Confusion between WAF with Application Gateway and Front Door when securing custom Web Apps running on Azure VM published to the internet?

EnterpriseArchitect 4,741 Reputation points
2024-04-12T12:12:14.38+00:00

Could you please let me know which Azure technology can be used to minimize the attack surface for safely publishing a Virtual Machine as a Web App on the internet?

This will enable my team to access the application from anywhere in the world without having to manually add their dynamic public IP address.

The URL of the web app running on top of the Linux Azure VM will be https://servername.domain.com, which will be secured using an Azure App Service wildcard certificate.

Shall I combine them both, or should I just use one over the other?


Accepted answer
  1. dashanan13 930 Reputation points
    2024-04-13T22:12:12.5666667+00:00

    Hei @EnterpriseArchitect ,

    Thank you for contacting Microsoft Community.

    It may help to host the application via Azure WebApp that is behind Azure Front Door. Azure Front Door has a Web application firewall dedicated to HTTP traffic. Check out this architecture setup: https://learn.microsoft.com/en-us/azure/frontdoor/create-front-door-portal

    If you still want to host the website on a VM, hopefully without a public IP, the next decision is whether you need multi-region / global availability etc. Microsoft has beautifully described a decision graph to help you with it. In your case the best decision is to use Azure Front Door + Azure Load Balancer, according to the documentation. Read more: https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

    Please mark this as answer if it helped

    [image: load-balancing-decision-tree]

    1 person found this answer helpful.

1 additional answer

  1. KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee
    2024-04-12T12:42:55.17+00:00

    @EnterpriseArchitect ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    This decision completely depends on the requirement and environment your team has.

    WAF in both AFD and App Gateway provide various capabilities, some unique to each.

    The major key points to note would be

    • App Gateway provides direct integration to a VM in a VNET. This means you do not have to expose the VM to the public internet.
    • Traffic between App Gateway and the VM would remain within the VNET (private traffic).
    • However, the same is not the case with AFD.
    • At least, you must allow incoming connections to the VM from certain IP ranges in the service tag "AzureFrontDoor.Backend".
    • The benefit of AFD is that it can offer a low-latency service to users across the globe, thanks to our Anycast IPs and POPs, whereas App Gw is a regional service and users from a different region may experience increased latency compared to ones in the same region as the App Gw.

    Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

    Thanks,

    Kapil

    1 person found this answer helpful.
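Added example (not code from either answer or from Microsoft): a network security group for the web VM's subnet that implements the point made above, admitting HTTPS only from the `AzureFrontDoor.Backend` service tag and denying all other inbound Internet traffic. The NSG name, port and API version are assumptions.

```bicep
// Constructed example: NSG for the subnet hosting the web VM behind Azure Front Door.
// Only Front Door's backend address ranges (service tag) may reach the VM on 443;
// everything else coming from the Internet is denied.
param location string = resourceGroup().location
param nsgName string = 'nsg-webvm'   // assumed name

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: nsgName
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-FrontDoor-Backend-HTTPS'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'AzureFrontDoor.Backend'   // service tag named in the answer above
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'                     // assumed: TLS port of the web app
        }
      }
      {
        // Explicit deny from the Internet so no later default rule lets other traffic in.
        name: 'Deny-Internet-Inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

The service tag only proves that a request came through some Front Door profile, not yours, so the web server should additionally check that the `X-Azure-FDID` request header matches your own Front Door ID before serving the request.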