Skip to content

Azure/hardened-webapp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits

deploy

deploy

 
 

img

img

 
 

.gitignore

.gitignore

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

SECURITY.md

SECURITY.md

 
 

SUPPORT.md

SUPPORT.md

 
 

Repository files navigation

Hardened Web App

This example scenario describes how to set up an Azure Web App within a network environment that enforces strict policies regarding inbound and outbound network flows. In such cases, the Web App may not be directly exposed to the internet but will instead require all traffic to go through an Azure Firewall or third-party network virtual appliance.

The example shows a scenario in which a web application is protected with Azure Front Door, an Azure Firewall and connects securely to an Azure SQL Databases.

The solution is comprised of several Bicep files that deploy the required infrastucture.

The main.bicep deploys the base infrastructure using Bicep modules from the following files

  • network.bicep
  • webapp.bicep
  • firewall.bicep
  • sql.bicep
  • frontdoor.bicep
  • routetable.bicep
  • nsg.bicep
  • nsgrules.bicep

  1. Install Bicep

  2. Deploy main.bicep using either Azure PowerShell or Azure CLI. The bicep file has pre-configured parameters for deploying all resources. The parameter usePreviewFeatures, set to true by default, enables deployment of a Network Security Group associated with the subnet that will host the Web App Private Endpoint. This restricts allowed incoming traffic to the Azure Firewall subnet alone by leveraging the Private Endpoint support for NSGs (preview) feature. Set the parameter to false if you do not wish to leverage the preview feature in your deployment.

If using PowerShell, deploy the resources with:

New-AzResourceGroupDeployment -ResourceGroupName [resourceGroupName] -Name [deploymentName] -TemplateFile .\main.bicep

You will be asked to provide the parameters customBackendFqdn and sqladministratorLoginPassword upon deployment.

  1. Take note of the Public IP Address assigned to the Azure Firewall after creation. The IP is also provided as output of the deployment of main.bicep.

Public IP

  1. Take note of the Custom Domain Verification ID of the Web App you just created. The Custom Domain Verification ID is also provided as output of the deployment of main.bicep.

Custom Domain Verification ID

  1. Take note of the Azure SQL Server name you just created. The FQDN of the Azure SQL Server is also provided as output of the deployment of main.bicep.

SQL Server name

  1. Sign in to the website of your domain provider.

NOTE Every domain provider has its own DNS records interface, so consult the provider's documentation. Look for areas of the site labeled Domain Name, DNS, or Name Server Management. Often, you can find the DNS records page by viewing your account information and then looking for a link such as My domains. Go to that page, and then look for a link that's named something like Zone file, DNS Records, or Advanced configuration.

  1. Create an A record with the Public IP you just obtained

The following screenshot is an example of a DNS records page with the A record created:

DNS records page

NOTE If you like, you can use Azure DNS to manage DNS records for your domain and configure a custom DNS name for Azure App Service. For more information, see Tutorial: Host your domain in Azure DNS.

  1. Create a TXT record with the Custom Domain Verification ID of the Web App you just deployed. This will allow you to reuse the custom FQDN record you just created an A record for and add it to the Web App in the following steps.

The TXT record must be created in the format asuid.<subdomain> For example, if your custom FQDN is backend.contoso.com you would create the record:

asuid.backend.contoso.com TXT [DOMAIN VERIFICATION ID]

For more information, see Tutorial: Map an existing custom DNS name to Azure App Service - Create the DNS records

The following screenshot is an example of a DNS records page with the TXT record created:

DNS records page

  1. Map the custom domain to the Web App you just created. For more information, see Tutorial: Map an existing custom DNS name to Azure App Service - Get a domain verification ID

  2. Upload a SSL certificate matching your custom FQDN to your Web App. For more information, see Tutorial: Secure a custom DNS name with a TLS/SSL binding in Azure App Service

  3. Your Web App should now be reachable with the public FQDN of the Azure Front Door instance.

Optional Steps

  1. If you'd like, you can also bind a custom FQDN domain to Azure Front Door and configure HTTPS for the custom domain

  2. You can verify that connectivity from the Web App to the Azure SQL Server is happening over a private channel by creating a Virtual Machine in the same Virtual Network used for the scenario.

    • Log into the Virtual Machine and browse to https://<webappname>.scm.azurewebsites.net where you will access the Kudu diagnostic console
    • Log in and in the top bar click on Debug console --> CMD
    • Type the command nameresolver <sqlname>.database.windows.net, using the Azure SQL Server name you retrieved in Step 4.

You should see that the Azure SQL Server instance name is being resolved with a private IP.

The following screenshot is an example of DNS resolution of the Azure SQL Server instance from the Kudu console:

Kudu console

  1. You can also verify that outbound traffic from the Web App is going through the Azure Firewall by typing the following command in the Kudu console:
    • curl -s ifconfig.co

The output should match the public IP address of the Azure Firewall you retrieved in Step 2.

The following screenshot is an example from the Kudu console:

Kudu console

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Legal Notices

Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file, and grant you a license to any code in the repository under the MIT License, see the LICENSE-CODE file.

Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.

Privacy information can be found at https://privacy.microsoft.com/en-us/

Microsoft and any contributors reserve all other rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

10 stars

Watchers

3 watching

Forks

12 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages