question

AmienMahri-4899 asked GitaraniSharmaMSFT-4262 edited

Azure WAF on Frontdoor

I am battling to find out if Azure WAF works on any or all TCP ports. So if my app is listening on port 9027, will it get WAF protection?

azure-front-door

Hello @AmienMahri-4899 ,

Azure Web Application Firewall (WAF) on Azure Front Door provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Basically, WAF-enabled web applications inspect every incoming request delivered by Front Door at the network edge and act as per the configured mode:
Detection mode: When run in detection mode, WAF doesn't take any action other than monitoring and logging the request and its matched WAF rule to the WAF logs.
Prevention mode: In prevention mode, WAF takes the specified action if a request matches a rule. If a match is found, no further rules with lower priority are evaluated. Any matched requests are also logged in the WAF logs.
Refer: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview

So it is all about the incoming requests to your app and is not related to the port it is listening on.

May I know what is it that you are looking for exactly?

Thanks,
Gita

AmienMahri-4899 (reply to GitaraniSharmaMSFT-4262):

In most, if not all, cases, WAF does NOT work across every single port, i.e. 0-65535. So the question is: if I have a bespoke app listening on a non-standard port, will the WAF protection kick in or will it just pass it through? A stupid example: what if I am using SSH, will Front Door do a WAF inspection?
Also, see the link below talking about the fact that only ports 80 and 443 are supported.

https://feedback.azure.com/forums/217313-networking/suggestions/40966483-azure-frontdoor-support-for-custom-ports

Hello @AmienMahri-4899 ,

WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
WAF will not provide inbound protection for non-HTTP/S protocols such as SSH.

In case you need such protection, I would recommend you to check Azure Firewall. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

Thanks,
Gita


1 Answer

GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 edited

Hello @AmienMahri-4899 ,

Azure Web Application Firewall (WAF) on Azure Front Door provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Basically, WAF-enabled web applications inspect every incoming request delivered by Front Door at the network edge and act as per the configured mode:
Detection mode: When run in detection mode, WAF doesn't take any action other than monitoring and logging the request and its matched WAF rule to the WAF logs.
Prevention mode: In prevention mode, WAF takes the specified action if a request matches a rule. If a match is found, no further rules with lower priority are evaluated. Any matched requests are also logged in the WAF logs.
Refer: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview

As long as the application is being accessed on HTTP (port 80) or HTTPS (port 443), WAF will protect these requests. If the request comes on any other port or protocol, it will be dropped by WAF at the edge. Only port 80 and 443 traffic can be passed from Front Door to the backend. The backend can be any publicly accessible web application.

WAF will not provide inbound protection for non-HTTP/S protocols such as SSH. In case you need such protection, I would recommend you to check Azure Firewall. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
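The following is an added example, not code from the answer above and not Azure's own implementation: a small Python model of the behaviour the answer describes, so the two points can be tried side by side. First, Front Door only accepts HTTP on port 80 and HTTPS on port 443, so a request for a bespoke app on port 9027 (or SSH on 22) is dropped at the edge before any WAF rule is consulted. Second, within the WAF, rules are evaluated in priority order; in Detection mode every matching rule is logged and the request is still forwarded, while in Prevention mode the first matching rule's action is applied and lower-priority rules are skipped. The rule names, paths and header check in `SAMPLE_RULES` are constructed for the demonstration and are not real Azure managed rules.

```python
"""Toy model of Azure Front Door WAF request handling as described in the answer.

Added example: assumptions are the constructed SAMPLE_RULES and the simplification
that a rule's action is either "Block" or "Allow".
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Front Door only passes HTTP/80 and HTTPS/443 through to the backend.
ALLOWED_EDGE = {("http", 80), ("https", 443)}


@dataclass(frozen=True)
class Request:
    scheme: str            # "http", "https", "ssh", ...
    port: int
    path: str
    headers: Dict[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                       # lower number is evaluated first
    matches: Callable[[Request], bool]
    action: str                         # "Block" or "Allow"


@dataclass
class Outcome:
    accepted_at_edge: bool
    action: str                         # "Dropped", "Forwarded" or "Block"
    matched: List[str] = field(default_factory=list)   # rule names written to WAF logs


def evaluate(req: Request, rules: List[Rule], mode: str) -> Outcome:
    """Return what the edge does with `req` under the given WAF mode."""
    # Step 1: anything that is not HTTP/80 or HTTPS/443 never reaches the WAF.
    if (req.scheme, req.port) not in ALLOWED_EDGE:
        return Outcome(accepted_at_edge=False, action="Dropped")

    out = Outcome(accepted_at_edge=True, action="Forwarded")
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        out.matched.append(rule.name)          # every match is logged in both modes
        if mode == "Detection":
            continue                           # log only; keep evaluating, never block
        # Prevention: apply the first match's action and stop evaluating.
        out.action = "Block" if rule.action == "Block" else "Forwarded"
        break
    return out


# Constructed sample policy (hypothetical rule names, not Azure managed rules).
SAMPLE_RULES = [
    Rule("allow-healthcheck", 10, lambda r: r.path == "/healthz", "Allow"),
    Rule("block-admin-path", 20, lambda r: r.path.startswith("/admin"), "Block"),
    Rule("block-missing-user-agent", 30, lambda r: "User-Agent" not in r.headers, "Block"),
]


def demo() -> List[Outcome]:
    """Run a few constructed requests through both modes; used by the self-test."""
    bespoke = Request("https", 9027, "/", {"User-Agent": "demo"})   # app on a custom port
    ssh = Request("ssh", 22, "", {})
    admin = Request("https", 443, "/admin/users", {})               # matches two rules
    health = Request("http", 80, "/healthz", {"User-Agent": "probe"})
    return [
        evaluate(bespoke, SAMPLE_RULES, "Prevention"),
        evaluate(ssh, SAMPLE_RULES, "Prevention"),
        evaluate(admin, SAMPLE_RULES, "Prevention"),
        evaluate(admin, SAMPLE_RULES, "Detection"),
        evaluate(health, SAMPLE_RULES, "Prevention"),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The model shows the practical consequence of the thread: a service on port 9027 gets neither WAF inspection nor passthrough, it is simply unreachable through Front Door, and in Detection mode the WAF logs are the only evidence that a rule would have fired, so a defender who wants blocking must switch the policy to Prevention.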