Azure App Service Security: WAF Setup

Azure App Service Secured with a WAF

When you create an Azure App Service, it’s open to the public internet by default. This openness, while convenient, leaves your service vulnerable to various attacks such as Distributed Denial of Service (DDoS), Cross-Site Scripting (XSS), and SQL Injection. To secure your app, you need a Web Application Firewall (WAF) in front of it.

Secure Your App Service with Azure Front Door

One way to add a WAF is by using Azure Front Door, a global service offering features such as WAF, caching, and routing. Azure Front Door has a standard SKU priced at US$35 per month. However, the standard SKU lacks fully managed WAF rules, which means you must manually configure rules to protect against:

  • Zero-day vulnerabilities
  • Top-10 attack techniques
  • Use of stolen/exposed credentials

For enhanced security, Azure Front Door Premium at US$330 per month offers managed firewall rules, providing a higher level of protection with less manual intervention.

Refer to the Azure Front Door pricing model comparison page for more information.

Secure Your App Service with Cloudflare

An alternative is to use Cloudflare, a service that offers extensive features including unmetered DDoS protection, DNS hosting, SSL certificate management, multi-level caching at the edge, image optimization, analytics, and more. Cloudflare’s free plan provides WAF protection with a free managed ruleset. However, upgrading to the Pro plan for US$20 per month gives you access to advanced WAF protection, including:

Preventing users from bypassing the WAF

To ensure that all traffic to your Azure App Service passes through the WAF, follow these steps:

Step 1: Configure Cloudflare

  1. Log in to Cloudflare and navigate to the “Rules” menu.
  2. Click on “Header Modification” > “Modify Request Header” > “Create rule”.
  3. Create a rule with the following settings:
    • Rule Name: App Service Key
    • Condition: All incoming requests
    • Action: Set Static Header
    • Header Name: X-Azure-FDID
    • Value: <Your-Secret-ID>
  4. Deploy the rule.

Cloudflare Request Headers

Step 2: Configure Azure App Service

  1. In the Azure Portal, go to your App Service.
  2. Navigate to the “Networking” section.
  3. Under “Public network access”, select “Enabled with no access restrictions”.
  4. Under “Site access and rules”, add a new rule:

App Service Access Restrictions

This setup ensures that all traffic to your app service must have the X-Azure-FDID header with the secret value set in Cloudflare. Any traffic without this header is blocked, effectively preventing users from bypassing the WAF.
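The two halves of this setup modelled as an added example (not code from the original post, Azure, or Cloudflare): one function stands in for the Cloudflare “Set Static Header” rule, the other for the App Service access restriction that admits only requests carrying the secret. It assumes a constructed secret value in place of <Your-Secret-ID> and that the Cloudflare action overwrites any client-supplied X-Azure-FDID header; the in-app check is also usable as a defense-in-depth layer behind the platform rule.

```python
import hmac
import secrets

HEADER = "X-Azure-FDID"
# Constructed stand-in for <Your-Secret-ID>; in practice generate it with generate_secret_id().
APP_SERVICE_SECRET = "constructed-example-secret-id"


def generate_secret_id() -> str:
    """Produce a random value suitable for the header secret (64 hex characters)."""
    return secrets.token_hex(32)


def _header_value(headers: dict, name: str):
    """Case-insensitive header lookup, since HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def cloudflare_set_static_header(client_headers: dict, secret: str) -> dict:
    """Model of the Cloudflare rule: every proxied request leaves the edge with the
    static X-Azure-FDID header, replacing whatever value the client sent (assumption)."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != HEADER.lower()}
    forwarded[HEADER] = secret
    return forwarded


def app_service_access_check(headers: dict, expected_secret: str) -> int:
    """Model of the App Service access restriction: 200 only when the header is present
    and equals the secret, 403 otherwise. Constant-time comparison avoids leaking the
    secret through timing differences."""
    presented = _header_value(headers, HEADER)
    if presented is None:
        return 403
    if not hmac.compare_digest(presented.encode(), expected_secret.encode()):
        return 403
    return 200


def simulate(via_cloudflare: bool, client_headers: dict) -> int:
    """Status the app service returns for a request that either passes through
    Cloudflare (header injected at the edge) or hits the app service directly."""
    headers = (cloudflare_set_static_header(client_headers, APP_SERVICE_SECRET)
               if via_cloudflare else client_headers)
    return app_service_access_check(headers, APP_SERVICE_SECRET)
```

Treat the header value as a credential: it is the only thing standing between a direct request and your origin, so keep it out of client-side code and logs, and rotate it by updating both the Cloudflare rule and the access restriction together.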

Conclusion

Securing your Azure App Service is critical to protect it from various attacks. By using a WAF like Azure Front Door Premium or Cloudflare’s Pro plan, and configuring request headers to ensure all traffic passes through the WAF, you can significantly enhance the security of your app service. Choose the solution that best fits your needs and budget to keep your applications safe and secure.