Azure App Gateway SSL Offloading to a Datacentre server? - azure

So I am looking at using Azure App Gateway to overcome a set of legacy servers (Win2003) that will not support TLS 1.2 and therefore come March+ 2020 the client browsers will not be able to access the site.
So my question is can I use AZ App Gateway to terminate the SSL and route traffic onto a set of Windows Load Balanced servers in our datacentres?
Has anyone done this before?

You can certainly do this, but Azure Front Door would be a better option, I believe (if you trust IP restrictions, I think that would be the only way to secure endpoints). They would allow you to offload SSL and offer some other nice features. And you don't have to create site-to-site vpn and maintain it.

Related

Do I need a WAF if I have a VPN?

Do I really need a layer 7 Firewall if I change the architecture to use a VPN? If our clients connect to our services via a VPN, surely that would save costs of a WAF? Or am I missing something?
A WAF protects your web services and services behind your web.
If you believe in zero trust then people logging into your vpn should not be trusted.
Many believe vpn is a dying tool since it's often configured with poor segmentation.
It's argued that a better alternative to VPN is to use cloud-based apps that allow SAML or other methods of authentication/authorization along with two-factor capabilities.
Hope this helps.

Remove public web access to Azure Web App

I have an existing on-premises web app that I'd like to migrate to Azure, just a basic migration to start with.
The current app is made up of two websites, a publicly facing front end web site and a private SOAP API site that is accessible only via a VPN connection.
I can happily place the front end in a standard web app, but can't see a cheap way of hosting the SOAP API. I have used Azure Service Environments in the past, but this approach is expensive and a bit much for the early stages of this migration.
Ideally I would just host the SOAP API in an Azure Web Site and put a Gateway in front of it to manage VPN access. But I'm struggling to see if that is supported.
Is there anything else I can do here?
On the App Service hosting the API, have you looked into using the "Networking" blade to configure an IP restriction? This way you could limit access from only the IP address of your front-end.
Additional considerations:
There is no guarantee on a static IP for your front-end, so you may need to consider range(s) based on what's in the DC your app is hosted in (the IP doesn't change often, but understand it's allocated from a pool that MS maintains). For this solution, you'd also need to include the IP of any client needing access for development/debug, since it wouldn't use a VPN.
You could also use a VNet to isolate services on the network and have more control over the configuration. Unfortunately you'd also need to deploy the app into an ASE which will add further costs. As a bonus, this would allow you to use a VPN as explained here: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
Good luck!
For example, you can create a P2S VPN from the web to Vnet, and create another S2S or P2S VPN from on-premises to Vnet. And there can be an NSG associated to the Vnet, so you can manage the VPN access. I think the document Integrate your app with an Azure Virtual Network could give you an idea. Unfortunately, you'd also need to deploy a VPN.

Is Azure WebApp automatically rate limited / DOS protected?

I'm building a service that allows users to enter activation keys in a desktop application, which will then call a web service to check the key and return a license. This call does not require authorization.
The web application is running as Azure "App Service". I'm afraid someone will be trying to "guess" activation keys and slow down my service. (I'm not afraid they will be able to correctly guess, they are long enough).
Do Azure WebApps have some kind of automatic rate-limiting or DOS-protection, or do I need to configure/code this myself?
If I have to do it myself, can you point me into the right direction?
As far as I know, we could use Dynamic IP Restrictions in the web app.
The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service attacks or cracking of passwords through brute force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.
As for how to configure this feature, we could remotely connect to the Azure web app IIS and set it there.
As for how to remotely connect to the web app IIS, you could refer to this article.
For more details, you could also refer to this blog.
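As an added example (not code from the thread or from the IIS extension), here is the "deny by request rate" idea behind Dynamic IP Restrictions written out in Python, so it can sit in front of an unauthenticated endpoint like the activation-key check above: a client IP that exceeds a request count inside a sliding window is denied for a fixed period and then allowed again. The thresholds, IPs and traffic are constructed assumptions.

```python
# Added example, not from the original thread: per-client-IP request-rate
# limiting with a temporary block, in the spirit of IIS Dynamic IP Restrictions.
from collections import defaultdict, deque

MAX_REQUESTS = 5        # assumption: requests allowed per window per client IP
WINDOW_SECONDS = 10.0   # assumption: sliding window length
BLOCK_SECONDS = 60.0    # assumption: how long an offending IP stays denied


class DynamicIpLimiter:
    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS,
                 block=BLOCK_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self.block = block
        self.history = defaultdict(deque)   # ip -> timestamps of recent requests
        self.blocked_until = {}             # ip -> time at which the block expires

    def allow(self, ip, now):
        """Return True if the request at time `now` from `ip` may proceed."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False                # still inside the temporary block
            del self.blocked_until[ip]      # block expired: start counting afresh
            self.history[ip].clear()
        hits = self.history[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                  # forget requests outside the window
        hits.append(now)
        if len(hits) > self.max_requests:
            self.blocked_until[ip] = now + self.block
            return False                    # over the rate: deny and block
        return True


# Constructed sample traffic as (seconds, client_ip): 10.0.0.9 hammers the
# key-check endpoint every half second, 10.0.0.2 is a normal client.
SAMPLE_REQUESTS = ([(0.0, "10.0.0.2"), (3.0, "10.0.0.2"), (70.0, "10.0.0.9")]
                   + [(0.5 * i, "10.0.0.9") for i in range(8)])


def run(requests, limiter=None):
    """Replay requests in time order; return {ip: (allowed, denied)} counts."""
    limiter = limiter or DynamicIpLimiter()
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        counts[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}
```

Replaying the sample traffic shows the abusive client getting its first five requests through, the next three denied, and the request after the block expires allowed again; keep the per-IP state small (or in a shared cache) if the web app scales out to several instances.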

DDoS attack mitigation on Azure infrastructure

I have a Django based web application hosted on Azure provisioned virtual machines (Ubuntu OS). My application recently experienced a DDoS attack and we were helpless against it.
The problem is that once traffic hits the server - even if it's blocked at a firewall or throttled in my webserver - the traffic is already consuming my network bandwidth. I can do nothing about it. This needs to be blocked "upstream", in the routing gear servicing my server.
Is there any DDoS protection Azure can offer me? Or at the very least, make recommendations as to how I might deploy my application so that it's more resistant to these attacks? Please advise.
Currently, Azure provides DDOS protection at the network level, but not at the application level. So, if you are receiving a bunch of ACK requests, for example, this should be blocked by the platform itself.
For app level DDOS protection, you need to consider an upstream provider such as Incapsula or Silverline. Integrating them is quite easy. See https://www.incapsula.com/blog/how-to-add-incapsula-to-your-microsoft-azure-instance.html for an example.
Essentially, you will setup Incapsula and configure it with the DNS label of the web app (something.azurewebsites.net). Your DNS (www.domain.com) will then point to the incapsula service and they will handle the rest.
Please note that separating the DDOS from the service still allows for an attack against the service itself (ie: if someone hits something.azurewebsites.net then Incapsula will not protect this traffic).
Hope that helps!
First: Azure allows for IP-whitelisting (or blacklisting), so you can add malicious IP addresses to your block-list on incoming traffic (port 80/443 for instance). And you can modify IP addresses / ranges programmatically. This should prevent traffic from hitting your web app. Note: This is specific to Azure Virtual Machines, which you're using.
Second: Azure provides the Azure Security Center, which is designed to detect such things as DoS attacks, intrusion attacks, etc. Not that it solves your problem, but it can be used for alerting you to issues.
Using Incapsula will be the right answer for you, since Incapsula hides your origin IP and mitigates the attack before it even reaches Azure.
In addition it provides a CDN and cache, which helped us save on bandwidth costs on AWS and make our application work faster.

Windows Azure VPN and IP restriction

We integrate with a third-party service where we can run queries, which are right now secured using HTTPS encryption and username/password. We send our queries from a service running on the Windows Azure cloud.
The third-party provider wants to migrate towards better security and they have asked us to either
Set up a VPN - which is problematic because we'd need to use Azure Connect and they'd have to install the client endpoint service on their part.
Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level - which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes.
Suggest another secure alternative - the only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect - which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service.
Any ideas?
Can they install the Azure Connect endpoint on another server on their DMZ network? i.e. not the actual server which hosts their service?
Can we somehow provide them with static IPs for incoming queries?
Any other solution that is scalable?
Thanks
If I understand the scenario correctly, your Azure service is a client to a 3rd party service. This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS.
Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx
There is a hands on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need.
IMHO, HTTPS is already very good; and I don't exactly see how a VPN would make the system any more secure. In particular, VPN is no silver bullet, if your VM is compromised then the VPN connection is compromised too (same for HTTPS). On the other hand, the IP restriction would indeed reduce the attack surface.
Then, using a server outside the cloud is a poor idea indeed. Not only does it defeat most of the benefits of the cloud (been there, done that and suffered a lot), but it also makes the whole thing less secure, with more complexity and more attack surface.
Windows Azure does not provide anything that looks like a static IP at this point. In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). Static IP addresses have been an important feature request for a long time; Microsoft will probably provide it at some point, but it might still take many months.