Share This
//Ignite 2019 - Web Application Gateway and Firewall

Ignite 2019 - Web Application Gateway and Firewall

Delivering PaaS Services Privately on Azure VNets with Private Link

Ignite Session: BRK3169 Presenter: Amit Srivastava

Mission Critical HTTP Applications, there are many things to consider

Personalized, Micro-Services, Rich Context…. To support this MS have a number of services i the Suite - Azure Frontdoor, Application Gateway, Azure CDN, Web Application Firewall, Azure Load Balancer, and Azure Traffic Manager

Azure Application Gateway

Regional Gateway as a service

FeatureDescription
Platform managedBuilt in high availability and scalability)
Layer 7 balancingURL Path, Host based, round robin, session affinity, redirection
Security and SSL managementWAF, SSL Offload, SSL Re-Encryption, SSL Policy
Public or ILBPublic, Internal or Both
Flexible backendsVMs, VMSS, AKS, Public IP, Cloud Services, ALB.ILB/ On-Premises
Rich DiagnosticsAzure Monitor, Log analytics, Network Watched, RHC, Azure Security Center

Standard V2 SKU in GA, Currently Available in 26 regions, Builtin Zone Redundancy, Static VIP, HTTP Header/cookies insertion/modification

  • Increased scale limits 20 -> 100 Listeners
  • Key Vault integration and auto-renewal of SSL Certs
  • AKS ingress Controller

Autoscaling and Performance Improvements

  • Grow and shrink based on app traffic requirements
  • 5X better SSL offloads performance
  • 500-50,000 connections/sec with RSA 2048 bit certs
  • 30,000-3,000,000 persistent connections
  • 2,500-250,000 reqs/sec

Announcing General Availability:

  • Frontend TLS cert integration with Azure Key Vault
  • Utilized user-assigned managed identity access control for key vault
  • User Certificates or secrets on key vault
  • Polls every 4 hours to enable automatic cert renewal
  • manual override of specific certificate version retrieval
  • Manipulate Request and Response headers & cookies
    • Strip port from X-Forwarded-for header
    • Add security headers like HSTS and X-XSS-Protection
    • Common header manipulation ex HOST, SERVER

AKS Ingress Control using Application Gateways

  • Deployed using Helm
  • Utilizes Pod-AAD for ARM authentication
  • Tighter integration with AKS add on support coming
  • Support URI path based, host based, SSL termination, SSL re-encryption, redirection, custom health probes, draining, cookie affinity
  • Support for Lets Encrypt provide TLS certificates
  • WAF fully supported with custom listener policy
  • Support for multiple AKS as backend
  • Support for mixed mode - both AKS and other backend types on the same Application Gateway

http://aka.ms/appgwaks

Wild Card Listener

  • Support for Wildcard characters in the listener host name
  • Support for * and ? Characters in host name
  • Associated wildcard or SAN certificates the service HTTPS enabled domains
  • Send traffic to multiple tenant end points

Diagnostics and logs enhancements

  • TLS Protocol
  • TLS Cipher
  • Backend target server
  • backend response code
  • backend latency

Metrics

  • Backend response status code
  • RPS healthy nodes
  • End to End Latency
  • Backend Latency
  • Backend connect, first byte and last byte latency

App Monitor Insights for Application Gateway

Single health and metic console for your entire cloud network No agent/configuration required

Azure WAF - Cloud Native WEB Application Firewall

Unified WAF offering to protect your apps at network edge or region uniformly

Public preview announced

Microsoft threats intelligence

  • Protect agains automatic attacks

    • Managed good and bad bots with Azure BotManager Rule Set
    • Data is refreshed daily
    • Easy to configure in WAF policy
    • Helps increase your applications performance, by stopping aggressive crawlers.
  • Site and URI path specific WAF Policies

    • Customized WAF police at the region WAF
    • Assign different Policies to different sites
    • Site specific polices implies you can tune the WAF to suit the needs of each site independently
  • Geo filtering on regional WAF

    • Allow or Block a list of countries,
    • Support log mode
  • Rule Set for CRS 3.1 added (to be the default soon)

  • Integration with Azure Sentinel

  • Performance and concurrency enhancements

Comments

01. About Author

Damian Flynn

I define myself as an evangelist; an entrepreneur & author with an ideology rooted in business insights, technology exploration, pattern analysis and high energy. I envision, theorize and develop system architecture and strategic business platforms, soaked in storytelling and innovative technology.

Find on :

02. Last Posts

Do you want to learn more ?

© / 2020 / All rights reserved.
Get in Touch
Close