Protect Azure Container Apps with Web Application Firewall on Application Gateway
When you host your apps or microservices in Azure Container Apps, you may not always want to publish them directly to the internet. Instead, you may want to expose them through a reverse proxy.
A reverse proxy is a service that sits in front of one or more services, intercepting and directing incoming traffic to the appropriate destination.
Reverse proxies allow you to place services in front of your apps that supports cross-cutting functionality including:
- Routing
- Caching
- Rate limiting
- Load balancing
- Security layers
- Request filtering
This article demonstrates how to protect your container apps using a Web Application Firewall (WAF) on Azure Application Gateway with an internal Container Apps environment.
For more information on networking concepts in Container Apps, see Networking Environment in Azure Container Apps.
Prerequisites
Internal environment with custom VNet: Have a container app that is on an internal environment and integrated with a custom virtual network. For more information on how to create a custom virtual network integrated app, see provide a virtual network to an Azure Container Apps environment.
Security certificates: If you must use TLS/SSL encryption to the application gateway, a valid public certificate that's used to bind to your application gateway is required.
Retrieve your container app's domain
Use the following steps to retrieve the values of the default domain and the static IP to set up your Private DNS Zone.
From the resource group's Overview window in the portal, select your container app.
On the Overview window for your container app resource, select the link for Container Apps Environment
On the Overview window for your container app environment resource, select JSON View in the upper right-hand corner of the page to view the JSON representation of the container apps environment.
Copy the values for the defaultDomain and staticIp properties and paste them into a text editor. You'll create a private DNS zone using these values for the default domain in the next section.
Create and configure an Azure Private DNS zone
On the Azure portal menu or the Home page, select Create a resource.
Search for Private DNS Zone, and select Private DNS Zone from the search results.
Select the Create button.
Enter the following values:
Setting Action Subscription Select your Azure subscription. Resource group Select the resource group of your container app. Name Enter the defaultDomain property of the Container Apps Environment from the previous section. Resource group location Leave as the default. A value isn't needed as Private DNS Zones are global. Select Review + create. After validation finishes, select Create.
After the private DNS zone is created, select Go to resource.
In the Overview window, select +Record set, to add a new record set.
In the Add record set window, enter the following values:
Setting Action Name Enter *. Type Select A-Address Record. TTL Keep the default values. TTL unit Keep the default values. IP address Enter the staticIp property of the Container Apps Environment from the previous section. Select OK to create the record set.
Select +Record set again, to add a second record set.
In the Add record set window, enter the following values:
Setting Action Name Enter @. Type Select A-Address Record. TTL Keep the default values. TTL unit Keep the default values. IP address Enter the staticIp property of the Container Apps Environment from the previous section. Select OK to create the record set.
Select the Virtual network links window from the menu on the left side of the page.
Select +Add to create a new link with the following values:
Setting Action Link name Enter my-custom-vnet-pdns-link. I know the resource ID of virtual network Leave it unchecked. Virtual network Select the virtual network your container app is integrated with. Enable auto registration Leave it unchecked. Select OK to create the virtual network link.
Create and configure Azure Application Gateway
Basics tab
Enter the following values in the Project details section.
Setting Action Subscription Select your Azure subscription. Resource group Select the resource group for your container app. Application gateway name Enter my-container-apps-agw. Region Select the location where your Container App was provisioned. Tier Select WAF V2. You can use Standard V2 if you don't need WAF. Enable autoscaling Leave as default. For production environments, autoscaling is recommended. See Autoscaling Azure Application Gateway. Availability zone Select None. For production environments, Availability Zones are recommended for higher availability. HTTP2 Keep the default value. WAF Policy Select Create new and enter my-waf-policy for the WAF Policy. Select OK. If you chose Standard V2 for the tier, skip this step. Virtual network Select the virtual network that your container app is integrated with. Subnet Select Manage subnet configuration. If you already have a subnet you wish to use, use that instead, and skip to the Frontends section. From within the Subnets window of my-custom-vnet, select +Subnet and enter the following values:
Setting Action Name Enter appgateway-subnet. Subnet address range Keep the default values. For the remainder of the settings, keep the default values.
Select Save to create the new subnet.
Close the Subnets window to return to the Create application gateway window.
Select the following values:
Setting Action Subnet Select the appgateway-subnet you created. Select Next: Frontends, to proceed.
Frontends tab
On the Frontends tab, enter the following values:
Setting Action Frontend IP address type Select Public. Public IP address Select Add new. Enter my-frontend for the name of your frontend and select OK Note
For the Application Gateway v2 SKU, there must be a Public frontend IP. You can have both a public and a private frontend IP configuration, but a private-only frontend IP configuration with no public IP is currently not supported in the v2 SKU. To learn more, read here.
Select Next: Backends.
Backends tab
The backend pool is used to route requests to the appropriate backend servers. Backend pools can be composed of any combination of the following resources:
- NICs
- Public IP addresses
- Internal IP addresses
- Virtual Machine Scale Sets
- Fully qualified domain names (FQDN)
- Multi-tenant back-ends like Azure App Service and Container Apps
In this example, you create a backend pool that targets your container app.
Select Add a backend pool.
Open a new tab and navigate to your container app.
In the Overview window of the Container App, find the Application Url and copy it.
Return to the Backends tab, and enter the following values in the Add a backend pool window:
Setting Action Name Enter my-agw-backend-pool. Add backend pool without targets Select No. Target type Select IP address or FQDN. Target Enter the Container App Application Url you copied and remove the https:// prefix. This location is the FQDN of your container app. Select Add.
On the Backends tab, select Next: Configuration.
Configuration tab
On the Configuration tab, you connect the frontend and backend pool you created using a routing rule.
Select Add a routing rule. Enter the following values:
Setting Action Name Enter my-agw-routing-rule. Priority Enter 1. Under Listener tab, enter the following values:
Setting Action Listener name Enter my-agw-listener. Frontend IP Select Public. Protocol Select HTTPS. If you don't have a certificate you want to use, you can select HTTP Port Enter 443. If you chose HTTP for your protocol, enter 80 and skip to the default/custom domain section. Choose a Certificate Select Upload a certificate. If your certificate is stored in key vault, you can select Choose a certificate from Key Vault. Cert name Enter a name for your certificate. PFX certificate file Select your valid public certificate. Password Enter your certificate password. If you want to use the default domain, enter the following values:
Setting Action Listener Type Select Basic Error page url Leave as No Alternatively, if you want to use a custom domain, enter the following values:
Setting Action Listener Type Select Multi site Host type Select Single Host Names Enter the Custom Domain you wish to use. Error page url Leave as No Select the Backend targets tab and enter the following values:
Toggle to the Backend targets tab and enter the following values:
Setting Action Target type Select my-agw-backend-pool that you created earlier. Backend settings Select Add new. In the Add Backend setting window, enter the following values:
Setting Action Backend settings name Enter my-agw-backend-setting. Backend protocol Select HTTPS. Backend port Enter 443. Use well known CA certificate Select Yes. Override with new host name Select Yes. Host name override Select Pick host name from backend target. Create custom probes Select No. Select Add, to add the backend settings.
In the Add a routing rule window, select Add again.
Select Next: Tags.
Select Next: Review + create, and then select Create.
Add private link to your Application Gateway
You can establish a secured connection to internal-only container app environments by leveraging private link, as it allows your Application Gateway to communicate with your Container App on the backend through the virtual network.
Once the Application Gateway is created, select Go to resource.
From the menu on the left, select Private link, then select Add.
Enter the following values:
Setting Action Name Enter my-agw-private-link. Private link subnet Select the subnet you wish to create the private link with. Frontend IP Configuration Select the frontend IP for your Application Gateway. Under Private IP address settings select Add.
Select Add at the bottom of the window.
Verify the container app
Find the public IP address for the application gateway on its Overview page, or you can search for the address. To search, select All resources and enter my-container-apps-agw-pip in the search box. Then, select the IP in the search results.
Navigate to the public IP address of the application gateway.
Your request is automatically routed to the container app, which verifies the application gateway was successfully created.
Clean up resources
When you no longer need the resources that you created, delete the resource group. When you delete the resource group, you also remove all the related resources.
To delete the resource group:
On the Azure portal menu, select Resource groups or search for and select Resource groups.
On the Resource groups page, search for and select my-container-apps.
On the Resource group page, select Delete resource group.
Enter my-container-apps under TYPE THE RESOURCE GROUP NAME and then select Delete