The Azure Application Gateway

Azure have released an application gateway with some WAF functionality which “protects web applications from common web-based attacks like SQL injection, cross-site scripting attacks, and session hijacks”. I deployed Barracuda WAFs in our Azure architecture several years ago but subsequently got rid of them – they are an expensive solution if you don’t have a lot of applications behind them. We were paying somewhere in the region of £10,000 per year per device. The costs add up when you need 2 for a high availability set and then another set in a different geo-region: £40,000 to protect a handful of websites. The application gateway is attractive from a cost perspective, although the WAF pricing itself hasn’t been confirmed as it’s still in preview.

The pricing is very attractive, although the WAF functionality is to ‘TBC’

Evaluation

I’m keen to evaluate this service and would like to find out:

  • How much watering and feeding will they require? WAFs, like most security devices, have an administrative overhead.
  • How granular are the WAF rules – can the rules be tweaked? Will entering Irish names trigger SQL injection rules which can’t be altered?
  • Would we be better off using Cloudflare in front of our websites?
  • Does it play nicely with authentication? (namely ADFS / Azure AD Authentication)
  • What is its logging capability like? Can we export it to a syslog server?

I’ll do another post when I have had a good look around the product. Its feature set overlaps rather confusingly with the ‘Azure AD Proxy’ apart from the WAF features – I’m not sure if there is a use case for both of the products still.

If you have provisioned an application gateway through the Azure portal it’s not actually that easy to remove some components that get created automatically. As part of my testing, I ended up with a few listeners that were surplus to requirement.

application gateway listeners – at the moment they cannot be deleted through the portal

As a new service, the documentation isn’t that great yet. The following can be used to delete a listener from the application gateway using PowerShell:

Remove Listeners

# Fetch the gateway configuration, remove the listener from the local copy, then push the change back
$AppGw = Get-AzureRmApplicationGateway -Name "application-gateway-name" -ResourceGroupName "application-gateway-resource"
Remove-AzureRmApplicationGatewayHttpListener -ApplicationGateway $AppGw -Name "name-of-listener-to-delete"
Set-AzureRmApplicationGateway -ApplicationGateway $AppGw

The process takes a wee while but will remove the listener. The same pattern works for the other components:

Remove HTTP Settings

# Same pattern: edit the local copy, then commit it with Set-AzureRmApplicationGateway
$AppGw = Get-AzureRmApplicationGateway -Name "application-gateway-name" -ResourceGroupName "application-gateway-resource"
Remove-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $AppGw -Name "name-of-http-settings-to-delete"
Set-AzureRmApplicationGateway -ApplicationGateway $AppGw

Remove Back End Pools

# Same pattern for a back-end address pool
$AppGw = Get-AzureRmApplicationGateway -Name "application-gateway-name" -ResourceGroupName "application-gateway-resource"
Remove-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name "name-of-back-end-pool-to-delete"
Set-AzureRmApplicationGateway -ApplicationGateway $AppGw
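The three snippets above each fetch, edit and commit the gateway separately, and none of them checks whether a request routing rule still points at the component being removed (in which case the commit fails and the surplus component stays). The script below, an added example that is not from the original post, folds the three removals into a single commit and refuses to remove anything a rule still references. The gateway, resource group and component names are placeholders; the rule properties it inspects (HttpListener, BackendAddressPool, BackendHttpSettings, each carrying an Id) are an assumption about the shape of the objects the AzureRm cmdlets return.

```powershell
# Added example (not from the original post): remove an unused listener, its
# HTTP settings and its back-end pool in one commit, refusing to touch any
# component that a request routing rule still references.
# All names below are placeholders; adjust them for your gateway.
param(
    [string]$GatewayName      = "application-gateway-name",
    [string]$ResourceGroup    = "application-gateway-resource",
    [string]$ListenerName     = "name-of-listener-to-delete",
    [string]$HttpSettingsName = "name-of-http-settings-to-delete",
    [string]$PoolName         = "name-of-back-end-pool-to-delete"
)

$ErrorActionPreference = "Stop"

# One fetch; every edit below is made on this local copy and committed once.
$AppGw = Get-AzureRmApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

# Assumption: each routing rule exposes the listener, pool and settings it uses
# as sub-resource references whose Id ends in "/<type>/<name>". A component is
# still in use if any rule's reference Id ends with its name.
function Test-ReferencedByRule {
    param($Rules, [string]$Property, [string]$Name)
    foreach ($rule in $Rules) {
        $ref = $rule.$Property
        if ($ref -and $ref.Id -like "*/$Name") { return $true }
    }
    return $false
}

$rules = $AppGw.RequestRoutingRules

foreach ($check in @(
    @{ Property = "HttpListener";        Name = $ListenerName;     Kind = "listener" },
    @{ Property = "BackendHttpSettings"; Name = $HttpSettingsName; Kind = "HTTP settings" },
    @{ Property = "BackendAddressPool";  Name = $PoolName;         Kind = "back-end pool" }
)) {
    if (Test-ReferencedByRule $rules $check.Property $check.Name) {
        throw "$($check.Kind) '$($check.Name)' is still referenced by a request routing rule; remove or re-point the rule first."
    }
}

# Only remove components that actually exist on this gateway, so a re-run is harmless.
if ($AppGw.HttpListeners | Where-Object { $_.Name -eq $ListenerName }) {
    Remove-AzureRmApplicationGatewayHttpListener -ApplicationGateway $AppGw -Name $ListenerName | Out-Null
    Write-Host "Removing listener '$ListenerName'"
}
if ($AppGw.BackendHttpSettingsCollection | Where-Object { $_.Name -eq $HttpSettingsName }) {
    Remove-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $AppGw -Name $HttpSettingsName | Out-Null
    Write-Host "Removing HTTP settings '$HttpSettingsName'"
}
if ($AppGw.BackendAddressPools | Where-Object { $_.Name -eq $PoolName }) {
    Remove-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $AppGw -Name $PoolName | Out-Null
    Write-Host "Removing back-end pool '$PoolName'"
}

# Single commit: one long-running update instead of three.
Set-AzureRmApplicationGateway -ApplicationGateway $AppGw | Out-Null
Write-Host "Gateway '$GatewayName' updated."
```

Because the gateway object is only committed once at the end, a reference check that fails leaves the deployed configuration untouched, and because each removal is gated on the component existing in the local copy, running the script a second time after a partial cleanup does not error out on the components already gone.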

I’ll do a write up of the service once I have fully evaluated it. At this stage I’m not 100% sure what the difference is between this and Azure AD Application Proxy as the feature set overlaps a lot.