
Deploy Azure Application gateway to expose my workload

In a C3 Azure hardened subscription, workloads cannot be exposed directly on the Internet. Workloads must be exposed through a reverse proxy that includes web filtering capabilities. TDF BL consumers are responsible for deploying and configuring this service. This page aims to provide general guidance on deploying Azure Application Gateway to expose your web-based workloads.

Azure Application Gateway

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Azure Application Gateway includes the following capabilities:

  • SSL/TLS termination with certificates stored in an Azure Key Vault
  • Auto-scaling to adapt the number of instances to traffic load patterns
  • High availability with support for Availability Zones
  • Web Application Firewall (WAF) capabilities using rules based on the OWASP ModSecurity Core Rule Set
  • URL-based routing
  • Multiple-site hosting
  • HTTP to HTTPS redirection
  • Session affinity
  • Rewriting of HTTP headers and URLs


Prerequisites

Before deploying Application Gateway, the following prerequisites are needed:

  • Network/Subnet
  • Network Security Group
  • Public IP
  • Key Vault

Network/Subnet

Azure Application Gateway must be deployed in a dedicated subnet in your Azure subscription. The service consumes multiple private IP addresses from this dedicated subnet. Additional information about subnet sizing is available here. In non-production environments, consider a /27 CIDR for the dedicated subnet.

This subnet must be configured for Application Gateway use only. You will not be able to create a virtual machine with a network interface attached to this subnet.

The Network Security Group configuration must be associated with the dedicated subnet before Application Gateway deployment.

Network Security Group

It is highly recommended to apply Microsoft's recommendations for Network Security Group hardening to restrict incoming traffic to the Application Gateway subnet. Additional information is available here.

Public IP

Azure Application Gateway can be deployed to manage web exposure internally, externally or both. The Azure Application Gateway V2 SKU requires an Azure public IP even when the workload is only exposed internally. This Azure public IP must be created using the Standard SKU. Even though the Application Gateway is deployed with an Azure public IP, only internal exposure is allowed in a C3 Azure Hardened subscription.

Key Vault

Azure Application Gateway supports SSL termination with certificates stored in a Key Vault, as documented here. Application Gateway is now recognized as an Azure Trusted Service, which allows it to bypass the Key Vault firewall.

Certificates for the Azure Application Gateway can be delivered using the Azure App Certificates Services. Additional details for this scenario are available on the How to get public certificate page.


Use cases

Currently limited to internal exposure only. C3 workloads should not be exposed publicly.


How to

How to request my public DNS name under thalesdigital.io public domain name

The thalesdigital.io public DNS domain and its subdomains are managed by the Thales Digital Factory. You can raise a support ticket to create an A/CNAME record in this DNS zone. This FQDN will be required when requesting your public certificate.

How to request a certificate to be used with Application Gateway

Once your public DNS names are registered, you can request your public certificate as documented in Get Thales certificate.

How to configure my Application Gateway for C3 security level

TDF provides general recommendations for the Application Gateway configuration:

  • SKU must be WAF V2 for web filtering capabilities
  • Firewall status must be set to enabled
  • TLS certificates must be stored in a Key Vault
  • Application Gateway logs must be sent to Log Analytics
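As an added example (not code from the original page or from TDF), the Python check below turns the recommendations above, together with the internal-only and /27 subnet guidance earlier on this page, into an offline compliance test you can run against exported resource JSON. It assumes the flattened JSON shape returned by `az network application-gateway show -o json` and `az monitor diagnostic-settings list -o json`; the sample resource is constructed, and the Prevention-mode check goes slightly beyond the list, which only requires the firewall to be enabled.

```python
import ipaddress

# Constructed sample (not a real deployment), shaped like the flattened JSON of
# `az network application-gateway show` and `az monitor diagnostic-settings list`.
AGW_ID = "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/applicationGateways/agw"
FE_PRIVATE, FE_PUBLIC = AGW_ID + "/frontendIPConfigurations/private", AGW_ID + "/frontendIPConfigurations/public"
SAMPLE_APPGW = {
    "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
    "webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Prevention"},
    "sslCertificates": [{"name": "cert-app", "keyVaultSecretId": "https://kv-demo.vault.azure.net/secrets/cert-app"}],
    "frontendIPConfigurations": [
        {"id": FE_PRIVATE, "privateIPAddress": "10.10.0.10", "publicIPAddress": None},
        {"id": FE_PUBLIC, "privateIPAddress": None, "publicIPAddress": {"id": "/subscriptions/x/pip-agw"}},
    ],
    "httpListeners": [{"name": "https-app", "frontendIPConfiguration": {"id": FE_PRIVATE}}],
}
SAMPLE_DIAG = [{"name": "to-law", "workspaceId": "/subscriptions/x/law-demo"}]

def check_c3_appgw(appgw, diag_settings, subnet_cidr=None):
    """Return a list of findings; an empty list means the gateway meets the C3 recommendations."""
    findings = []
    # 1. SKU must be WAF_v2: web filtering only exists on the WAF tier.
    sku = (appgw.get("sku") or {}).get("name")
    if sku != "WAF_v2":
        findings.append(f"sku is {sku!r}, expected 'WAF_v2'")
    # 2. Firewall must be enabled; Prevention blocks, Detection only logs (example's own stricter check).
    waf = appgw.get("webApplicationFirewallConfiguration") or {}
    if not waf.get("enabled"):
        findings.append("web application firewall is not enabled")
    elif waf.get("firewallMode") != "Prevention":
        findings.append(f"firewallMode is {waf.get('firewallMode')!r}, expected 'Prevention'")
    # 3. Every TLS certificate must be referenced from Key Vault, not uploaded inline.
    for cert in appgw.get("sslCertificates") or []:
        if not cert.get("keyVaultSecretId"):
            findings.append(f"certificate {cert.get('name')!r} is not stored in Key Vault")
    # 4. At least one diagnostic setting must forward logs to a Log Analytics workspace.
    if not any(d.get("workspaceId") for d in diag_settings):
        findings.append("no diagnostic setting sends logs to Log Analytics")
    # 5. Internal exposure only: each listener must bind to a frontend IP that is private.
    private_ids = {f["id"] for f in appgw.get("frontendIPConfigurations") or [] if f.get("privateIPAddress")}
    for listener in appgw.get("httpListeners") or []:
        if (listener.get("frontendIPConfiguration") or {}).get("id") not in private_ids:
            findings.append(f"listener {listener.get('name')!r} is bound to a public frontend IP")
    # 6. Dedicated subnet should be at least a /27 (non-production sizing guidance above).
    if subnet_cidr and ipaddress.ip_network(subnet_cidr, strict=False).prefixlen > 27:
        findings.append(f"subnet {subnet_cidr} is smaller than a /27")
    return findings

if __name__ == "__main__":
    print(check_c3_appgw(SAMPLE_APPGW, SAMPLE_DIAG, "10.10.0.0/27") or ["compliant"])
```

Feed it the JSON of your own gateway and its diagnostic settings to get a findings list; the public frontend IP required by the V2 SKU is tolerated as long as no listener is bound to it.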