I'm trying to set up an F5 Web Application Firewall (WAF) in front of my Azure App Services. I want to ensure that the application can only be accessed through the F5 WAF and that there are measures to prevent any unauthorized access or bypassing. Any advice on how to achieve this?
3 Answers
Another option is to use a Fully Qualified Domain Name (FQDN) for your F5. Set it to forward requests to your app's CNAME. Just ensure that the FQDN you set is included in your app's allowed list of FQDNs to prevent access issues.
Definitely look into Azure's networking capabilities. You can employ user-defined routes (UDRs) to ensure all traffic routes through the F5 before hitting your application layers. This setup can fortify your application against direct public access attempts, assuming you've configured it correctly.
You can start by checking out Azure's IP restriction feature. This lets you define which IPs can access your app services. However, make sure to whitelist your F5 WAF IPs to prevent 404 errors when trying to access your app. Also, if you're looking to restrict access further, consider using route tables to direct all traffic through your F5 WAF. This way, bypassing will be tough since the routes won’t direct traffic elsewhere.
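As an added illustration of the IP-restriction advice above (not code from the poster), here is a small audit that reads an App Service access-restriction export and flags any Allow rule that admits a source outside the F5 WAF's egress ranges, including the separate SCM (Kudu) site, which has its own rule list. The JSON field names follow the shape returned by `az webapp config access-restriction show` as assumed here, and all addresses are constructed sample values.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of
# `az webapp config access-restriction show` output.
SAMPLE_RESTRICTIONS = json.loads("""
{
  "ipSecurityRestrictions": [
    {"name": "f5-waf-1", "action": "Allow", "ipAddress": "203.0.113.10/32", "priority": 100},
    {"name": "f5-waf-2", "action": "Allow", "ipAddress": "203.0.113.11/32", "priority": 110},
    {"name": "office-temp", "action": "Allow", "ipAddress": "198.51.100.0/24", "priority": 200}
  ],
  "scmIpSecurityRestrictionsUseMain": false,
  "scmIpSecurityRestrictions": [
    {"name": "Allow all", "action": "Allow", "ipAddress": "Any", "priority": 2147483647}
  ]
}
""")

# Ranges the F5 WAF sends traffic from (constructed value; use your WAF's real egress).
WAF_EGRESS = ["203.0.113.0/28"]


def check_rules(rules, waf_cidrs):
    """Return findings for Allow rules whose source is not inside the WAF ranges."""
    waf_nets = [ipaddress.ip_network(c, strict=False) for c in waf_cidrs]
    findings = []
    for rule in rules:
        if rule.get("action", "").lower() != "allow":
            continue                      # Deny rules cannot widen access
        ip = rule.get("ipAddress")
        if ip is None:                    # subnet / service-tag rule: not an IP, review by hand
            findings.append(f"{rule['name']}: non-IP allow rule, review manually")
        elif ip.lower() == "any":         # the implicit "Allow all" entry means no restriction
            findings.append(f"{rule['name']}: allows any source")
        else:
            net = ipaddress.ip_network(ip, strict=False)
            if not any(net.subnet_of(w) for w in waf_nets if w.version == net.version):
                findings.append(f"{rule['name']}: {ip} is outside WAF ranges")
    return findings


def audit(config, waf_cidrs):
    """Audit both the main site and the SCM site rule lists."""
    main_rules = config.get("ipSecurityRestrictions", [])
    findings = check_rules(main_rules, waf_cidrs)
    # The SCM site either shares the main list or keeps its own, which is easy to forget.
    scm_rules = main_rules if config.get("scmIpSecurityRestrictionsUseMain") \
        else config.get("scmIpSecurityRestrictions", [])
    findings += ["scm site: " + f for f in check_rules(scm_rules, waf_cidrs)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESTRICTIONS, WAF_EGRESS):
        print(finding)
```

Any finding means a path around the WAF exists; a clean result still assumes the WAF is the only thing with those source addresses.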
I tried adding the necessary IPs for restrictions, but I ended up with a 404 error. Is there a better method or any specific firewall settings for defining ports in the Azure environment?
But if someone tries to hit the app directly using the public IP, won't they bypass the F5 WAF? How can we restrict that?