
Using Azure Web App with WAF

Introduction

In this guide, we will walk through the process of setting up an Azure Web App with a Web Application Firewall (WAF) using Pulumi. The key services involved include Azure App Service for hosting the web app and Azure Application Gateway for the WAF.

Step-by-Step Explanation

Step 1: Create an Azure Resource Group

First, we need to create an Azure Resource Group to contain all the resources.

Step 2: Create an Azure App Service Plan

Next, we create an App Service Plan, which defines the region and pricing tier for the web app.

Step 3: Create an Azure Web App

We then create the Azure Web App itself, which will be hosted on the App Service Plan.

Step 4: Create an Azure Application Gateway

We create an Application Gateway to act as the WAF. This involves setting up the gateway's IP configuration, frontend port and listener, defining the backend pool that points at the web app, and configuring the HTTP settings and routing rule.

Step 5: Configure WAF Rules

Finally, we enable the WAF on the Application Gateway in Prevention mode with the OWASP rule set (version 3.0) to protect the web app from common web vulnerabilities.

Conclusion

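By following these steps, you will have set up an Azure Web App behind a Web Application Firewall using Pulumi. The gateway inspects requests against the OWASP rule set before forwarding them to the app. Note that the example listens on plain HTTP (port 80) and leaves the web app's default hostname reachable directly, so add an HTTPS listener and App Service access restrictions if all traffic must pass through the WAF.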

Full Code Example

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";

// Step 1: Create an Azure Resource Group
const resourceGroup = new azure.resources.ResourceGroup("resourceGroup", {
    location: "WestUS",
});

// Step 2: Create an Azure App Service Plan
const appServicePlan = new azure.web.AppServicePlan("appServicePlan", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    sku: {
        name: "B1",
        tier: "Basic",
    },
});

// Step 3: Create an Azure Web App
const webApp = new azure.web.WebApp("webApp", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    serverFarmId: appServicePlan.id,
    siteConfig: {
        appSettings: [{
            name: "WEBSITE_RUN_FROM_PACKAGE",
            value: "1",
        }],
    },
});

// Step 4: Create an Azure Application Gateway
const applicationGateway = new azure.network.ApplicationGateway("applicationGateway", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    sku: {
        name: "WAF_Medium",
        tier: "WAF",
        capacity: 2,
    },
    gatewayIPConfigurations: [{
        name: "appGatewayIpConfig",
        subnet: {
            id: "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/virtualNetworks/{vnet-name}/subnets/{subnet-name}",
        },
    }],
    frontendIPConfigurations: [{
        name: "appGatewayFrontendIp",
        publicIPAddress: {
            id: "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/publicIPAddresses/{public-ip-name}",
        },
    }],
    frontendPorts: [{
        name: "appGatewayFrontendPort",
        port: 80,
    }],
    backendAddressPools: [{
        name: "appGatewayBackendPool",
        backendAddresses: [{
            fqdn: webApp.defaultHostName,
        }],
    }],
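    backendHttpSettingsCollection: [{
        name: "appGatewayBackendHttpSettings",
        port: 80,
        protocol: "Http",
        cookieBasedAffinity: "Disabled",
        // App Service routes requests by Host header, so forward the backend's
        // own hostname instead of the gateway's.
        pickHostNameFromBackendAddress: true,
    }],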
    httpListeners: [{
        name: "appGatewayHttpListener",
        frontendIPConfiguration: {
            id: "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/applicationGateways/{app-gateway-name}/frontendIPConfigurations/appGatewayFrontendIp",
        },
        frontendPort: {
            id: "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/applicationGateways/{app-gateway-name}/frontendPorts/appGatewayFrontendPort",
        },
        protocol: "Http",
    }],
    requestRoutingRules: [{
        name: "appGatewayRoutingRule",
        ruleType: "Basic",
        httpListener: {
            id: "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/applicationGateways/{app-gateway-name}/httpListeners/appGatewayHttpListener",
        },
        backendAddressPool: {
            id: "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/applicationGateways/{app-gateway-name}/backendAddressPools/appGatewayBackendPool",
        },
        backendHttpSettings: {
            id: "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Network/applicationGateways/{app-gateway-name}/backendHttpSettingsCollection/appGatewayBackendHttpSettings",
        },
    }],
    // Step 5: Configure WAF Rules (OWASP rule set, requests are blocked rather than only logged)
    webApplicationFirewallConfiguration: {
        enabled: true,
        firewallMode: "Prevention",
        ruleSetType: "OWASP",
        ruleSetVersion: "3.0",
    },
});

export const resourceGroupName = resourceGroup.name;
export const appServicePlanName = appServicePlan.name;
export const webAppName = webApp.name;
export const applicationGatewayName = applicationGateway.name;
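
A pre-deployment check for the settings that decide whether the gateway really fronts the app, as an added example that is not part of the original page or Pulumi's own code. The interfaces are a hand-written subset of the argument shapes used above, and `auditWafSetup`, `gatewaySubnetId` and the sample values are hypothetical.

```typescript
// Added example: hand-written subset of the argument shapes used in the
// program above, not the @pulumi/azure-native typings.
type Finding = { id: string; where: string };
interface BackendSettings {
    name: string; protocol: string;
    pickHostNameFromBackendAddress?: boolean; hostName?: string;
}
interface Gateway {
    httpListeners: { name: string; protocol: string }[];
    backendHttpSettingsCollection: BackendSettings[];
    webApplicationFirewallConfiguration?: { enabled: boolean; firewallMode: string };
}
interface Site { ipSecurityRestrictions?: { action: string; vnetSubnetResourceId?: string }[] }

// gatewaySubnetId is a hypothetical parameter: the subnet the gateway is deployed in.
function auditWafSetup(gw: Gateway, site: Site, gatewaySubnetId: string): Finding[] {
    const out: Finding[] = [];
    const waf = gw.webApplicationFirewallConfiguration;
    if (!waf || !waf.enabled) out.push({ id: "waf-disabled", where: "gateway" });
    else if (waf.firewallMode !== "Prevention") out.push({ id: "waf-detect-only", where: "gateway" });
    for (const l of gw.httpListeners)
        if (l.protocol.toLowerCase() !== "https") out.push({ id: "listener-plaintext", where: l.name });
    for (const s of gw.backendHttpSettingsCollection) {
        if (s.protocol.toLowerCase() !== "https") out.push({ id: "backend-plaintext", where: s.name });
        // App Service routes by Host header; without an override it receives the gateway's host.
        if (!s.pickHostNameFromBackendAddress && !s.hostName) out.push({ id: "backend-host-header", where: s.name });
    }
    // A non-empty restriction list ends in an implicit deny-all, so the app is tied
    // to the gateway only when Allow rules exist and each one names the gateway subnet.
    const allows = (site.ipSecurityRestrictions ?? []).filter(r => r.action === "Allow");
    const locked = allows.length > 0 && allows.every(r => r.vnetSubnetResourceId === gatewaySubnetId);
    if (!locked) out.push({ id: "origin-not-restricted-to-gateway", where: "webApp" });
    return out;
}

// Constructed sample inputs (placeholder subnet id, not a real resource).
const SUBNET = "gateway-subnet-id-placeholder";
const sample = (protocol: string, pick: boolean): Gateway => ({
    httpListeners: [{ name: "appGatewayHttpListener", protocol }],
    backendHttpSettingsCollection: [{ name: "appGatewayBackendHttpSettings", protocol, pickHostNameFromBackendAddress: pick }],
    webApplicationFirewallConfiguration: { enabled: true, firewallMode: "Prevention" },
});
const weakFindings = auditWafSetup(sample("Http", false), {}, SUBNET).map(f => f.id);
const hardFindings = auditWafSetup(sample("Https", true),
    { ipSecurityRestrictions: [{ action: "Allow", vnetSubnetResourceId: SUBNET }] }, SUBNET).map(f => f.id);
```

An empty result for the second sample means every request has to enter through the WAF listener over TLS; any finding on the first names a path or hop the WAF does not cover.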
