Protect Azure Container Apps with Web Application Firewall on Application Gateway

When you host your apps or microservices in Azure Container Apps, you may not always want to publish them directly to the internet. Instead, you may want to expose them through a reverse proxy.

A reverse proxy is a service that sits in front of one or more services, intercepting and directing incoming traffic to the appropriate destination.

Reverse proxies allow you to place services in front of your apps that supports cross-cutting functionality including:

• Routing
• Caching
• Rate limiting
• Load balancing
• Security layers
• Request filtering

This article demonstrates how to protect your container apps using a Web Application Firewall (WAF) on Azure Application Gateway with an internal Container Apps environment.

For more information on networking concepts in Container Apps, see Networking Environment in Azure Container Apps.

Prerequisites

• Internal environment with custom VNet: Have a container app that is on an internal environment and integrated with a custom virtual network. For more information on how to create a custom virtual network integrated app, see provide a virtual network to an internal Azure Container Apps environment.

• Security certificates: If you must use TLS/SSL encryption to the application gateway, a valid public certificate that's used to bind to your application gateway is required.

Retrieve your container app's domain

Use the following steps to retrieve the values of the default domain and the static IP to set up your Private DNS Zone.

1. From the resource group's Overview window in the portal, select your container app.

2. On the Overview window for your container app resource, select the link for Container Apps Environment

3. On the Overview window for your container app environment resource, select JSON View in the upper right-hand corner of the page to view the JSON representation of the container apps environment.

4. Copy the values for the defaultDomain and staticIp properties and paste them into a text editor. You'll create a private DNS zone using these values for the default domain in the next section.

Create and configure an Azure Private DNS zone

1. On the Azure portal menu or the Home page, select Create a resource.

2. Search for Private DNS Zone, and select Private DNS Zone from the search results.

3. Select the Create button.

4. Enter the following values:

   Setting	Action
   Subscription	Select your Azure subscription.
   Resource group	Select the resource group of your container app.
   Name	Enter the defaultDomain property of the Container Apps Environment from the previous section.
   Resource group location	Leave as the default. A value isn't needed as Private DNS Zones are global.

5. Select Review + create. After validation finishes, select Create.

6. After the private DNS zone is created, select Go to resource.

7. In the Overview window, select +Record set, to add a new record set.

8. In the Add record set window, enter the following values:

   Setting	Action
   Name	Enter *.
   Type	Select A-Address Record.
   TTL	Keep the default values.
   TTL unit	Keep the default values.
   IP address	Enter the staticIp property of the Container Apps Environment from the previous section.

9. Select OK to create the record set.

10. Select +Record set again, to add a second record set.

11. In the Add record set window, enter the following values:

    Setting	Action
    Name	Enter @.
    Type	Select A-Address Record.
    TTL	Keep the default values.
    TTL unit	Keep the default values.
    IP address	Enter the staticIp property of the Container Apps Environment from the previous section.

12. Select OK to create the record set.

13. Select the Virtual network links window from the menu on the left side of the page.

14. Select +Add to create a new link with the following values:

    Setting	Action
    Link name	Enter my-custom-vnet-pdns-link.
    I know the resource ID of virtual network	Leave it unchecked.
    Virtual network	Select the virtual network your container app is integrated with.
    Enable auto registration	Leave it unchecked.

15. Select OK to create the virtual network link.

Create and configure Azure Application Gateway

Basics tab

1. Enter the following values in the Project details section.

   Setting	Action
   Subscription	Select your Azure subscription.
   Resource group	Select the resource group for your container app.
   Application gateway name	Enter my-container-apps-agw.
   Region	Select the location where your Container App was provisioned.
   Tier	Select WAF V2. You can use Standard V2 if you don't need WAF.
   Enable autoscaling	Leave as default. For production environments, autoscaling is recommended. See Autoscaling Azure Application Gateway.
   Availability zone	Select None. For production environments, Availability Zones are recommended for higher availability.
   HTTP2	Keep the default value.
   WAF Policy	Select Create new and enter my-waf-policy for the WAF Policy. Select OK. If you chose Standard V2 for the tier, skip this step.
   Virtual network	Select the virtual network that your container app is integrated with.
   Subnet	Select Manage subnet configuration. If you already have a subnet you wish to use, use that instead, and skip to the Frontends section.

2. From within the Subnets window of my-custom-vnet, select +Subnet and enter the following values:

   Setting	Action
   Name	Enter appgateway-subnet.
   Subnet address range	Keep the default values.

3. For the remainder of the settings, keep the default values.

4. Select Save to create the new subnet.

5. Close the Subnets window to return to the Create application gateway window.

6. Select the following values:

   Setting	Action
   Subnet	Select the appgateway-subnet you created.

7. Select Next: Frontends, to proceed.

Frontends tab

1. On the Frontends tab, enter the following values:

   Setting	Action
   Frontend IP address type	Select Public.
   Public IP address	Select Add new. Enter my-frontend for the name of your frontend and select OK

   Note

   For the Application Gateway v2 SKU, there must be a Public frontend IP. You can have both a public and a private frontend IP configuration, but a private-only frontend IP configuration with no public IP is currently not supported in the v2 SKU. To learn more, read here.

2. Select Next: Backends.

Backends tab

The backend pool is used to route requests to the appropriate backend servers. Backend pools can be composed of any combination of the following resources:

• NICs
• Public IP addresses
• Internal IP addresses
• Virtual Machine Scale Sets
• Fully qualified domain names (FQDN)
• Multi-tenant back-ends like Azure App Service and Container Apps

In this example, you create a backend pool that targets your container app.

1. Select Add a backend pool.

2. Open a new tab and navigate to your container app.

3. In the Overview window of the Container App, find the Application Url and copy it.

4. Return to the Backends tab, and enter the following values in the Add a backend pool window:

   Setting	Action
   Name	Enter my-agw-backend-pool.
   Add backend pool without targets	Select No.
   Target type	Select IP address or FQDN.
   Target	Enter the Container App Application Url you copied and remove the https:// prefix. This location is the FQDN of your container app.

5. Select Add.

6. On the Backends tab, select Next: Configuration.

Configuration tab

On the Configuration tab, you connect the frontend and backend pool you created using a routing rule.

1. Select Add a routing rule. Enter the following values:

   Setting	Action
   Name	Enter my-agw-routing-rule.
   Priority	Enter 1.

2. Under Listener tab, enter the following values:

   Setting	Action
   Listener name	Enter my-agw-listener.
   Frontend IP	Select Public.
   Protocol	Select HTTPS. If you don't have a certificate you want to use, you can select HTTP
   Port	Enter 443. If you chose HTTP for your protocol, enter 80 and skip to the default/custom domain section.
   Choose a Certificate	Select Upload a certificate. If your certificate is stored in key vault, you can select Choose a certificate from Key Vault.
   Cert name	Enter a name for your certificate.
   PFX certificate file	Select your valid public certificate.
   Password	Enter your certificate password.

   If you want to use the default domain, enter the following values:

   Setting	Action
   Listener Type	Select Basic
   Error page url	Leave as No

   Alternatively, if you want to use a custom domain, enter the following values:

   Setting	Action
   Listener Type	Select Multi site
   Host type	Select Single
   Host Names	Enter the Custom Domain you wish to use.
   Error page url	Leave as No

3. Select the Backend targets tab and enter the following values:

4. Toggle to the Backend targets tab and enter the following values:

   Setting	Action
   Target type	Select my-agw-backend-pool that you created earlier.
   Backend settings	Select Add new.

5. In the Add Backend setting window, enter the following values:

   Setting	Action
   Backend settings name	Enter my-agw-backend-setting.
   Backend protocol	Select HTTPS.
   Backend port	Enter 443.
   Use well known CA certificate	Select Yes.
   Override with new host name	Select Yes.
   Host name override	Select Pick host name from backend target.
   Create custom probes	Select No.

6. Select Add, to add the backend settings.

7. In the Add a routing rule window, select Add again.

8. Select Next: Tags.

9. Select Next: Review + create, and then select Create.

Add private link to your Application Gateway

You can establish a secured connection to internal-only container app environments by levaraging private link, as it allows your Application Gateway to communicate with your Container App on the backend through the virtual network.

1. Once the Application Gateway is created, select Go to resource.

2. From the menu on the left, select Private link, then select Add.

3. Enter the following values:

   Setting	Action
   Name	Enter my-agw-private-link.
   Private link subnet	Select the subnet you wish to create the private link with.
   Frontend IP Configuration	Select the frontend IP for your Application Gateway.

4. Under Private IP address settings select Add.

5. Select Add at the bottom of the window.

Verify the container app

Default domain

1. Find the public IP address for the application gateway on its Overview page, or you can search for the address. To search, select All resources and enter my-container-apps-agw-pip in the search box. Then, select the IP in the search results.

2. Navigate to the public IP address of the application gateway.

3. Your request is automatically routed to the container app, which verifies the application gateway was successfully created.

Custom domain

1. Find the public IP address for the application gateway on its Overview page, or you can search for the address.

   To search, select All resources and enter my-container-apps-agw-pip in the search box. Then, select the IP in the search results.

2. Next, you need to update your DNS records via your domain provider's website. Open a new browser window to add the DNS records. Set the A record type to point to the IP address of the application gateway.

3. In your browser, enter your domain. Make sure you use the https protocol.

4. Your request is automatically routed to the container app, which verifies that the application gateway is successfully created.

Clean up resources

When you no longer need the resources that you created, delete the resource group. When you delete the resource group, you also remove all the related resources.

To delete the resource group:

1. On the Azure portal menu, select Resource groups or search for and select Resource groups.

2. On the Resource groups page, search for and select my-container-apps.

3. On the Resource group page, select Delete resource group.

4. Enter my-container-apps under TYPE THE RESOURCE GROUP NAME and then select Delete

Next steps

Azure Firewall in Azure Container Apps