In this part I will cover the application recommendations; there are only two of them.
Here are the other parts:
Add a web application firewall
The following plan of action can be executed to comply with the Azure Security Center recommendation.
- Create a Resource Group in which the Application Gateway will be deployed, or choose an existing one during deployment.
- Create a Network Security Group; this will be attached to the new dedicated subnet for the Web Application Firewall. Remember to open ports 80 and/or 443.
- Add a dedicated subnet in the VNET for the Web Application Firewall and attach the NSG that you have created.
- Create a new Application Gateway and select the following options:
  - Choose the WAF tier.
  - Choose the SKU size (medium or large); this can be adjusted afterwards.
  - Choose the number of instances; this can be adjusted afterwards.
  - Choose the subscription.
  - Select the resource group that you created earlier, or your own.
  - Select the location.
  - On the tab with the number 2, select the VNET in which you created the dedicated subnet and select that subnet.
  - Create a new public IP address or choose an existing one. (WAF only supports dynamic public IP addresses.)
  - Select the listener configuration (HTTP/HTTPS) and the port. If you have chosen HTTPS you must upload a PFX. Additional listeners can be created afterwards.
  - Choose the Firewall status (Enabled / Disabled) and Firewall mode (Detection / Prevention); these settings can also be adjusted afterwards.
- After the Web Application Firewall has been created you must add the virtual machine's private IP address to the backend configuration.
You have now created a second entry point for the public service of the virtual machine, so you can test your public service through the WAF while the old path still works. After the new setup has been approved, change the DNS for the public service and remove the port configuration (80/443) from the public IP of the virtual machine and from its NSG, so that the only remaining path to the service runs through the WAF.
Finalize application protection
What this recommendation actually means is that you need to re-route your traffic through the newly deployed Web Application Firewall. This is done by updating the DNS record for the application so that it points at the public IP of the Web Application Firewall instead of the public IP of the virtual machine.
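The deployment steps above and the cut-over described in both sections, scripted with the Az PowerShell module. This is an added example and not part of the original post or of Microsoft's own documentation; the resource group, region, VNET, subnet range, NSG names, backend IP and PFX path are assumptions to be replaced with your own values. The rule for ports 65503-65534 is a platform requirement of the v1 (WAF tier) SKU for its health probes that the post does not mention.

```powershell
# Added example (not from the original post): deploy the Application Gateway WAF
# from the steps above with the Az module, then close the VM's direct 80/443 path.
# Every name, range and path below is an assumption; replace them with your own.
$rgName    = 'rg-waf-example'       # assumed resource group for the gateway
$location  = 'westeurope'           # assumed region
$vnetName  = 'vnet-app'             # assumed existing VNET that holds the VM
$wafSubnet = 'snet-waf'             # dedicated subnet for the WAF
$wafPrefix = '10.0.10.0/27'         # assumed free range inside the VNET
$backendIp = '10.0.1.4'             # assumed private IP of the virtual machine
$pfxPath   = 'C:\certs\app.pfx'     # placeholder path to the PFX for HTTPS
$pfxPass   = Read-Host -AsSecureString 'PFX password'

# 1. Resource group in which the gateway is deployed.
New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# 2. NSG for the dedicated subnet: open 80 and 443 from the Internet.
#    65503-65534 is required by the v1 WAF SKU for its health probes.
$rules = @(
  New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP' -Priority 100 -Direction Inbound -Access Allow `
    -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 80
  New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS' -Priority 110 -Direction Inbound -Access Allow `
    -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 443
  New-AzNetworkSecurityRuleConfig -Name 'Allow-AppGw-Infra' -Priority 120 -Direction Inbound -Access Allow `
    -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '65503-65534'
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location -Name 'nsg-waf' -SecurityRules $rules

# 3. Dedicated subnet in the existing VNET with the NSG attached.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
Add-AzVirtualNetworkSubnetConfig -Name $wafSubnet -VirtualNetwork $vnet -AddressPrefix $wafPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $wafSubnet -VirtualNetwork $vnet

# 4. Dynamic public IP (the WAF tier only supports dynamic allocation).
$pip = New-AzPublicIpAddress -ResourceGroupName $rgName -Name 'pip-waf' -Location $location -AllocationMethod Dynamic

# 5. Gateway building blocks: VM private IP as backend, HTTPS listener with the PFX,
#    WAF tier, medium size, two instances, firewall enabled in Prevention mode.
$gwIpConfig = New-AzApplicationGatewayIPConfiguration -Name 'gw-ipconfig' -Subnet $subnet
$pool       = New-AzApplicationGatewayBackendAddressPool -Name 'pool-vm' -BackendIPAddresses $backendIp
$settings   = New-AzApplicationGatewayBackendHttpSetting -Name 'http-settings' -Port 80 -Protocol Http -CookieBasedAffinity Disabled
$feIp       = New-AzApplicationGatewayFrontendIPConfig -Name 'fe-ip' -PublicIPAddress $pip
$fePort     = New-AzApplicationGatewayFrontendPort -Name 'fe-port-443' -Port 443
$cert       = New-AzApplicationGatewaySslCertificate -Name 'app-cert' -CertificateFile $pfxPath -Password $pfxPass
$listener   = New-AzApplicationGatewayHttpListener -Name 'listener-https' -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $cert
$rule       = New-AzApplicationGatewayRequestRoutingRule -Name 'rule-1' -RuleType Basic -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $settings
$sku        = New-AzApplicationGatewaySku -Name WAF_Medium -Tier WAF -Capacity 2
$wafConfig  = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion '3.0'

New-AzApplicationGateway -Name 'agw-waf' -ResourceGroupName $rgName -Location $location `
  -GatewayIPConfigurations $gwIpConfig -BackendAddressPools $pool -BackendHttpSettingsCollection $settings `
  -FrontendIPConfigurations $feIp -FrontendPorts $fePort -SslCertificates $cert -HttpListeners $listener `
  -RequestRoutingRules $rule -Sku $sku -WebApplicationFirewallConfiguration $wafConfig

# 6. Cut-over: once DNS points at the gateway's public IP, remove the direct
#    80/443 rules from the VM's NSG (assumed NSG and rule names) so the WAF is the only path.
$vmNsg = Get-AzNetworkSecurityGroup -Name 'nsg-vm' -ResourceGroupName $rgName
foreach ($ruleName in 'Allow-HTTP', 'Allow-HTTPS') {
  Remove-AzNetworkSecurityRuleConfig -Name $ruleName -NetworkSecurityGroup $vmNsg | Out-Null
}
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $vmNsg | Out-Null
```

Run the script after `Connect-AzAccount` with an account that can write to the resource group and VNET. Step 6 is deliberately last: run it only after the DNS change has propagated and the service has been verified through the gateway, otherwise the application becomes unreachable during the switch. Starting the firewall in Detection mode and reading the gateway's firewall logs for a while before switching to Prevention is the usual way to catch false positives before they block real users.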
Thanks for reading this short blog, keep posted for the next recommendations.