Using Azure Application Gateway to secure your Content Delivery server

Version: 9.1

Azure Application Gateway is a web traffic load balancer that provides application layer (OSI level 7) load balancing, and includes the Web Application Firewall (WAF). The Application Gateway offers a scalable service that is fully managed by Azure.

WAF is a feature of the Application Gateway that provides centralized protection for your web applications from common exploits and vulnerabilities. WAF is based on rules from the Open Web Application Security Project (OWASP) core rule sets 3.0 or 2.2.9.

Note

WAF and Application Gateway are compatible with Content Delivery servers (CD). They are not compatible with Content Management (CM) servers.

The following deployment topology shows how WAF provides centralized inbound protection of your web applications from the most common exploits and vulnerabilities.

Application Gateway topology

Deployment

Using Application Gateway means:

  • All services are publicly available.

  • Your Content Delivery (CD) server runs behind WAF and IP restrictions on the Web App. This limits access to requests that come from the Application Gateway.

  • You can restrict the IP of other services.

Limitations

The following is a list of limitations with WAF and Application Gateway:

  • Autoscaling is not yet available for the WAF SKU. You must configure WAF for Fixed capacity mode instead of Autoscaling mode. If your requirements mean you must create an autoscaling, zone redundant application gateway, follow the instructions in the Application Gateway autoscale tutorial.

    Note

    Application Gateway and WAF are available in Public Preview, under the WAF version 2 SKU tier. WAF version 2 tier offers:

    • Performance enhancements.

    • Support for critical new features such as autoscaling, zone redundancy, and static VIPs.

  • Using Application Gateway with the WAF tier enabled means only dynamic IP addresses are supported. The dynamic IP does not change unless you restart Application Gateway manually. This means the IP filter that you set up on your Content Delivery Web App might become stale.

    Note

    This only applies to the WAF tier and not the WAF 2 tier. If you require high availability and a static IP, you must use WAF version 2.

  • WAF and Application Gateway are compatible with Content Delivery (CD) servers; they are not compatible with Content Management (CM) servers.
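
The stale IP filter described in the limitations above can be detected by comparing the Web App's allow rules with the gateway's current frontend IP. The following Python is an added example, not Sitecore or Azure code; the rule fields (`name`, `action`, `cidr`) and all addresses are constructed for illustration and would need to be mapped from your own export of the Web App's access restrictions.

```python
import ipaddress

def audit_ip_filter(gateway_ip, rules):
    """Compare Web App allow rules with the gateway's current frontend IP.

    rules: list of dicts with assumed keys 'name', 'action', 'cidr'.
    Returns:
      gateway_allowed - True if some allow rule covers the gateway IP
      stale           - allow rules that do not cover the gateway IP
                        (for example, left over from a previous dynamic IP)
      too_broad       - allow rules wider than a single address
    """
    gw = ipaddress.ip_address(gateway_ip)
    findings = {"gateway_allowed": False, "stale": [], "too_broad": []}
    for rule in rules:
        if rule["action"].lower() != "allow":
            continue  # deny rules cannot open access to the CD server
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if gw.version == net.version and gw in net:
            findings["gateway_allowed"] = True
        else:
            findings["stale"].append(rule["name"])
        if net.num_addresses > 1:
            findings["too_broad"].append(rule["name"])
    return findings

# Constructed sample: the filter was written when the gateway held
# 203.0.113.10; after a manual restart it now holds 203.0.113.25.
SAMPLE_RULES = [
    {"name": "allow-appgw", "action": "Allow", "cidr": "203.0.113.10/32"},
    {"name": "allow-legacy-range", "action": "Allow", "cidr": "198.51.100.0/24"},
    {"name": "deny-all", "action": "Deny", "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    result = audit_ip_filter("203.0.113.25", SAMPLE_RULES)
    if not result["gateway_allowed"]:
        print("Gateway IP is not in the allow list: CD traffic will be blocked")
    for name in result["stale"]:
        print(f"Allow rule does not match the gateway: {name}")
    for name in result["too_broad"]:
        print(f"Allow rule is wider than one address: {name}")
```

A stale allow rule matters in both directions: legitimate traffic through the gateway is rejected, and whoever now holds the old address can reach the CD server without passing through WAF.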
