How to – Secure an Application Service with Application Gateway v2

Application Gateway conceptual

Application Gatway v2 brings several welcome additions to the service since it’s initial v1 release. For those who have spent time configuring an Application Gateway, you’ll be glad to hear that udpate/modification times have been drastically reduced. Better performance and the addition of functionality are some of the other main reasons to use v2 over v1. The entire list can be found here.

Recently, I had to secure an Application Service with an Application Gateway v2 on the WAF (web application firewall) tier. This is something I have done several times with v1 without any significant issue. In this instance the Application Service runs on a custom domain as does the Application Gateway. Requirements were to run SSL end to end and have WAF run in prevention mode.

If you’ve ever done this before, you know there are some basics to be completed within your Application Service. For this post and my requirement, they were map a custom domain, runs HTTPS only and prep rules to allow connections only from your Application Gateway. How to do all of that can be found at the following links:

Once your Application Service is ready to go, you move on to configuring your Application Gateway. This is a relatively simple process and can even be completed within the Portal. There is a published guide here. However, once it was configured, I noticed that certain redirect functionality aspects of the application were returning the default host name of the Application Service. This can also happen if you use Azure AD authentication. With WAF in prevention mode, this returns a 403 as a default rule picks up the change in address.

The reason for this is how both Application Gateway and Application Service handle their host headers. To fix this issue, there are two changes you can make, one of which that is only possible on Application Gateway v2.

The v2 only fix is to rewrite the location in the host header using rewrite rules. Rewrite rules are new functionality only included in v2. A guide on what you need to do exactly is here. Make sure the text is exactly as in the guide or it will not work.

The second option, and the one that is more common is to change how your Custom Probe and HTTP settings are configured. The reason for this is that the default guide does not take into account the use of a custom domain on your Application Service. For both settings, modify and remove the ” PickHostNameFromBackendAddress” setting. Now, the Application Gateway will forward the same hostname and redirection will happen on the same too. Full guide here.

As always, if there are any questions on the above, get in touch!

Azure App Service and Windows Containers

Containerisation of applications is something that is becoming more and more common. Allowing developers to “wrap” all requirements into an individual element which the infrastructure team can then deploy where resources are available opens a door to the most modern options in application deployment and management.

Enter Azure App Service, which for years now has been removing the need for an infrastructure management layer and allowing teams to focus on deployment and performance. Traditionally, you had to deploy your apps within the allowed parameters of your App Service Plan (ASP). However, you can now run containers as part of this platform.

Combine this with a Container Registry, such as Azure Container Registry and you can deploy images within minutes. These images can then be scaled within your ASP to meet demand and can be updated as required using your current CI/CD processes.

This had been limited to Linux based containers, but Microsoft have recently announced a public preview of the ability to run Windows containers within your ASP. This is targeted towards customers interested in migrating .NET applications to Azure, and hoping to avail of a PaaS service to get the many productivity benefits such as high availability within and across Azure regions. This can also increase application redundancy options by using integrated backup/restore and app cloning options.

WebAppForContainers
Example deployment scenario

The preview capabilities are appropriate for testing and POC environments, but there are of course some limitations and preview deployments are not recommended for production workloads in any scenario.

Within the preview the following is supported:

  • Deploy containerized applications using Docker Hub, Azure Container Registry, or private registries.
  • Incrementally deploy apps into production with deployment slots and slot swaps.
  • Scale out automatically with auto-scale.
  • Enable application logs and use the App Service Log Streaming feature to see logs from your application.
  • Use PowerShell and Win-RM to remotely connect directly into your containers.

For a quick start/how-to see the following link.