Sitecore Experience Management

Using Application Gateway to secure your Content Delivery server

Abstract

Secure your CD server firewall with Application Gateway.

Application Gateway is a web traffic load balancer that provides application layer (OSI layer 7) load balancing and includes the Web Application Firewall (WAF). The following deployment topology shows how WAF provides centralized inbound protection of your web applications from the most common exploits and vulnerabilities.

Application Gateway topology

Using Application Gateway means:

  • All services are publicly available

  • Your Content Delivery server runs behind WAF and IP restrictions on the Web App. This limits access to traffic that comes from the Application Gateway.

  • You can restrict the IP of other services

The following is a list of limitations with WAF and Application Gateway:

  • Autoscaling is not yet available for the WAF SKU. You must configure WAF for Fixed capacity mode instead of Autoscaling mode. If your requirements mean you must create an autoscaling, zone redundant application gateway, follow the instructions in the Application Gateway autoscale tutorial.

    Note

    Application Gateway and WAF are available in Public Preview, under the WAF version 2 SKU tier. WAF version 2 tier offers:

    • Performance enhancements.

    • Support for critical new features such as autoscaling, zone redundancy, and static VIPs.

  • Using Application Gateway with the WAF tier enabled means only dynamic IP addresses are supported. The dynamic IP does not change unless you restart Application Gateway manually. This means the IP filter that you set up on your Content Delivery Web App might become stale.

    Note

    This only applies to the WAF tier and not the WAF 2 tier. If you require high availability and a static IP, you must use WAF version 2.
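
The stale IP filter described above can be detected by comparing the gateway's current public IP with the access restrictions on the Content Delivery Web App. The following Python check is an added example, not Sitecore or Microsoft code. It assumes the rules are exported as a list with `name`, `ipAddress`, `action` and `priority` fields (modelled on the Web App's `ipSecurityRestrictions` setting), that rules are IPv4, and it uses constructed sample addresses.

```python
import ipaddress

def _network(rule):
    # "Any" is the value Azure shows for the default allow-all rule.
    value = rule["ipAddress"]
    return ipaddress.ip_network("0.0.0.0/0" if value == "Any" else value, strict=False)

def effective_action(source_ip, rules):
    """Action applied to source_ip: the lowest priority number is matched first;
    once any rule exists, unmatched traffic is denied."""
    if not rules:
        return "Allow"
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if addr in _network(rule):
            return rule["action"]
    return "Deny"

def audit_cd_restrictions(gateway_ip, rules):
    """Return findings that compare the gateway's current IP with the CD rules."""
    if not rules:
        return ["OPEN: no access restrictions, the CD Web App is reachable without passing through WAF"]
    findings = []
    addr = ipaddress.ip_address(gateway_ip)
    if effective_action(gateway_ip, rules) != "Allow":
        findings.append(f"STALE: gateway IP {gateway_ip} is denied by the current rules")
    for rule in rules:
        if rule["action"] != "Allow":
            continue
        net = _network(rule)
        if addr not in net:
            findings.append(f"ORPHAN: '{rule['name']}' allows {net}, which does not match the gateway")
        elif net.num_addresses > 1:
            findings.append(f"BROAD: '{rule['name']}' allows {net}, wider than the gateway address")
    return findings

# Constructed sample data (documentation address range), not from a real deployment.
RULES = [{"name": "appgw-only", "ipAddress": "203.0.113.10/32", "action": "Allow", "priority": 100}]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.77"):  # before and after a gateway restart
        print(ip, audit_cd_restrictions(ip, RULES) or ["OK"])
```

Running a check like this on a schedule, or after any manual restart of Application Gateway, shows when the Web App filter needs to be updated to the new address.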