IIS Web Application stops connecting to SFTP server after being put behind Azure Web Application Firewall

Mirella Pellizzon Petruci 61 Reputation points
2024-01-12T14:17:35.8+00:00

Hi Community, Happy 2024! I have a Windows machine with an IIS web application which makes connections to the SFTP servers of some customers. We implemented Azure WAF and put this application behind it. We also detached the public IP address from the server machine. Our customer had a firewall rule associated with this public IP address. I asked him to change it to the WAF public IP address, but the rule is not working, since SFTP connections have stopped. Since the application talks HTTPS - port 443 when it is behind Azure WAF, even though my customer sets a rule for the WAF public IP address on HTTPS 443, the application itself won't be able to make SFTP connections anymore because the SFTP protocol is not supported by WAF? I thought the SSL/TLS protocol would encapsulate the SFTP protocol in this case. Has anyone faced this situation? Thanks, Mirella

Azure Web Application Firewall

Accepted answer
  1. ChaitanyaNaykodi-MSFT 23,906 Reputation points Microsoft Employee
    2024-01-13T03:42:37.9666667+00:00

    @Mirella Pellizzon Petruci

    Thank you for reaching out and Happy 2024 to you too!

    I understand you have a Windows machine with an IIS web application that connects to SFTP servers based on requests from the customers. You have also implemented Azure WAF (I am assuming you are using the Azure Application Gateway WAF SKU) and put this application behind it.

    Based on my understanding above, this is currently not a supported scenario for the Azure Application Gateway WAF SKU, as it only supports HTTP/HTTPS traffic and you are accessing the SFTP server as an outbound connection from your IIS web application. To achieve the communication, you can use Azure Firewall in parallel with the Application Gateway WAF SKU.

    In this architecture:

    • Inbound HTTP(S) connections from the Internet should be sent to the public IP address of the Application Gateway.
    • The SFTP outbound communication should be sent using Azure Firewall's public IP.
    • If you choose to use the Azure Firewall Premium SKU, you can use the TLS inspection functionality to secure your outbound connectivity.

    This architecture is explained in detail here

    Although this does not depict your exact scenario, I think you can refer to this article for passing SFTP traffic through Azure Firewall.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
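As an added example, not part of the question or the accepted answer, the Azure PowerShell commands for the egress side of the architecture the answer describes: a user-defined route that forces the IIS subnet's Internet-bound traffic through Azure Firewall, and a network rule that allows only SSH/SFTP (TCP/22) from that subnet to the customer's SFTP host. The resource names, region, subnet prefix, the customer address 203.0.113.10 and the SFTP port are assumptions; the firewall is assumed to use classic rule collections rather than an Azure Firewall Policy.

```powershell
# Added example: route outbound SFTP from an IIS VM (behind Application Gateway WAF)
# through Azure Firewall. All names, addresses and the region are assumptions.
$rg           = "rg-web"
$location     = "westeurope"
$iisSubnet    = "snet-iis"
$iisPrefix    = "10.0.2.0/24"      # subnet holding the IIS VM (assumed)
$customerSftp = "203.0.113.10"     # customer's SFTP host, documentation address (assumed)
$sftpPort     = "22"               # SFTP runs over SSH; confirm the customer's actual port

$fw          = Get-AzFirewall -Name "fw-hub" -ResourceGroupName $rg
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# 1. Route table: send all Internet-bound traffic from the IIS subnet to the firewall.
#    VNet-local traffic (including replies to the Application Gateway's private IP)
#    still matches the more specific system routes, so inbound HTTPS via the WAF is unaffected.
$rt = New-AzRouteTable -Name "rt-iis-egress" -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -RouteTable $rt -Name "default-via-firewall" `
    -AddressPrefix "0.0.0.0/0" -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp |
    Set-AzRouteTable

$vnet = Get-AzVirtualNetwork -Name "vnet-web" -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $iisSubnet `
    -AddressPrefix $iisPrefix -RouteTable $rt | Set-AzVirtualNetwork

# 2. Network rule: allow only TCP/22 from the IIS subnet to the customer's SFTP host.
#    Anything else leaving that subnet is dropped by the firewall's implicit deny.
$rule = New-AzFirewallNetworkRule -Name "allow-sftp-customer" -Protocol TCP `
    -SourceAddress $iisPrefix -DestinationAddress $customerSftp -DestinationPort $sftpPort
$coll = New-AzFirewallNetworkRuleCollection -Name "egress-sftp" -Priority 200 `
    -Rule $rule -ActionType Allow
$fw.AddNetworkRuleCollection($coll)
Set-AzFirewall -AzureFirewall $fw

# 3. The address the customer must allow-list is the firewall's public IP (the SNAT
#    source for Internet destinations), not the Application Gateway's public IP.
#    "pip-fw-hub" is the assumed name of the firewall's public IP resource.
(Get-AzPublicIpAddress -Name "pip-fw-hub" -ResourceGroupName $rg).IpAddress

# 4. On the IIS VM itself (not from Cloud Shell), confirm the path is open once the
#    customer has updated their rule:
# (Test-NetConnection -ComputerName $customerSftp -Port $sftpPort).TcpTestSucceeded
```

Two checks worth doing alongside this: attach the 0.0.0.0/0 route only to the IIS subnet, not to the Application Gateway subnet, where a default route to a virtual appliance is not supported on the v2 SKU; and make sure the VM's NSG also permits outbound TCP/22, since the firewall rule alone does not override an NSG deny.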

0 additional answers
