I am looking for alternative options to Azure DDoS protection for protecting my Azure hosted web applications. Azure DDoS is $2944/month which is too pricey for us.
We currently have several web apps hosted in Azure sitting behind an Azure App Gateway (with WAF). Would it be possible to add DDoS protection from a 3rd party vendor such as AWS Shield or Cloudflare without reconfiguring our web apps to use a new layer 7 gateway? Or is the only option to replace the Azure App Gateway with a different vendor gateway? Is the DDoS solution generally tied to whichever layer 7 gateway is being used?
Ideally I would like to be able to enable a DDoS layer of protection without having to restructure our Azure services if that's at all possible.
There are some enhancements and updates in the Azure network security portfolio, including Azure DDoS Protection, which will be announced at Microsoft Ignite 2022 from October 12 to 14.
There will be a public preview of the latest Azure DDoS Protection SKU at Ignite (10/12/2022), and the pricing for that would be much lower. You can wait until the announcement and consider that.
Refer to: https://techcommunity.microsoft.com/t5/azure-network-security-blog/microsoft-ignite-2022-explore-what-s-new-in-azure-network/ba-p/3645142
Alternatively – Azure Front Door with WAF and Cloudflare are also valid options.
You can enable the Cloudflare DDoS layer of protection without having to restructure the existing Azure services. The DDoS solution is not tied to whichever layer 7 gateway is being used.
Related
I am working on a project hosted in Azure, and that project uses Azure services under the hood, such as Device Provisioning Service and SignalR.
So, the question is quite simple: how to mitigate DDoS attacks on Azure SignalR and Device Provisioning Service?
Azure provides a DDoS protection service, but it does not support these services.
The Microsoft edge network provides DDoS protection against cloud services; DDoS protection as a service is available for network-based resources on virtual networks rather than those that are classed as platform-as-a-service.
I understand that Azure Web Apps as a PaaS offering are inherently more secure than if hosting on your own VM ... but does that mean a firewall solution is not required at all?
Azure offers a few solutions, but anything acting as a firewall seems expensive - so we are wondering if we can just do without one.
Not required as long as you have secured login for sensitive data and enabled CORS rules. Other protections, like a firewall and DDoS protection, you can definitely add to your subscription.
It is not required; however, depending on the type of application you are building it is greatly encouraged, if not required by specific industries.
Depending on your architecture and/or approach, and if cost is a concern, I'd recommend Azure Front Door with Web Application Firewall (WAF) enabled. This will cover additional security for your application at a reasonable cost and can also potentially serve as a Traffic Manager/load balancer.
I already have a domain name purchased from Google Domains.
I would like to host this site on Microsoft Azure. How should I plan to purchase all the required resources on Azure if I want to host a Wordpress site, but would also need control over the size in case I plan in future to host some microsite with NodeJS or other technologies like Java or .NET Core?
What would be my cost per month considering the above requirements?
Below is the list that I envisioned that I may need. Can anyone suggest something that I missed?
A VM with Ubuntu (That would take care of Wordpress, Database(MySQL), NodeJS, Java and others)
Map my domain with Azure and map it with the VM
The solution you're thinking of is also known as IaaS (Infrastructure as a Service) and it is something you'd usually consider when migrating from an on-prem solution where you already have the VM images for your needs.
In your particular case I'd recommend looking into PaaS (Platform as a Service) - specifically Azure App Service.
Everything you enumerated can be hosted in an Azure App Service as it supports all major technologies for deploying web apps today (.Net, Node.js, Java, etc).
In addition to your own code, Azure offers a number of built-in templates for 3rd party vendors that allow you to deploy pre-packaged solutions such as Wordpress without having to worry about the installation yourself. See this Wordpress on Azure article for more details.
Pricing information for Azure Web Apps can be found on the docs page. In your case I suspect you could do with a B1 or S1 instance.
Lastly, for your domain name, you can easily map and configure any custom domain to an Azure Web App by simply updating the DNS records in your Domain Management system and referencing that in the Azure Portal. See docs for details.
Adding to Alex's response, to give you a good understanding of hosting a website on Azure: firstly, I wish to highlight that Azure offers several ways to host websites: Azure App Service WebApps (PaaS solution), Virtual Machines (IaaS), Service Fabric, and Cloud Services.
Azure App Service (PAAS solution) is the best choice for most web apps. Deployment and management are integrated into the platform, sites can scale quickly to handle high traffic loads, and the built-in load balancing and traffic manager provide high availability.
WebApp is a fully managed compute platform that is optimized for hosting websites and web applications.
If you wish to host your website/app on an Azure VM (IaaS solution), you would typically install, design and configure the app in a similar way as you would on-prem. If you have an existing application that would require substantial modifications to run in App Service, you could choose Virtual Machines in order to simplify migrating to the cloud.
Take a look at the supported and unsupported configurations in App Service Migrate - Migration checklist when moving to Azure App Service: https://azure.microsoft.com/en-us/blog/migration-checklist-when-moving-to-azure-app-service/
I have a SaaS web app developed with Angular 8 and ASP.NET Core Web API. I have deployed the web API to an Azure web app and deployed the Angular front-end web app to another Azure web app as well.
The users are from China, Australia and other countries. I want regional load balancing, so that Chinese users use the web app in the China Azure region and Australian users use the web app in the Australian Azure region, for the best performance. The Azure SQL DB will be in one place (in Australia).
In addition, I want to prevent attacks on the web front-end app and web API, like DDoS, web scraping and SQL injection. For web scraping, I want to add access rate limitation per IP.
Can you please advise what service I should use? I saw the blog talking about Azure Application Gateway, Azure Load Balancer, Azure Front Door and Azure Traffic Manager. It is a bit confusing to me. I need a best practice based on this real-world scenario of mine. Should I use one of the services or should I use multiple services?
Based on your requirement:
Since the backend resource is a Web App, you can ignore Load Balancer (Layer 4), where you can only add VMs or VMSS.
Your other requirement is WAF, and it is only available in AFD and AppGW. But you can use Traffic Manager as first-tier load balancing and have AppGW in the different regions to provide high resilience.
As you want users from a specific country to reach the nearest backend resource, it seems the best solution for you is AFD.
AFD is a global load balancer. It has WAF capability. It can cache the data and provide quicker responses (CDN functionality). AFD uses an intelligent probing mechanism, through which it chooses the endpoint which is closer to the client who is making the request.
Hope this helps.
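The question above asks for rate limiting per IP while a gateway (AFD or AppGW) sits in front of the web apps, so the app sees the gateway's address on every connection. The following is an added example, not code from any of the posts, of an application-side limiter that keys on the real client address; the trusted proxy range, sample addresses and all function names are assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Optional

# Assumption: range the gateway tier connects to the app from (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Pick the address to rate-limit on.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    The chain is walked right to left; the first hop that is not a trusted
    proxy is the client. Anything further left is client-supplied.
    """
    if not x_forwarded_for or not is_trusted(peer_ip):
        return peer_ip  # direct connection: the header proves nothing
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        if hop.count(":") == 1:  # some gateways append ":port" to IPv4 entries
            hop = hop.rsplit(":", 1)[0]
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: fall back to limiting the peer
    return peer_ip

class SlidingWindowLimiter:
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop requests that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def handle(limiter: SlidingWindowLimiter, peer_ip: str,
           xff: Optional[str], now: float) -> int:
    """Return the status the app would send: 200 or 429."""
    return 200 if limiter.allow(client_ip(peer_ip, xff), now) else 429
```

Keying on the leftmost header entry instead would let one client rotate forged values and never hit the limit; the same limit is usually also enforced at the WAF tier, with this check as a second layer.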
I run a number of App Service MVC ASP.NET web applications. I think it would be a good idea to add a WAF in front of the App Service website to enable OWASP protection as well as more visibility on suspicious attacks. Also I would want this to be linked into Azure Security Centre.
As far as I can see this is not a problem with VM websites, but with App Service websites I have seen an SO comment (April 2017) about how this may not be supported, although this information may be outdated now.
1) Am I just trying to replace existing threat detection features that are built into App Services, so adding a WAF is not required?
2) If required, are App Service WAFs supported, and especially linked to Azure Security Centre?
3) If required and possible, then any pointers please?
By the way, I have considered the use of Cloudflare as a WAF wrapper around Azure, which looks interesting, but initially wanted to check out Azure functionality to start with.
Thanks.
1) WAF is supported and recommended even for App Service because it will improve your security capabilities while also providing you with more control and real-time monitoring.
Configure App Service Web Apps with Application Gateway
2) Yes to both. See here:
Azure Security Center and Microsoft Web Application Firewall Integration
3) See above links :)