How to implement multi-website on single Azure Application Gateway WAF

The architecture diagram below shows how a single Application Gateway routes requests for several websites, each with its own domain and hosted on its own set of servers, to the correct backend, and how the Web Application Firewall (WAF) inspects those requests and allows or blocks them based on the traffic. This is achieved with the Application Gateway and WAF configuration described below.

[Architecture diagram: one Application Gateway WAF in front of the www.domain01.com, www.domain02.com and www.domain03.com backends]
In this architecture, three websites run on three different backend layouts: www.domain01.com is hosted on two servers, www.domain02.com on a single server, and www.domain03.com on three servers.

For the Application Gateway to route each incoming request to the correct site, we configure the following.

  1. Backend Pools: This is where we register the servers/services of each site. For our architecture, we configure 3 backend pools as below.
  • Domain01-BackendPool: Here, we add the 2 VMs hosting domain01.com as the targets.
  • Domain02-BackendPool: Here, we add the VM hosting domain02.com as the target.
  • Domain03-BackendPool: Here, we add the 3 VMs hosting domain03.com as the targets.
  2. HTTP Settings: These are the backend HTTP settings, i.e. the protocol and port on which the Application Gateway forwards requests to the backend servers. They are independent of the port the client connected on.
  • HTTP: In this setting, traffic is forwarded to the backend on port 80 over HTTP.
  • HTTPS: In this setting, traffic is forwarded to the backend on port 443 over HTTPS (end-to-end TLS, so the backend servers must present a certificate the gateway trusts).
  3. Listeners: Here we configure the HTTP and HTTPS listeners for each website separately. Because all three sites share one public IP and port, each listener must be a multi-site listener with the site's host name (for example www.domain01.com) configured on it; the gateway then matches the Host header (and, for HTTPS, the SNI name) of the request to the listener. A basic listener has no host name and would catch every request on that port.

Note: We need to create/upload the SSL certificate of each website while creating its HTTPS listener. Application Gateway expects the certificate as a PFX file that contains the private key, and the certificate's subject or SAN must match the host name on the listener.

  4. Rules: This is the configuration that does the actual routing, tying each listener to a backend pool and a backend HTTP setting.
  • HTTP01: This rule routes traffic received on the HTTP01 listener (www.domain01.com over HTTP) to Domain01-BackendPool using the HTTP backend setting.
  • HTTPS01: This rule routes traffic received on the HTTPS01 listener (www.domain01.com over HTTPS) to Domain01-BackendPool using the HTTPS backend setting.
  • HTTP02: This rule routes traffic received on the HTTP02 listener (www.domain02.com over HTTP) to Domain02-BackendPool using the HTTP backend setting.
  • HTTPS02: This rule routes traffic received on the HTTPS02 listener (www.domain02.com over HTTPS) to Domain02-BackendPool using the HTTPS backend setting.
  • HTTP03: This rule routes traffic received on the HTTP03 listener (www.domain03.com over HTTP) to Domain03-BackendPool using the HTTP backend setting.
  • HTTPS03: This rule routes traffic received on the HTTPS03 listener (www.domain03.com over HTTPS) to Domain03-BackendPool using the HTTPS backend setting.
  5. Web Application Firewall: This is the firewall configuration. Here, the Tier is set to ‘WAF’, the firewall status is Enabled and the mode is set to Prevention. In Prevention mode the WAF blocks (rather than only logs) any request that matches the rule set applied to it, in this case the OWASP Core Rule Set (CRS) 3.0. Detection mode, the alternative, logs matches but lets the request through, which is useful for tuning before switching to Prevention.

Note: The Application Gateway WAF implementation depends on the architecture of the backend development/production environment, and the settings above will vary with that architecture.

For the list of WAF rules that are part of OWASP CRS 3.0, click HERE.
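The five configuration steps above, written out as one deployable Bicep template. This is an added example, not the article's own deployment (the article configures the gateway in the portal): the resource names, backend private IPs, subnet, public IP and the shape of the certificate parameter are assumptions, and it uses the WAF_v2 SKU, which is what you would deploy today and which requires a Standard SKU public IP and a priority on every routing rule.

```bicep
// Added example, not the article's own deployment: one Application Gateway WAF
// that fronts three host names and routes each to its own backend pool.
// Subnet, public IP, backend IPs and the certificate parameter are assumptions.
param location string = resourceGroup().location
param appGwName string = 'multisite-appgw-waf'
param subnetId string      // assumed: subnet dedicated to the Application Gateway
param publicIpId string    // assumed: Standard SKU public IP (required by the v2 SKU)

@secure()
param pfxCerts object      // assumed shape: { Domain01: { data: '<base64 PFX>', password: '...' }, ... }

// The three sites from the article, with their backend servers (assumed private IPs).
var sites = [
  { key: 'Domain01', id: '01', host: 'www.domain01.com', backends: [ { ipAddress: '10.0.1.4' }, { ipAddress: '10.0.1.5' } ] }
  { key: 'Domain02', id: '02', host: 'www.domain02.com', backends: [ { ipAddress: '10.0.2.4' } ] }
  { key: 'Domain03', id: '03', host: 'www.domain03.com', backends: [ { ipAddress: '10.0.3.4' }, { ipAddress: '10.0.3.5' }, { ipAddress: '10.0.3.6' } ] }
]
var gw = 'Microsoft.Network/applicationGateways'

// Step 3, listeners: hostName is what makes each listener multi-site, so the
// gateway matches the Host header (and SNI on 443) instead of catching everything.
var httpListeners = [for site in sites: {
  name: 'HTTP${site.id}'
  properties: {
    protocol: 'Http'
    hostName: site.host
    frontendIPConfiguration: { id: resourceId('${gw}/frontendIPConfigurations', appGwName, 'publicFrontend') }
    frontendPort: { id: resourceId('${gw}/frontendPorts', appGwName, 'port80') }
  }
}]
var httpsListeners = [for site in sites: {
  name: 'HTTPS${site.id}'
  properties: {
    protocol: 'Https'
    hostName: site.host
    requireServerNameIndication: true
    frontendIPConfiguration: { id: resourceId('${gw}/frontendIPConfigurations', appGwName, 'publicFrontend') }
    frontendPort: { id: resourceId('${gw}/frontendPorts', appGwName, 'port443') }
    sslCertificate: { id: resourceId('${gw}/sslCertificates', appGwName, '${site.key}-cert') }
  }
}]

// Step 4, rules: listener -> backend pool -> backend HTTP setting.
// Priorities must be unique per rule on the v2 SKU.
var httpRules = [for (site, i) in sites: {
  name: 'HTTP${site.id}'
  properties: {
    ruleType: 'Basic'
    priority: 100 + i
    httpListener: { id: resourceId('${gw}/httpListeners', appGwName, 'HTTP${site.id}') }
    backendAddressPool: { id: resourceId('${gw}/backendAddressPools', appGwName, '${site.key}-BackendPool') }
    backendHttpSettings: { id: resourceId('${gw}/backendHttpSettingsCollection', appGwName, 'HTTP') }
  }
}]
var httpsRules = [for (site, i) in sites: {
  name: 'HTTPS${site.id}'
  properties: {
    ruleType: 'Basic'
    priority: 200 + i
    httpListener: { id: resourceId('${gw}/httpListeners', appGwName, 'HTTPS${site.id}') }
    backendAddressPool: { id: resourceId('${gw}/backendAddressPools', appGwName, '${site.key}-BackendPool') }
    backendHttpSettings: { id: resourceId('${gw}/backendHttpSettingsCollection', appGwName, 'HTTPS') }
  }
}]

resource appGw 'Microsoft.Network/applicationGateways@2022-07-01' = {
  name: appGwName
  location: location
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2', capacity: 2 }
    gatewayIPConfigurations: [ { name: 'gwIpConfig', properties: { subnet: { id: subnetId } } } ]
    frontendIPConfigurations: [ { name: 'publicFrontend', properties: { publicIPAddress: { id: publicIpId } } } ]
    frontendPorts: [
      { name: 'port80', properties: { port: 80 } }
      { name: 'port443', properties: { port: 443 } }
    ]
    // One PFX (certificate plus private key) per HTTPS listener.
    sslCertificates: [for site in sites: {
      name: '${site.key}-cert'
      properties: { data: pfxCerts[site.key].data, password: pfxCerts[site.key].password }
    }]
    // Step 1, backend pools: the 2 / 1 / 3 servers behind each site.
    backendAddressPools: [for site in sites: {
      name: '${site.key}-BackendPool'
      properties: { backendAddresses: site.backends }
    }]
    // Step 2, backend HTTP settings: the protocol and port used toward the backend.
    backendHttpSettingsCollection: [
      { name: 'HTTP',  properties: { port: 80,  protocol: 'Http',  cookieBasedAffinity: 'Disabled', requestTimeout: 30 } }
      { name: 'HTTPS', properties: { port: 443, protocol: 'Https', cookieBasedAffinity: 'Disabled', requestTimeout: 30 } }
    ]
    httpListeners: concat(httpListeners, httpsListeners)
    requestRoutingRules: concat(httpRules, httpsRules)
    // Step 5, WAF: enabled, Prevention mode, OWASP CRS 3.0 as in the article.
    webApplicationFirewallConfiguration: {
      enabled: true
      firewallMode: 'Prevention'
      ruleSetType: 'OWASP'
      ruleSetVersion: '3.0'
    }
  }
}
```

Two things to check after deploying: browse to each host name and confirm the response comes from the right pool (a wrong pool almost always means a listener without a host name, or one whose host name does not match the DNS name the client used), and send a request that the CRS should block, for example a query string containing `' OR 1=1--`, and confirm the gateway returns 403 rather than forwarding it. The HTTPS backend setting above uses end-to-end TLS as the article does; on the v2 SKU the backend certificate must chain to a well-known CA or to a root you upload as a trusted root certificate.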

Safi Ahmed Choudhury

Safi is the founder and chief editor of ZoomTutorials Blog, a leading tutorials and technology blogging site specializing in DevOps, SysAdmin and Cloud Technologies to help IT professionals in their day to day work. He is a Senior Cloud and DevOps Solutions Engineer at a leading eCommerce development Company and has more than 8 years of SysAdmin experience working with Fortune 500 companies to solve their most important IT backbones. Safi lives in Hyderabad with his wife and a son.

3 thoughts on “How to implement multi-website on single Azure Application Gateway WAF”

  1. Hi,

    I have the following scenario:
    A gateway and a VM scale set, which are of course in the same network. I have a domain and a subdomain which I need to map.
    For the gateway I just have a public IP set and the default cloudapp.azure.com domain. I have 2 backend pools, one for the domain and one for the subdomain. Each domain has a separate rule and each rule a separate listener, and all the rules have the same backend targets.
    https://prnt.sc/ubwncj
    https://prnt.sc/ubwnq1
    https://prnt.sc/ubwnw0
    https://prnt.sc/ubwnzw
    https://prnt.sc/ubwo8t
    https://prnt.sc/ubwopl
    https://prnt.sc/ubwot9
    https://prnt.sc/ubwowo
    https://prnt.sc/ubwozt

    For some reason, it will not load the page when I put the specific domains in place for my listeners.
    If I put one of my domains here, https://prnt.sc/ubwl1s, it will just not work. Am I missing something in the DNS?
    Also, how did you generate the certificates? Did you use Let’s Encrypt?

    Did you generate the certificate after mapping the domains specifically on a server and then just export the certificate from there after changing the IP to the gateway?

    I would really appreciate it if you can help. Thanks
