How to implement multi-website on single Azure Application Gateway WAF

How to implement multi-website on single Azure Application Gateway WAF

The below architecture diagram describes how Application Gateway helps in routing different websites with different domains hosted on different servers from the same Application Gateway and how the requests can be filtered and accepted/blocked based on the type of traffic. This can be achieved with the help of the below Application Gateway and WAF configurations.

In the above architecture, we have 3 websites hosted on 3 different types of architectures where www.domain01.com site is hosted on 2 servers, www.domain02.com site on a single server and the www.domain03.com site is hosted on 3 server architecture.

In order for the Application Gateway to properly route traffic to the sites based on the incoming request, we will implement the below configurations.

1. Backend Pools: This is the configuration where we configure the servers/services of each site. For our architecture, we will configure 3 backend pools as below.

• Domain01-BackendPool: Here, we add 2 VMs hosting domain01.com as the targets.
• Domain02-BackendPool: Here, we add the VM hosting domain02.com as the target.
• Domain03-BackendPool: Here, we add 3 VMs hosting domain03.com as the targets.

2. HTTP Settings: Here, we configure the ports where we will be sending HTTP and HTTPS request.

• HTTP: In this setting, we configured HTTP traffic to be routed to 80 port.
• HTTPS: In this setting, we configured HTTPS traffic to be routed to 443 port.

3. Listeners: Here we configure the HTTP and HTTPS listeners for each website’s separately.

• HTTP01: This is the HTTP listener for domain01.com
• HTTS01: This is the HTTPS listener for domain01.com
• HTTP02: This is the HTTP listener for domain02.com
• HTTS02: This is the HTTPS listener for domain02.com
• HTTP03: This is the HTTP listener for domain03.com
• HTTS03: This is the HTTPS listener for domain03.com

Note: We need to create/upload the SSL certificate of each website while creating HTTPS listener.

4. Rules: This is configuration which will play the major role of routing the traffic based on the incoming traffic request.

• HTTP01: This rule will route incoming traffic of domain01.com (HTTP01 Listener) to Domain01-BackendPool HTTP backend target.
• HTTPS01: This rule will route incoming traffic of domain01.com (HTTPS01 Listener) to Domain01-BackendPool HTTPS backend target.
• HTTP02: This rule will route incoming traffic of domain02.com (HTTP02 Listener) to Domain02-BackendPool HTTP backend target.
• HTTPS02: This rule will route incoming traffic of domain02.com (HTTPS02 Listener) to Domain02-BackendPool HTTPS backend target.
• HTTP03: This rule will route incoming traffic of domain03.com (HTTP03 Listener) to Domain03-BackendPool HTTP backend target.
• HTTPS03: This rule will route incoming traffic of domain03.com (HTTPS03 Listener) to Domain03-BackendPool HTTPS backend target.

5. Web Application Firewall: This is the configuration for the Firewall. Here, we configured the Tier as ‘WAF’ and the Firewall status is enabled and mode is selected as Prevention. The prevention mode will block all unwanted requests coming to the application gateway based on the Rule set which is applied on the WAF i.e. OWASP 3.0.

Note: The Application Gateway WAF implementation will be based on the architecture of the backend development/production environment. The settings will largely vary based on the backend environment architecture.

For information on the list of WAF rules which are part of OWASP 3.0, Click HERE.