How to secure our web application
When we consider deploying our application to the cloud, the first thing that comes to our minds is how to secure it. Typically, we put the responsibility only on the development or networking teams, despite the fact that it should be considered during the architecture phase and the design of the deployment architecture.
Before we start, always keep in mind that security is a shared responsibility.
I was working on an app modernization project for a customer solution, and one of the major concerns was the security of the solution. As a cloud solution architect, I suggest that the first step to secure our web application is to deploy a Web Application Firewall (WAF) to filter and monitor HTTP traffic between the web application and the Internet.
When it comes to deploying our solution to Microsoft Azure, we have multiple ways to deploy components, and the choice depends on the requirements that we have.
Let's discover how we can deploy a WAF on Azure and secure our web application. There are two major ways to deploy it: the first is with Azure Application Gateway, the second is with Azure Front Door.
In this article we will tackle the difference between them, which one we should choose, and why.
Let's start with Azure Application Gateway: As everyone knows, a gateway enables data to flow from one discrete network to another, and Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer and route traffic based on source IP address and port to a destination IP address and port. Application Gateway allows you to route to multiple web applications, whether they are deployed on Azure App Service, Azure VMs, an on-premises environment, or even another public cloud.
If we go deeper, WAF on Application Gateway gives you the ability to protect, monitor, and analyze the traffic going to your application. You can detect threats through logging, and you can also save the logs to Log Analytics. Once you have an overall view of the web traffic going to the web application, you can switch the WAF to prevention mode and choose what to allow using the predefined WAF rules or your own custom rules.
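The review step described above, before switching to prevention mode, can be scripted over an exported detection-mode log. This is an added example, not code from the original article; it summarizes which request paths prevention mode would have stopped and which rules contributed. Assumptions: records follow the ApplicationGatewayFirewallLog diagnostic category with the field names shown, contributing rules are logged with action "Matched" and the threshold hit with action "Detected", and all sample records are constructed.

```python
import json
from collections import defaultdict

def rec(tx, uri, rule, action, cat="ApplicationGatewayFirewallLog"):
    """Build one constructed log line (sample data, not real traffic)."""
    return json.dumps({"category": cat, "properties": {
        "transactionId": tx, "requestUri": uri, "ruleId": rule,
        "action": action, "clientIp": "203.0.113.10"}})

# Constructed detection-mode export; field names are an assumed schema.
SAMPLE = [
    rec("t1", "/search?q=a", "942130", "Matched"),
    rec("t1", "/search?q=a", "949110", "Detected"),
    rec("t2", "/api/upload", "920350", "Matched"),       # below threshold
    rec("t3", "/search?q=b", "949110", "Detected"),      # arrives out of order
    rec("t3", "/search?q=b", "942100", "Matched"),
    rec("t3", "/search?q=b", "942130", "Matched"),
    rec("t4", "/login", "920350", "Matched"),
    rec("t4", "/login", "942130", "Matched"),
    rec("t4", "/login", "949110", "Detected"),
    rec("t5", "/health", None, None, cat="ApplicationGatewayAccessLog"),
    '{"category":"ApplicationGatewayFirewallLog","prop',  # truncated line
]

def would_block(lines):
    """Map request path -> request count and contributing rule IDs for
    transactions logged as Detected, i.e. those prevention mode would stop."""
    matched, flagged = defaultdict(set), {}
    for line in lines:
        try:
            r = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip damaged export lines
        p = r.get("properties") or {}
        tx = p.get("transactionId")
        if r.get("category") != "ApplicationGatewayFirewallLog" or not tx:
            continue
        if p.get("action") == "Matched" and p.get("ruleId"):
            matched[tx].add(p["ruleId"])
        elif p.get("action") == "Detected":
            flagged[tx] = (p.get("requestUri") or "").split("?")[0]
    report = {}
    for tx, path in flagged.items():
        entry = report.setdefault(path, {"requests": 0, "rules": set()})
        entry["requests"] += 1
        entry["rules"] |= matched[tx]
    return {p: {"requests": e["requests"], "rules": sorted(e["rules"])}
            for p, e in report.items()}

if __name__ == "__main__":
    for path, info in would_block(SAMPLE).items():
        print(path, info)
```

Paths that show up here for legitimate traffic are the ones to review against the predefined rules or cover with custom rules before the mode change.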
I suggest you go and take a look at the Azure Application Gateway documentation.
Azure Front Door: If you have a global app and APIs, Azure Front Door will help you ensure high availability with a multi-region deployment, where users get a seamless experience if one of the regions fails, by having an active and a standby region.
Unlike Application Gateway, WAF is not integrated into Front Door, so you have to create a WAF policy for Front Door.
Comparing Azure Application Gateway (WAF) and Azure Front Door:
- Azure Application Gateway (WAF): The best way to route, filter, and monitor traffic for multiple applications from a central service and dashboard. It supports load balancing, with a built-in WAF configuration based on the OWASP_3.1 rule set and minimum cost control.
- Azure Front Door: Highly recommended for multi-region deployment scenarios. It does not support load balancing, and when it comes to WAF you should create and configure a WAF policy on Microsoft Default_RuleSet_1.1 or another default rule set. It is billed on a PAYG basis, so the cost is based on the configuration.