Firewall recommended for Azure Static Web Apps

Koteswara Pentakota 71 Reputation points
2022-04-06T18:48:27.577+00:00

What Firewall is recommended for Azure static web apps. We are currently using App Service for our front end and would be migrating to Azure static web app. We need a Web application firewall and also a flexibility to redirect all traffic originating from https://recordent.com to https://www.recordent.com. I believe these rules can be written at the Firewall or should they be written inside the Application Gateway.
Considering that there is Azure Front Door, LB, WAF, App Gateway, etc. which one of these would serve the requirement. For a few of our sub domains we also have requirement that the entire application url's should be accessible only via VPN for better security.

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,420 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
589 questions
Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
988 questions
Azure Load Balancer
Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.
413 questions
Azure ISV (Independent Software Vendors) and Startups
Azure ISV (Independent Software Vendors) and Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.ISV (Independent Software Vendors) and Startups: A Microsoft program that helps customers adopt Microsoft Cloud solutions and drive user adoption.
89 questions
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 48,286 Reputation points Microsoft Employee
    2022-04-07T10:55:00.617+00:00

    Hello @Koteswara Pentakota ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like a Firewall recommendation for Azure Static web apps which will provide WAF capability and URL redirect of your apex domain.

    Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. WAF can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) service from Microsoft. WAF on Azure CDN is currently under public preview.
    Refer : https://learn.microsoft.com/en-us/azure/web-application-firewall/overview

    You can configure your static web app behind Azure Application Gateway or a CDN like Azure Front Door. You can decide on which product to use by considering the cost and features provided by that product.
    Refer : https://learn.microsoft.com/en-us/azure/static-web-apps/faq#how-do-i-configure-my-static-web-app-behind-azure-application-gateway-or-a-cdn-like-azure-front-door-
    https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview#decision-tree-for-load-balancing-in-azure

    You can configure IP restriction on Azure Front Door or Application gateway to allow access to a few sources IPs.
    For Azure Front Door IP restriction : https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction
    For Application gateway IP restriction : https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#allow-access-to-a-few-source-ips

    You can implement URL rewrites & redirects with Azure Front Door and Application gateway:
    Azure Front Door:
    https://learn.microsoft.com/en-us/azure/frontdoor/front-door-url-rewrite?pivots=front-door-classic
    https://learn.microsoft.com/en-us/azure/frontdoor/front-door-url-redirect?pivots=front-door-classic

    Application gateway:
    https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-url-portal
    https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url

    You can also onboard a root or apex domain on Azure Front Door or Azure CDN, so that you can point your root domain and subdomain to the FD or CDN profile. For example, contoso.com and www.contoso.com can point to the same Front Door/CDN profile and your users can access your site using contoso.com without the need to prepend www to the DNS name. This can be achieved using Azure DNS or external DNS provider.
    For Azure Front Door : https://learn.microsoft.com/en-us/azure/frontdoor/front-door-how-to-onboard-apex-domain
    For Azure CDN : https://learn.microsoft.com/en-us/azure/cdn/onboard-apex-domain

    But Application gateway doesn't provide this feature.

    So if we compare the 3 products:
    Azure Application gateway provides WAF, IP restriction and URL rewrites but no support for Apex domain.
    Azure CDN supports URL rewrites and Apex domain but the WAF feature is in preview.
    Azure Front Door provides WAF, IP restriction, URL rewrites and support Apex domains.

    So, my recommendation would be to go with Azure Front Door.
    We already have an official documentation on how to configure Azure Front Door for Azure Static Web Apps.
    Refer : https://learn.microsoft.com/en-us/azure/static-web-apps/front-door-manual

    Kindly let us know if the above helped or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Takahito Iwasa 4,841 Reputation points MVP
    2022-04-06T21:07:51.137+00:00

    Hi, @Koteswara Pentakota

    I think your scenario can be realized in several ways.

    You need to understand and choose the difference between Application Gateway and Front Door.
    You can also use the redirect function in Front Door.

    What is the difference between Azure Front Door and Azure Application Gateway?
    When should we deploy an Application Gateway behind Front Door?

    https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq

    However, keep in mind that the Azure Static Web Apps VNET integration feature is currently in preview and does not support staging slots.

    https://learn.microsoft.com/en-us/azure/static-web-apps/private-endpoint

    0 comments No comments