servers. The gateway certificate is used to derive a symmetric key as per TLS protocol specification. The symmetric key is then used to encrypt and decrypt the traffic sent to the gateway. The gateway certificate needs to be in Personal Information Exchange (PFX) format. This file format allows you to export the private key that is required by the application gateway to perform the encryption and decryption of traffic.
For step by step instructions, please refer : https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell

WAF now comes with a Public preview feature called custom rules. Custom rules allow you to create tailored rules to suit the exact needs of your applications and security policies. Now, you can restrict access to your web applications by country/region.
For more information on Geo-match WAF custom rules, please refer : https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/geomatch-custom-rules

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

You have not mentioned the Application Gateway SKU.

There are couple of things to note if you are in the old SKU of App Gateway you can upgrade to WAF tier but that would not give you the option to do geo based blocking. You can use the Old SKU with WAF and protect the application from the OWASP vulnerbality, make sure you make your WAF intelligent enough by putting it first in detection mdoe and then prevention mode, The SKU for Geo based blocking to work needs to be on WAFV2 tier

Unfortunately old sku's of app gateway cant be upgraded to WAF v2 tier, and new app gateway needs to be set up for that

For your other question regarding HTTPS

Do you want to configure http to https redirection , where would you like to terminate your SSL

Can you let me know how have you configured your listener is it for multisite