Blog | G5 Cyber Security

Azure AD App Proxy vs Application Gateway: Security

TL;DR

Azure AD Application Proxy is good for simple publishing of on-premises apps, but has limitations in security and control. Azure Application Gateway with Web Application Firewall (WAF) offers much stronger protection against common web attacks and more granular configuration options. For most production environments requiring robust security, Application Gateway is the better choice.

Understanding the Risks

Azure AD Application Proxy works by establishing outbound connections from your on-premises servers to Azure. While this avoids inbound firewall rules, it doesn’t inherently protect against all threats. Common concerns include:

Step-by-Step Migration to Azure Application Gateway

  1. Plan Your Configuration: Determine the following:
    • Public IP Address: Choose a static public IP address for your Application Gateway.
    • Subnet: Allocate a dedicated subnet in your virtual network for the gateway.
    • Listeners: Define listeners for HTTP and HTTPS traffic (port 80 & 443).
    • Backend Pools: Identify the on-premises servers hosting your applications.
    • WAF Policies: Select appropriate WAF rulesets based on your application’s needs. Consider OWASP Core Rule Set.
  2. Create an Application Gateway: Use the Azure portal, PowerShell or Azure CLI to create a new Application Gateway.
    az network application-gateway create --name myAppGateway --resource-group myResourceGroup \
      --location eastus --sku WAF_v2 --capacity 2 --public-ip-address myPublicIPAddress \
      --vnet-name myVNet --subnet mySubnet --priority 100 --waf-policy myWafPolicy

    (The v2 SKU needs the virtual network named with the subnet, a routing-rule priority, and the WAF_v2 SKU with an existing WAF policy if the gateway is to enforce the WAF rules configured in step 5.)
  3. Configure Backend Pools: Add your on-premises servers to the backend pool and ensure health probes are configured correctly; health probes verify the availability of your servers.

  4. Set up HTTP Settings: Configure how Application Gateway communicates with your backend servers (protocol, port, cookie settings).
  5. Implement WAF Policies: Enable and configure Web Application Firewall.
    • Rule Sets: Select pre-defined rule sets to protect against common attacks.
    • Custom Rules: Create custom rules if needed for specific application vulnerabilities.
    • Monitoring: Configure logging and alerts to track WAF detections.
  6. Configure DNS Records: Update your DNS records to point to the Application Gateway’s public IP address.
  7. Test Thoroughly: Verify that your applications are accessible through the Application Gateway and that the WAF is functioning as expected. Use tools like OWASP ZAP or Burp Suite for penetration testing.
  8. Decommission App Proxy: Once you’re confident with the Application Gateway setup, remove the Azure AD Application Proxy configuration.
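Once diagnostic logging is enabled (step 5) and you run the verification in step 7, a small triage over the exported firewall log tells you whether the WAF is actually blocking or only detecting. This is an added example, not code from the original post or from Microsoft; the log records are constructed to mirror the documented ApplicationGatewayFirewallLog fields, and the function names are my own.

```python
import json
from collections import Counter

# Constructed sample of ApplicationGatewayFirewallLog records (JSON lines), one
# record per rule hit, plus one access-log record that shares the same export.
# Field names mirror the documented Azure schema; the IPs, hostnames and
# transaction ids are made up for this example.
SAMPLE_LOG = """
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/login","ruleId":"942100","action":"Matched","transactionId":"t-1","hostname":"app.example.test"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.7","requestUri":"/login","ruleId":"949110","action":"Blocked","transactionId":"t-1","hostname":"app.example.test"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/search","ruleId":"941100","action":"Detected","transactionId":"t-2","hostname":"app.example.test"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIp":"198.51.100.9","requestUri":"/","httpStatus":200}}
"""


def parse_waf_log(text):
    """Return only the firewall-log records; access logs share the export."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("category") == "ApplicationGatewayFirewallLog":
            records.append(entry["properties"])
    return records


def triage(records):
    """Summarise WAF activity and flag transactions that were never blocked.

    A transaction showing only Matched/Detected actions and no Blocked action
    reached the backend: typically the policy is still in Detection mode, or
    the hit stayed below the anomaly-score threshold. Both deserve a look.
    """
    actions = Counter(r["action"] for r in records)
    rules = Counter(r["ruleId"] for r in records)
    by_txn = {}
    for r in records:
        txn = by_txn.setdefault(r["transactionId"], {"client": r["clientIp"], "blocked": False})
        if r["action"] == "Blocked":
            txn["blocked"] = True
    unblocked = sorted(t for t, v in by_txn.items() if not v["blocked"])
    clients = Counter(v["client"] for v in by_txn.values())
    return {"actions": actions, "rules": rules, "unblocked": unblocked, "clients": clients}


if __name__ == "__main__":
    summary = triage(parse_waf_log(SAMPLE_LOG))
    print(summary["actions"])
    print("not blocked:", summary["unblocked"])  # not blocked: ['t-2']
```

Point the same functions at a real export (Log Analytics query results or the storage-account JSON) and alert when `unblocked` is non-empty after you expected Prevention mode.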

Key Security Benefits of Application Gateway (with WAF)
