4

I'm looking for some Azure security best practice advice. I've seen some articles around on how to do it, but not on whether it's necessarily required.

I have a customer who would like to move to Azure and they have specifically requested we stick to a PaaS solution as much as possible. The apps we'll be deploying are fairly straightforward, so a few web app services will meet the requirements.

The problem is they have always been fairly risk averse and security conscious, so I'm wondering if best practice would say we need each site in a virtual network behind an application gateway with a WAF, or can we just have the app services running and Azure will do enough by default?

On their current hosting solution we have a WAF and DDoS protection, but this was only a recent addition, and it's almost a tick-the-box exercise.

1 Answer 1

3

Security posture of an enterprise and compliance might play factors in the decision. I think keeping the site in a VNet behind an app gateway (with WAF, which mitigates OWASP Top 10 risks) is definitely more secure than a public app service. But considering the fact that you would want PaaS services and security, you will probably have to go the ASE route. As of now App Gtwy (with WAF) doesn't support App Services. Entry cost of ASE (need 4 instances with a minimum of two P2's for the front-end pool and two P1's for the worker pool) might be a little steep. Of course you can go the IaaS route for hosting within a VNet and have App Gtwy WAF front-ending the same.

If you go with pure App Service, Azure takes care of (infra and platform level) DDoS and man-in-the-middle attacks; you are responsible for (application level) SQL injection, XSS, CSRF etc., some of which will be taken care of by a WAF.

https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-security?toc=%2fazure%2fapp-service%2ftoc.json
