Overview
Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection, cross-site scripting, and local file inclusion are among the most common attacks. Azure Web Application Firewall (WAF) on VIDIZMO Virtual Machine Gateway provides centralized protection for your VIDIZMO web application from such common exploits and vulnerabilities. WAF is based on the Core Rule Set (CRS) 3.1, 3.0, or 2.2.9 from the Open Web Application Security Project (OWASP), which is a set of generic attack detection rules for use with compatible web applications.
If you have not yet set up your VIDIZMO VM on Azure Marketplace, see: How to setup VIDIZMO Virtual Machine (VM) on Azure Marketplace.
The WAF, configured on your VIDIZMO VM, automatically updates to include protection against new vulnerabilities, with no additional configuration needed.
Before you start
- To enable a Web Application Firewall (WAF) on your VIDIZMO VM, you need to create a Web Application Gateway for your VIDIZMO Application.
Web Application Firewall (WAF) Setup
1. Sign in to the Azure portal.
a. Click on Create a Resource.
2. Search for Application Gateway.
3. Click on the Create button.
Basics tab
4. Once you click on the Create button, the Basics settings page for the Application Gateway will be opened.
i. In the Subscription field, select your Azure Subscription (if it is not populated already).
ii. Select an already created resource group from the drop-down. If one doesn't exist, select Create new to create it. Click here to learn more about Azure Resources.
iii. Enter the name of the application gateway.
iv. Select Region where you wish to deploy the Application Gateway. It is recommended to select the region where the VIDIZMO VMs have been deployed.
v. Under Tier, choose the Standard WAF tier so that the Web Application Firewall is supported on this application gateway. You can also upgrade to a WAF tier after the application gateway has been created.
vi. Enter 2 in Instance count. The v1 tier supports high-availability scenarios when you have deployed two or more instances.
vii. Application gateways are offered in three sizes: Small, Medium, and Large. Small instances are intended for development and testing scenarios, so it is recommended to select Medium for SKU size.
viii. Enable the HTTP2 checkbox.
ix. For Azure to communicate between the resources that you create, it needs a virtual network. You can either create a new virtual network or use an existing one. In this example, you'll create a new virtual network at the same time that you create the application gateway. Application Gateway instances are created in separate subnets. You create two subnets in this example: one for the application gateway, and another for the backend servers.
Under Configure virtual network, create a new virtual network by selecting Create new. In the Create virtual network window that opens, enter the following values to create the virtual network and two subnets:
Note: If your VIDIZMO VM has already been deployed, you should use the same subnet here.
- Name: Enter myVNet (or any other name of your choice) for the name of the virtual network.
- Subnet name (Application Gateway subnet): The Subnets grid will show a subnet named Default. Change the name of this subnet to myAGSubnet. The application gateway subnet can contain only application gateways. No other resources are allowed.
- Subnet name (backend server subnet): In the second row of the Subnets grid, enter myBackendSubnet in the Subnet name column.
- Address range (backend server subnet): In the second row of the Subnets Grid, enter an address range that doesn't overlap with the address range of myAGSubnet. For example, if the address range of myAGSubnet is 10.0.0.0/24, enter 10.0.1.0/24 for the address range of myBackendSubnet.
- Select OK to close the Create virtual network window and save the virtual network settings.
x. Now in the Basics tab, select Next: Frontends.
Frontends tab
5. On the Frontends tab:
i. Verify Frontend IP address type is set to Public. You can configure the Frontend IP to be Public or Private as per your use case. In this example, you'll choose a Public Frontend IP.
ii. Choose Add new for the Public IP address and enter myAGPublicIPAddress for the public IP address name.
iii. Click OK.
iv. Select Next: Backends.
Backend tab
6. A backend pool is a collection of resources to which the application gateway can send traffic. In this example, you'll create an empty backend pool with your application gateway and then add the backend targets of your VIDIZMO App to the backend pool. On this screen:
i. Select Add a backend pool. The Add backend pool window opens.
ii. Give your backend pool a suitable name; for demonstration purposes, the name myBackendPool is used here.
iii. Select Yes for Backend pool without targets (to create an empty backend pool).
iv. Click the Add button in the Add a backend pool window to return to the Backends tab.
v. Click the Next: Configuration button to move to the Configuration tab.
Configuration Tab
7. In this tab, the frontend and the backend pool created in the previous steps are connected using a routing rule.
i. Under Routing rules, click +Add a rule. The Add a routing rule window opens.
ii. Give your rule a name, for example myRoutingRule.
iii. A routing rule requires a listener. On the Listener tab within the Add a routing rule window, enter the Name for the listener.
iv. Select Public to choose the public IP we created for the frontend.
v. Accept the default values for the other settings on the Listener tab, then select the Backend targets tab to configure the rest of the routing rule.
vi. On the Backend targets tab, select myBackendPool for the Backend target.
vii. For the HTTP setting, select Add new to create a new HTTP setting. The HTTP setting will determine the behavior of the routing rule. In the Add an HTTP setting window that opens, enter myHTTPSetting for the HTTP setting name.
viii. Accept the default values for the other settings in the Add an HTTP setting window, then select Add to return to the Add a routing rule window.
ix. On the Add a routing rule window, select Add to save the routing rule and return to the Configuration tab.
x. Select Next: Tags to move on to the Tags tab.
Tags tab
8. Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups. This step is optional, so you can leave it blank.
i. Click Next: Review + Create, to move on to the Review tab.
Review + create tab
9. Here you can review a summary of the major configuration settings made while creating the Application Gateway. From this page, you can also go back and update any settings if needed. Click the Create button to create the Application Gateway.
Once you click the Create button, you are taken to a screen showing the WAF deployment progress. After successful deployment, you will receive a notification in the notification tray.
Adding Backend targets
Here you will use the pre-configured VIDIZMO virtual machine as the backend target. If you do not have a VIDIZMO VM, see: How to create VIDIZMO VM on Azure Market Place.
10. To add the VIDIZMO VM as the backend target, from your Azure portal's homepage:
i. Click on the left menu.
ii. Select All resources.
11. In the All resources screen:
i. Search for your newly created Application Gateway and click to open it.
ii. In the resource screen, search for Backend pools and click to open it.
12. The Edit backend pool screen opens.
i. Here, in Target type select Virtual Machine.
ii. In Target enter the name of your VIDIZMO VM.
iii. Click the Save button to add the VIDIZMO VM to the backend pool. This completes the activity.
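The same gateway can be built from the Azure CLI. The script below is an added example (not VIDIZMO's own tooling) that mirrors steps 4 to 12 above with the same subnet ranges, tier, size, instance count and HTTP/2 setting; it assumes the resource group, region and VM network interface names given as RG, LOCATION and VM_NIC, and the backend pool and rule keep the CLI's default names rather than myBackendPool and myRoutingRule.

```shell
#!/usr/bin/env bash
# Azure CLI counterpart of the portal steps above (added example, not VIDIZMO's tooling).
# Assumed values: RG, LOCATION and VM_NIC. Set AZ=echo to preview the commands without running them.
set -eu
AZ="${AZ:-az}"
RG="${RG:-myResourceGroup}"        # assumed: resource group holding the VIDIZMO VM
LOCATION="${LOCATION:-eastus}"     # assumed: use the region where the VIDIZMO VM runs
VM_NIC="${VM_NIC:-vidizmoVMNic}"   # assumed: name of the VIDIZMO VM's network interface

create_network() {
  # Step 4.ix: one VNet, a gateway-only subnet and a non-overlapping backend subnet
  $AZ network vnet create -g "$RG" -l "$LOCATION" -n myVNet --address-prefix 10.0.0.0/16 \
      --subnet-name myAGSubnet --subnet-prefix 10.0.0.0/24
  $AZ network vnet subnet create -g "$RG" --vnet-name myVNet -n myBackendSubnet \
      --address-prefixes 10.0.1.0/24
  # Step 5: public frontend IP (v1 tiers use a Basic, dynamically allocated address)
  $AZ network public-ip create -g "$RG" -l "$LOCATION" -n myAGPublicIPAddress \
      --sku Basic --allocation-method Dynamic
}

create_gateway() {
  # Steps 4.v-viii, 6 and 7: WAF tier, Medium size, 2 instances, HTTP/2, an empty
  # backend pool and one basic routing rule on port 80 (the portal defaults).
  # The CLI names these objects itself (appGatewayBackendPool, rule1, ...).
  $AZ network application-gateway create -g "$RG" -l "$LOCATION" -n myAppGateway \
      --sku WAF_Medium --capacity 2 --http2 Enabled \
      --vnet-name myVNet --subnet myAGSubnet --public-ip-address myAGPublicIPAddress \
      --frontend-port 80 --http-settings-port 80 --http-settings-protocol Http \
      --routing-rule-type Basic
  # Enforce OWASP CRS 3.1 in Prevention mode; use Detection first if you want to
  # review the firewall log for false positives before blocking.
  $AZ network application-gateway waf-config set -g "$RG" --gateway-name myAppGateway \
      --enabled true --firewall-mode Prevention --rule-set-type OWASP --rule-set-version 3.1
}

add_backend_vm() {
  # Steps 10-12: attach the VIDIZMO VM's NIC to the gateway's backend pool
  $AZ network nic ip-config address-pool add -g "$RG" --nic-name "$VM_NIC" \
      --ip-config-name ipconfig1 --gateway-name myAppGateway \
      --address-pool appGatewayBackendPool
}

main() { create_network; create_gateway; add_backend_vm; }
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` after signing in with `az login`; with `AZ=echo` it only prints the commands so you can check the values before creating anything.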
Creating a storage account and configuring diagnostics
The VIDIZMO application gateway uses a storage account to store data for detection and prevention purposes. You can also use Azure Monitor logs or Event Hub to record data. See: How to create a storage account and configure diagnostics.
Creating and Linking a Web Application Firewall Policy
All of the WAF customizations and settings live in a separate object called a WAF Policy, which must be associated with your VIDIZMO Application Gateway. To create a WAF Policy, see Create a WAF Policy. Once it has been created, you can associate the policy with your WAF from the WAF Policy's Associated VIDIZMO Application Gateways tab.