WEBVTT 0:00:02.560000 --> 0:00:09.600000 If you've watched any of my videos on INE about web apps, you're probably 0:00:09.600000 --> 0:00:14.260000 aware that I am absolutely a big proponent of using web apps. 0:00:14.260000 --> 0:00:18.600000 But one thing that you need to think about if you're going to implement 0:00:18.600000 --> 0:00:22.420000 a web-based workload, frankly, whether it's in web apps or if it's in 0:00:22.420000 --> 0:00:27.460000 another format such as virtual machine infrastructure as a service, is 0:00:27.460000 --> 0:00:29.120000 how you're going to protect that web app. 0:00:29.120000 --> 0:00:32.460000 And that's what we're going to spend a few minutes talking about in this 0:00:32.460000 --> 0:00:35.180000 video. Now, some of the things I'm going to bring up, I'm really just 0:00:35.180000 --> 0:00:38.860000 going to hit on because they are covered in depth in other videos. 0:00:38.860000 --> 0:00:41.500000 But let's go ahead and let's look at the big picture. 0:00:41.500000 --> 0:00:44.760000 Okay, I want to start out by looking at the web protection or web app 0:00:44.760000 --> 0:00:46.240000 protection options. 0:00:46.240000 --> 0:00:49.060000 What can we do? What are the things that we have at our disposal that 0:00:49.060000 --> 0:00:52.740000 are going to really allow us to shore that up? 0:00:52.740000 --> 0:00:57.660000 And then I want to dive in a little bit and think about service endpoints 0:00:57.660000 --> 0:01:02.320000 and web application firewalls and how they really work together. 0:01:02.320000 --> 0:01:06.400000 And we'll talk a little bit about security center as well. 0:01:06.400000 --> 0:01:08.920000 And then I'm going to go through a demonstration of some of the things 0:01:08.920000 --> 0:01:11.060000 you can do to protect a web app. 0:01:11.060000 --> 0:01:15.180000 Specifically, we're going to look at integrating service endpoints with 0:01:15.180000 --> 0:01:16.900000 web application firewall. 
0:01:16.900000 --> 0:01:20.720000 So let's go ahead and let's jump into this. 0:01:20.720000 --> 0:01:26.920000 Now, when we start out, when we think about our options, right, for me, 0:01:26.920000 --> 0:01:32.940000 let's go back there a sec, for me, the options kind of fall into three 0:01:32.940000 --> 0:01:35.920000 categories. You know, if we think about our web app, right, so here's 0:01:35.920000 --> 0:01:37.940000 our web app. We've got a web app. 0:01:37.940000 --> 0:01:43.360000 That's awesome. We'll say WA for web app. 0:01:43.360000 --> 0:01:48.060000 All right, and then somewhere over here, we've got a user with a fairly 0:01:48.060000 --> 0:01:52.960000 oddly shaped head, but that's okay. 0:01:52.960000 --> 0:01:56.160000 The user wants to use a web app, but really, if you think about it, when 0:01:56.160000 --> 0:01:59.440000 you use a web app, you're not just using the web app. 0:01:59.440000 --> 0:02:04.940000 You're also using typically things behind the web app, right? 0:02:04.940000 --> 0:02:07.640000 Maybe you've got an API service. 0:02:07.640000 --> 0:02:09.500000 Maybe you've got a database. 0:02:09.500000 --> 0:02:13.860000 Maybe you've got file storage. 0:02:13.860000 --> 0:02:19.520000 Right? But when that user is connecting to the web app, that web app is 0:02:19.520000 --> 0:02:22.960000 really connecting to all these back end things as well. 0:02:22.960000 --> 0:02:26.320000 So if you really think about it, what you want to do is you want to make 0:02:26.320000 --> 0:02:30.880000 sure that you've got a protection solution that's protecting every part 0:02:30.880000 --> 0:02:32.220000 of that web application. 0:02:32.220000 --> 0:02:36.180000 All right, and you know, what I would say is we're going to talk about 0:02:36.180000 --> 0:02:38.020000 things that you can do at the web app level. 0:02:38.020000 --> 0:02:40.820000 That was the right thing there. 
0:02:40.820000 --> 0:02:44.520000 Now, I'm not mentioned a few things that can help you with the back end 0:02:44.520000 --> 0:02:48.980000 protection, all right, but there's also, as I said, videos on that. 0:02:48.980000 --> 0:02:52.760000 But I also want to talk about being able to put a little bit in front 0:02:52.760000 --> 0:02:58.160000 of that so that rather than say having a user connect to your web app 0:02:58.160000 --> 0:03:05.460000 directly, instead, that user is going to connect via some kind of front 0:03:05.460000 --> 0:03:07.360000 end protection. Right? 0:03:07.360000 --> 0:03:10.820000 And we're going to talk about the web application firewall and really 0:03:10.820000 --> 0:03:16.980000 different ways that you can implement the web application firewall to 0:03:16.980000 --> 0:03:18.380000 further protect the web app. 0:03:18.380000 --> 0:03:22.240000 Right? So we want to have this layered protection, this defense and depth 0:03:22.240000 --> 0:03:28.320000 capability where we've got, you know, really the best options that are 0:03:28.320000 --> 0:03:31.640000 available at our disposal to protect our web app. 0:03:31.640000 --> 0:03:34.920000 Now, the next thing I want to do is just go through really just a quick 0:03:34.920000 --> 0:03:39.480000 list of what some of the options are that we have across board. 0:03:39.480000 --> 0:03:42.280000 As I said, we're not going to dive into these, right, but just to kind 0:03:42.280000 --> 0:03:45.840000 of get you to think about what our options are. 0:03:45.840000 --> 0:03:48.880000 All right. So one of the things that we have with web app, of course, 0:03:48.880000 --> 0:03:51.920000 is we have authentication and role based access control. 0:03:51.920000 --> 0:03:54.380000 And we have two layers of authentication. 
0:03:54.380000 --> 0:04:00.180000 We have the idea of authenticating before you can access and modify a 0:04:00.180000 --> 0:04:04.600000 web app itself, right, through role based access control, through Azure 0:04:04.600000 --> 0:04:09.260000 AD and through the standard Azure resource management model. 0:04:09.260000 --> 0:04:13.680000 Right? But we also actually have the ability to layer on top end user 0:04:13.680000 --> 0:04:17.980000 authentication. Even if there's not authentication baked into the application, 0:04:17.980000 --> 0:04:19.660000 you can still layer on top of that. 0:04:19.660000 --> 0:04:20.440000 So you know what? 0:04:20.440000 --> 0:04:23.680000 Anybody coming to this application before they use it, they've got to 0:04:23.680000 --> 0:04:25.060000 get through an authentication process. 0:04:25.060000 --> 0:04:29.860000 Now, I'm not a huge fan of doing that in isolation from the application 0:04:29.860000 --> 0:04:31.520000 itself, but it certainly is an option. 0:04:31.520000 --> 0:04:37.360000 One of the most important developments, uh, evolutions within the Azure 0:04:37.360000 --> 0:04:41.480000 environment, in my opinion, from a security standpoint is service endpoints. 0:04:41.480000 --> 0:04:45.920000 And this is something that I remember I was at a conference several years 0:04:45.920000 --> 0:04:51.060000 ago. And one of the issues that people had with using some of the platform 0:04:51.060000 --> 0:04:56.100000 services in Azure is the fact that, you know, even if you are implementing 0:04:56.100000 --> 0:05:00.120000 security and authentication and authorization, it still has a public endpoint 0:05:00.120000 --> 0:05:02.920000 and that public endpoint can still be hit. 0:05:02.920000 --> 0:05:07.760000 And really, for me, that's what service endpoints can really help with 0:05:07.760000 --> 0:05:12.340000 and get around. 
Okay, we also have application gateway in front door and 0:05:12.340000 --> 0:05:16.600000 web application firewall and application gateway and front door do very 0:05:16.600000 --> 0:05:21.520000 similar things. Application gateway being more regional and front door 0:05:21.520000 --> 0:05:23.200000 being more global. 0:05:23.200000 --> 0:05:27.400000 And there's a few other differences as well, but in terms of web apps, 0:05:27.400000 --> 0:05:30.520000 both can be used, although differently to protect the web app. 0:05:30.520000 --> 0:05:32.600000 You absolutely have encryption settings. 0:05:32.600000 --> 0:05:35.280000 For example, you can require certain level of TLS. 0:05:35.280000 --> 0:05:39.700000 You can even require, uh, if need be, you can require client certificates 0:05:39.700000 --> 0:05:41.980000 for connectivity to your web app. 0:05:41.980000 --> 0:05:46.800000 All right, one of the things I think is absolutely huge in terms of service 0:05:46.800000 --> 0:05:50.340000 security is managed identity. 0:05:50.340000 --> 0:05:53.880000 And I talk about managed identity in other places and probably if you 0:05:53.880000 --> 0:05:57.920000 watch a video on that, you realize I'm, shall we say, a proponent, but 0:05:57.920000 --> 0:06:03.840000 that ability to allow your web app to interact with resource, to interact 0:06:03.840000 --> 0:06:09.020000 with the data plane of resources, such as Azure SQL database, such as 0:06:09.020000 --> 0:06:14.540000 storage accounts, with an identity that is controlled by Azure and has 0:06:14.540000 --> 0:06:20.960000 role based access control rather than having to have a connection string 0:06:20.960000 --> 0:06:24.580000 that somewhere somehow is going to be stored. 0:06:24.580000 --> 0:06:29.020000 Love that. We also have deep diagnostics. 
0:06:29.020000 --> 0:06:34.440000 And if you take a look at the application insights capabilities, just 0:06:34.440000 --> 0:06:37.060000 tremendous capabilities in terms of collecting data. 0:06:37.060000 --> 0:06:42.120000 Now, there are some limitations on that in terms of the fact that the 0:06:42.120000 --> 0:06:46.500000 integrated application insights at the time of this recording only work 0:06:46.500000 --> 0:06:50.120000 with Windows hosted web apps. 0:06:50.120000 --> 0:06:54.660000 But, you know, if you fall in that category, fantastic capabilities. 0:06:54.660000 --> 0:06:56.740000 Also, key vault integration. 0:06:56.740000 --> 0:06:58.600000 And that's one of the things I really like. 0:06:58.600000 --> 0:07:01.720000 That was also a relatively recent addition. 0:07:01.720000 --> 0:07:05.660000 And I kind of look at that as hand in hand with managed identity. 0:07:05.660000 --> 0:07:08.500000 Right. If I'm using a managed identity and I'm accessing, let's say, an 0:07:08.500000 --> 0:07:13.940000 Azure SQL database, then without putting any credentials anywhere, I can 0:07:13.940000 --> 0:07:29.800000 have my web app access the data that it needs in a controlled way. 0:07:29.800000 --> 0:07:35.380000 So, I'm going to put it in the settings for a web app. 0:07:35.380000 --> 0:07:37.060000 And those are encrypted and stored. 0:07:37.060000 --> 0:07:41.640000 But what I really like is I can actually take my settings. 0:07:41.640000 --> 0:07:42.820000 I can put them in key vault. 0:07:42.820000 --> 0:07:46.440000 So it's not only encrypted, it could be encrypted with my own key. 0:07:46.440000 --> 0:07:51.180000 It is rights controlled from both policy and role based access control 0:07:51.180000 --> 0:07:53.640000 perspectives and it's audited. 0:07:53.640000 --> 0:07:57.180000 And I'm not going to go down that road as much as I like it because there's 0:07:57.180000 --> 0:07:58.120000 another video on that. 
0:07:58.120000 --> 0:08:00.800000 We've got some good coverage of key vault here. 0:08:00.800000 --> 0:08:04.240000 But that is definitely something that you want to think about. 0:08:04.240000 --> 0:08:10.300000 Okay. And as I say, kind of in line with the managed identity. 0:08:10.300000 --> 0:08:15.960000 Now, what I'd like to do is kind of think about protecting web apps from 0:08:15.960000 --> 0:08:19.200000 a kind of a practical standpoint. 0:08:19.200000 --> 0:08:22.620000 And really, there's two parts of this that go together. 0:08:22.620000 --> 0:08:30.000000 And they are the web application firewall and service endpoints. 0:08:30.000000 --> 0:08:35.220000 Okay. And if you're not familiar, I've got, let's say I've got a web application, 0:08:35.220000 --> 0:08:40.820000 right? And if I've got a web application, what that means, by default, 0:08:40.820000 --> 0:08:43.820000 is that I've got a public endpoint. 0:08:43.820000 --> 0:08:46.400000 That is an Internet accessible endpoint. 0:08:46.400000 --> 0:08:52.080000 Right? And that means that anybody from anywhere can access the endpoint. 0:08:52.080000 --> 0:08:55.860000 Now, hopefully I've got good security so that I'm locking that down. 0:08:55.860000 --> 0:08:59.960000 But that's something that makes a lot of people, including myself, a little 0:08:59.960000 --> 0:09:01.100000 bit nervous about. 0:09:01.100000 --> 0:09:06.860000 So what we have now is we have this idea of a service endpoint. 0:09:06.860000 --> 0:09:16.880000 And service endpoints are supported across a wide range of services and 0:09:16.880000 --> 0:09:19.880000 web apps and application services in general. 0:09:19.880000 --> 0:09:23.760000 We're not the first tool to get the first service to get service endpoints, 0:09:23.760000 --> 0:09:26.460000 but I think they're one of the most important. 0:09:26.460000 --> 0:09:31.140000 Okay. 
So what I can do with the service endpoint is I can restrict what 0:09:31.140000 --> 0:09:34.400000 has access to my web app. 0:09:34.400000 --> 0:09:39.800000 In fact, I could restrict what has access to my web app down to a specific 0:09:39.800000 --> 0:09:43.420000 virtual network. 0:09:43.420000 --> 0:09:47.060000 Okay. And so if I've got a service endpoint and it's set up with this 0:09:47.060000 --> 0:09:52.480000 virtual network, what that means is that there is no longer a publicly 0:09:52.480000 --> 0:09:54.680000 accessible endpoint. 0:09:54.680000 --> 0:10:01.200000 And so any traffic that's going to that web app would have to go through 0:10:01.200000 --> 0:10:06.000000 that virtual network. 0:10:06.000000 --> 0:10:06.920000 All right. Well, okay. 0:10:06.920000 --> 0:10:12.180000 That means it's only local, not necessarily because what we could do is 0:10:12.180000 --> 0:10:21.360000 we could set up, for example, an application gateway. 0:10:21.360000 --> 0:10:26.520000 And I can set up an application gateway and I could set that up with a 0:10:26.520000 --> 0:10:30.460000 web application firewall and many other security settings. 0:10:30.460000 --> 0:10:35.580000 Right. And so that is actually part of a virtual network. 0:10:35.580000 --> 0:10:37.940000 It's got a local identity within that virtual network. 0:10:37.940000 --> 0:10:42.240000 And then anyone coming in. 0:10:42.240000 --> 0:10:44.440000 There we go. A little bit better. 0:10:44.440000 --> 0:10:49.580000 Anybody coming in rather than going directly against the web app, now 0:10:49.580000 --> 0:10:52.920000 they've got to come in through my application gateway and through the 0:10:52.920000 --> 0:10:54.540000 web application firewall. 0:10:54.540000 --> 0:10:57.040000 Now, there's another alternative that I can use. 0:10:57.040000 --> 0:10:59.100000 It also supports web application firewall. 0:10:59.100000 --> 0:11:02.740000 And that is the Azure Front Door Service. 
0:11:02.740000 --> 0:11:12.740000 Right. And if I have the Front Door Service, then I could direct the user 0:11:12.740000 --> 0:11:17.040000 to go through the Front Door Service and the Front Door Service, by the 0:11:17.040000 --> 0:11:22.960000 way, can run web application firewall and have access. 0:11:22.960000 --> 0:11:25.080000 Now, what about that security endpoint? 0:11:25.080000 --> 0:11:34.940000 I can also then add firewall rules to the web app to allow that Front 0:11:34.940000 --> 0:11:36.160000 Door Service in. 0:11:36.160000 --> 0:11:39.760000 I just need to know what the IP address ranges for the Front Door Service 0:11:39.760000 --> 0:11:43.660000 and fortunately for me, that's published by Microsoft. 0:11:43.660000 --> 0:11:48.380000 Okay. So really when we think about protecting web apps, we're thinking 0:11:48.380000 --> 0:11:50.280000 about protecting web apps. 0:11:50.280000 --> 0:11:56.860000 And I'm a huge fan of the firewall rules slash the service endpoints. 0:11:56.860000 --> 0:11:58.740000 Right. And then looking at ways that we can use web apps. 0:11:58.740000 --> 0:12:02.340000 We can apply things like the web application firewall using that. 0:12:02.340000 --> 0:12:06.820000 Now, speaking of the web application firewall. 0:12:06.820000 --> 0:12:14.940000 And I was going to have this massive list of all the things that the web 0:12:14.940000 --> 0:12:17.020000 application firewall protects against. 0:12:17.020000 --> 0:12:20.160000 But then I kind of thought that if you're watching this video, you can 0:12:20.160000 --> 0:12:21.260000 probably pull that list up. 0:12:21.260000 --> 0:12:23.820000 So I have literally just the highlights here. 0:12:23.820000 --> 0:12:28.400000 It's entirely possible also when I pulled the entire list in from Microsoft, 0:12:28.400000 --> 0:12:29.860000 it kind of spanned three slides. 0:12:29.860000 --> 0:12:31.900000 That just didn't seem like a fun presentation. 
0:12:31.900000 --> 0:12:37.140000 But I do recommend that you take a look at the documentation for web application 0:12:37.140000 --> 0:12:44.080000 firewall because that's really going to give you an idea of the breadth 0:12:44.080000 --> 0:12:45.240000 of what it protects. 0:12:45.240000 --> 0:12:47.060000 Also, I kind of demonstrate it. 0:12:47.060000 --> 0:12:48.100000 So you'll see it. 0:12:48.100000 --> 0:12:51.240000 But I like the summary that's available in Microsoft documentation. 0:12:51.240000 --> 0:12:55.840000 Just do a search for web application firewall under docs.martself.com. 0:12:55.840000 --> 0:13:01.000000 Okay. As I mentioned, it is associated right now with two different services. 0:13:01.000000 --> 0:13:05.260000 There's the front door, which is that global service. 0:13:05.260000 --> 0:13:07.420000 And there's also application gateway. 0:13:07.420000 --> 0:13:09.560000 Now I talk about those in other videos. 0:13:09.560000 --> 0:13:13.180000 And definitely, this is something honestly I still have to look at every 0:13:13.180000 --> 0:13:18.400000 time to get my head around is kind of how the overlaps are. 0:13:18.400000 --> 0:13:22.840000 And how similar the front door services to the application gateway again 0:13:22.840000 --> 0:13:26.320000 in some ways. Front door does more subtle differences. 0:13:26.320000 --> 0:13:28.420000 But you should take a look at that. 0:13:28.420000 --> 0:13:32.540000 Again, some of these things, SQL injection, cross-site scripting, the 0:13:32.540000 --> 0:13:37.200000 big ones, tons of common web attacks, SQL injection. 0:13:37.200000 --> 0:13:38.360000 Oh, that's right up the top. 0:13:38.360000 --> 0:13:39.740000 Sorry about that. 0:13:39.740000 --> 0:13:43.000000 Also crawler scanners, other vulnerabilities, and you can add your own 0:13:43.000000 --> 0:13:45.980000 custom rules, which is actually, I think, pretty awesome. 0:13:45.980000 --> 0:13:53.160000 All right. 
Now, in addition to that, we do have security center. 0:13:53.160000 --> 0:13:58.580000 And security center, first of all, you do need the standard tier of security 0:13:58.580000 --> 0:14:04.520000 center. But you can then bring in web apps and function apps and even 0:14:04.520000 --> 0:14:09.300000 app service environments and have those protected and really monitored 0:14:09.300000 --> 0:14:13.020000 and have a learning setup through security center. 0:14:13.020000 --> 0:14:18.580000 And so just something to be aware of as an option that you have for protecting 0:14:18.580000 --> 0:14:20.800000 your web applications. 0:14:20.800000 --> 0:14:24.740000 Right. But also keep in mind that with that service endpoint concept, 0:14:24.740000 --> 0:14:31.560000 if you have your own network virtual service, you can run those and you 0:14:31.560000 --> 0:14:33.060000 want to run traffic through those. 0:14:33.060000 --> 0:14:35.840000 Now you can in a very secured way. 0:14:35.840000 --> 0:14:39.260000 All right. So what I'd like to do next is I would like to go ahead and 0:14:39.260000 --> 0:14:42.940000 demonstrate protecting a web application. 0:14:42.940000 --> 0:14:45.940000 I've got a web application, very simple web application. 0:14:45.940000 --> 0:14:49.780000 And right now, it doesn't really have a whole lot of protection, but I'm 0:14:49.780000 --> 0:14:55.200000 going to show you how you can provision an application gateway and set 0:14:55.200000 --> 0:14:56.120000 that up to protect it. 0:14:56.120000 --> 0:14:59.960000 And I'm also going to show you how you can provision and set up a front 0:14:59.960000 --> 0:15:03.960000 door service to also protect your web application. 0:15:03.960000 --> 0:15:06.680000 Now, in both cases, I will tell you, I'm going to walk through the provisioning 0:15:06.680000 --> 0:15:09.040000 process, but I have these already provisioned. 0:15:09.040000 --> 0:15:11.160000 Okay. Actually prepared for this. 
0:15:11.160000 --> 0:15:13.920000 And so I want to take you through that, take you through the process, 0:15:13.920000 --> 0:15:17.380000 but then show you the result and show you how you would tie together. 0:15:17.380000 --> 0:15:24.200000 All right. Let's go ahead and let's jump into that. 0:15:24.200000 --> 0:15:28.060000 Here I have an application service, a very simple application service. 0:15:28.060000 --> 0:15:33.440000 Right now, it's really not under any particular protection. 0:15:33.440000 --> 0:15:37.380000 I just bring this up and it tells me, okay, here's a server that's coming 0:15:37.380000 --> 0:15:50.660000 from here is the URL that is associated with this web app right now. 0:15:50.660000 --> 0:15:52.820000 And that's not really critical. 0:15:52.820000 --> 0:15:56.860000 Okay. Now, if I want to protect this, a couple different options. 0:15:56.860000 --> 0:16:00.520000 First option would be to use application gateway. 0:16:00.520000 --> 0:16:03.080000 Okay. And if I wanted to set up an application gateway, and like I said, 0:16:03.080000 --> 0:16:07.160000 I'm actually going to go through this, everything except actually creating 0:16:07.160000 --> 0:16:10.440000 it. The whole provisioning process here. 0:16:10.440000 --> 0:16:11.620000 So I'm going to go and say, you know what? 0:16:11.620000 --> 0:16:13.620000 I want an application gateway. 0:16:13.620000 --> 0:16:15.380000 So I create it. Okay. 0:16:15.380000 --> 0:16:18.220000 It's going to demo web app needs a name. 0:16:18.220000 --> 0:16:24.040000 Oh, apparently caps locked it. 0:16:24.040000 --> 0:16:27.180000 That's terrible. 0:16:27.180000 --> 0:16:29.200000 That's better. All right. 0:16:29.200000 --> 0:16:31.000000 We're going to put this thing in. 0:16:31.000000 --> 0:16:35.060000 Not surprisingly, east US. 0:16:35.060000 --> 0:16:38.260000 Okay. Now it's got a tier. 
0:16:38.260000 --> 0:16:43.000000 And what I'm going to do is I'm going to select web application firewall, 0:16:43.000000 --> 0:16:44.900000 laugh V2. All right. 0:16:44.900000 --> 0:16:47.140000 I don't want all the scaling, not that it matters. 0:16:47.140000 --> 0:16:48.600000 I'm not just going to say this. 0:16:48.600000 --> 0:16:53.380000 The firewall is enabled and I can either use detection or prevention. 0:16:53.380000 --> 0:16:56.680000 Okay. I'm not going to use availability zone HTTP. 0:16:56.680000 --> 0:17:01.440000 And I am going to associate this with a virtual network. 0:17:01.440000 --> 0:17:04.720000 Okay. Now it's going to end up not liking this because I already have 0:17:04.720000 --> 0:17:07.540000 something on that virtual network and that's fine. 0:17:07.540000 --> 0:17:09.680000 Because I'm not actually doing it. 0:17:09.680000 --> 0:17:14.800000 All right. Next says, okay, for your for your web application or for your 0:17:14.800000 --> 0:17:17.800000 application gateway, you need a front end IP address. 0:17:17.800000 --> 0:17:19.180000 I can make a public or private. 0:17:19.180000 --> 0:17:21.400000 You know, I'm just going to make a private because I have to do less. 0:17:21.400000 --> 0:17:23.960000 Oops. Can't make that private. 0:17:23.960000 --> 0:17:33.020000 Have to have a public and terrible name, but we'll go with it. 0:17:33.020000 --> 0:17:34.640000 Now the back ends. 0:17:34.640000 --> 0:17:36.760000 Okay. What are we going to set this up with? 0:17:36.760000 --> 0:17:41.500000 I'm going to create a back end pool and say web app. 0:17:41.500000 --> 0:17:46.620000 And I'm going to add an app service. 0:17:46.620000 --> 0:17:49.860000 And I'm going to add my app service. 0:17:49.860000 --> 0:17:53.260000 All right. And so now I'm saying, all right, this is going to have an 0:17:53.260000 --> 0:17:54.200000 application gateway. 0:17:54.200000 --> 0:17:55.640000 It's kind of a public IP address. 
0:17:55.640000 --> 0:17:57.220000 It's going to have a back end. 0:17:57.220000 --> 0:17:59.440000 Next is configuration. 0:17:59.440000 --> 0:18:02.180000 Have to set up some routing rules here. 0:18:02.180000 --> 0:18:07.500000 Give it a listener. 0:18:07.500000 --> 0:18:11.800000 Give it a front end IP. 0:18:11.800000 --> 0:18:14.140000 I will say HTTP. 0:18:14.140000 --> 0:18:15.700000 All the rest of that is good. 0:18:15.700000 --> 0:18:19.900000 Set up a back end target. 0:18:19.900000 --> 0:18:23.940000 Great new HTTP settings. 0:18:23.940000 --> 0:18:29.660000 And I am blazing through this because this is done in other videos. 0:18:29.660000 --> 0:18:31.580000 So, you know, get the gist of it. 0:18:31.580000 --> 0:18:35.060000 If you want to follow in detail, you certainly can go and take a look 0:18:35.060000 --> 0:18:37.620000 at some of the application gateway videos. 0:18:37.620000 --> 0:18:39.240000 I think there's probably more than one. 0:18:39.240000 --> 0:18:41.660000 All right. So now, however, I have it set up. 0:18:41.660000 --> 0:18:43.400000 All right. Good tags. 0:18:43.400000 --> 0:18:45.240000 And then I would review and create. 0:18:45.240000 --> 0:18:47.480000 There we go. I could create this. 0:18:47.480000 --> 0:18:51.700000 But I'm not going to because I already have it. 0:18:51.700000 --> 0:18:56.360000 Okay. Now, the one thing is just because I have application gateway and 0:18:56.360000 --> 0:19:02.360000 if I go to my application gateway, okay, I see it's got an IP address. 0:19:02.360000 --> 0:19:07.460000 And if I copy that IP address. 0:19:07.460000 --> 0:19:10.160000 And I go to that IP address. 0:19:10.160000 --> 0:19:15.900000 Awesome. I am going through my application gateway. 0:19:15.900000 --> 0:19:20.940000 Now, the application gateway ends up telling the server that it's going 0:19:20.940000 --> 0:19:25.260000 to its standard URL, which is fine. 
0:19:25.260000 --> 0:19:27.600000 Notice, interestingly enough, it's different. 0:19:27.600000 --> 0:19:30.040000 I have a custom URL and that's the built in URL. 0:19:30.040000 --> 0:19:31.800000 Again, not really important. 0:19:31.800000 --> 0:19:36.560000 That's great. I'm going through the application gateway, but I am not 0:19:36.560000 --> 0:19:38.740000 limited to the application gateway. 0:19:38.740000 --> 0:19:40.940000 All right. Somebody could still go in directly. 0:19:40.940000 --> 0:19:46.220000 So what I want to do is I want to go to the actual web app. 0:19:46.220000 --> 0:19:53.940000 And I'm going to go down here to somewhere around here, networking. 0:19:53.940000 --> 0:20:01.480000 Okay. Now, I will tell you when it comes to networking settings and service 0:20:01.480000 --> 0:20:04.580000 endpoints, the terminology is definitely inconsistent. 0:20:04.580000 --> 0:20:09.460000 The way I do this for a web app is different than the way I do this for 0:20:09.460000 --> 0:20:13.820000 a storage account, but you kind of get used to that. 0:20:13.820000 --> 0:20:14.800000 And you know it's there. 0:20:14.800000 --> 0:20:17.220000 What's important is knowing it's there and knowing you can get to it. 0:20:17.220000 --> 0:20:19.580000 And of course, if you're going to take an exam, it's probably a good idea 0:20:19.580000 --> 0:20:22.780000 to take a look. Anyways, okay, here I am. 0:20:22.780000 --> 0:20:23.820000 I'm at my web app. 0:20:23.820000 --> 0:20:26.240000 I'm going to add a rule. 0:20:26.240000 --> 0:20:27.920000 And I'm going to add a rule. 0:20:27.920000 --> 0:20:30.320000 And this is going to be a G for application gateway. 0:20:30.320000 --> 0:20:32.120000 It's my application gateway rule. 0:20:32.120000 --> 0:20:35.000000 I'm going to give this a priority of 300. 0:20:35.000000 --> 0:20:39.620000 All right. And I'm going to set the type to be virtual network. 0:20:39.620000 --> 0:20:43.420000 And I have to pick a virtual network. 
0:20:43.420000 --> 0:20:48.080000 And that is the virtual network that has my current application gateway. 0:20:48.080000 --> 0:20:52.920000 And as I said, I set up that gateway literally exactly the way that, well, 0:20:52.920000 --> 0:20:56.740000 actually not quite exactly, almost exactly the way that I set up the one 0:20:56.740000 --> 0:20:57.720000 that I was showing you. 0:20:57.720000 --> 0:21:02.300000 The only difference is, is that I did tell the application gateway to 0:21:02.300000 --> 0:21:08.060000 alias the host header because that's required for web apps. 0:21:08.060000 --> 0:21:09.260000 But that was just one click. 0:21:09.260000 --> 0:21:13.220000 I don't think it's necessarily worth it to go check that out. 0:21:13.220000 --> 0:21:15.060000 Now I have that set up. 0:21:15.060000 --> 0:21:17.560000 Okay, but do I believe it? 0:21:17.560000 --> 0:21:22.000000 There we go. As soon as I try to get there now, I'm trying to go directly. 0:21:22.000000 --> 0:21:23.420000 I now get a 403. 0:21:23.420000 --> 0:21:27.340000 Okay. So I can no longer go just to the directly to the app service, which 0:21:27.340000 --> 0:21:29.740000 really is exactly what I want. 0:21:29.740000 --> 0:21:35.200000 Okay. But if I go back to my application gateway. 0:21:35.200000 --> 0:21:42.840000 And once again, copy the IP address because I didn't bother to set up 0:21:42.840000 --> 0:21:44.640000 a DNS alias for it. 0:21:44.640000 --> 0:21:46.600000 Okay. And I go here. 0:21:46.600000 --> 0:21:52.620000 There we go. I'm in. 0:21:52.620000 --> 0:21:57.980000 Right. So now I'm forcing traffic through my application gateway. 0:21:57.980000 --> 0:22:02.540000 All right. Last thing I want to show you is how I would do this with Azure 0:22:02.540000 --> 0:22:05.620000 Front Door. But what's interesting with Front Doors, before you set up 0:22:05.620000 --> 0:22:10.740000 Front Door, you actually have to set up a web application firewall policy. 
0:22:10.740000 --> 0:22:14.220000 And the really cool thing about that is that it kind of shows you what's 0:22:14.220000 --> 0:22:17.600000 available in web application. 0:22:17.600000 --> 0:22:18.400000 Firewall options. 0:22:18.400000 --> 0:22:21.700000 So I'm going to go to web application firewall policy. 0:22:21.700000 --> 0:22:25.020000 Just says web application firewall here, but I promise it's policy. 0:22:25.020000 --> 0:22:26.300000 It says it there. 0:22:26.300000 --> 0:22:29.220000 All right. So I can set up a policy. 0:22:29.220000 --> 0:22:32.700000 And I'm going to say, okay, I want this to be a policy and notice it can 0:22:32.700000 --> 0:22:35.940000 be a global web application firewall for Front Door. 0:22:35.940000 --> 0:22:37.680000 It can be for application gateway. 0:22:37.680000 --> 0:22:40.800000 There will eventually it's in preview now also be available for Azure 0:22:40.800000 --> 0:22:44.740000 CDN. Again, the cool thing is it's completely consistent. 0:22:44.740000 --> 0:22:46.220000 Okay. So I'm going to make sure that I'm going to set up a policy. 0:22:46.220000 --> 0:22:49.720000 I'm going to make it for a global WAF. 0:22:49.720000 --> 0:22:53.520000 It's going to go in demo web app and. 0:22:53.520000 --> 0:22:59.100000 Give it a name demo WAF to. 0:22:59.100000 --> 0:23:00.420000 All right. Cool. 0:23:00.420000 --> 0:23:01.900000 Now for the big one. 0:23:01.900000 --> 0:23:04.220000 Okay. Actually, no, sorry. 0:23:04.220000 --> 0:23:05.160000 Next one's a big one. 0:23:05.160000 --> 0:23:07.800000 All right. So what I want to do, I can set the mode for prevention or 0:23:07.800000 --> 0:23:11.020000 detection. I can set a redirect URL. 0:23:11.020000 --> 0:23:17.160000 Or I can give it a 403 and give it a different response codes. 0:23:17.160000 --> 0:23:20.460000 Then I've got and this is this is part that's really cool. 0:23:20.460000 --> 0:23:22.100000 All right. Here are my managed rules. 
0:23:22.100000 --> 0:23:25.280000 So a lot of people say, okay, you've got WAF. 0:23:25.280000 --> 0:23:26.380000 What does that protect against? 0:23:26.380000 --> 0:23:27.020000 How do I see that? 0:23:27.020000 --> 0:23:29.020000 This is actually kind of the best way to see it. 0:23:29.020000 --> 0:23:33.720000 Now, first of all, I've got a number of sets of rules. 0:23:33.720000 --> 0:23:36.300000 Only two of them are in general availability. 0:23:36.300000 --> 0:23:38.720000 Two of them are in preview. 0:23:38.720000 --> 0:23:43.400000 So they're updating the default rule set and they're updating bot protection. 0:23:43.400000 --> 0:23:46.880000 But right now I've got a standard default rule set and a Microsoft bot 0:23:46.880000 --> 0:23:48.120000 manager rule set. 0:23:48.120000 --> 0:23:51.860000 We're going to just go with the standard, and then here are all of the 0:23:51.860000 --> 0:23:55.020000 different protections, and I'm not going to go through all these, but I 0:23:55.020000 --> 0:23:57.080000 encourage you to take a look at this. 0:23:57.080000 --> 0:24:02.820000 So I've got a whole bunch of HTTP protocol attacks. 0:24:02.820000 --> 0:24:06.780000 I go down here, near and dear to my heart, SQL injection. 0:24:06.780000 --> 0:24:09.020000 And not just, okay, here's a SQL injection. 0:24:09.020000 --> 0:24:15.800000 These are all industry standard protections against a wide range of attacks. 0:24:15.800000 --> 0:24:18.460000 Okay. And again, I don't want to put you to sleep, but you have control 0:24:18.460000 --> 0:24:22.380000 over that. And if that's not enough, you actually can add your own custom 0:24:22.380000 --> 0:24:27.380000 rules. If we go to custom rule, we give it a name, can enable it, give it 0:24:27.380000 --> 0:24:33.360000 a, you know, whether it's a match or a rate limit, say 300. 0:24:33.360000 --> 0:24:37.800000 And then what I can do is different types of match. 0:24:37.800000 --> 0:24:40.020000 So geolocation, IP address, size or string. 
0:24:40.020000 --> 0:24:45.820000 So if for some reason, I'm going to say, you know what? 0:24:45.820000 --> 0:24:51.780000 If we've got a particular thing within our country and we cannot have 0:24:51.780000 --> 0:24:55.340000 information going to other specific countries, I could actually set that 0:24:55.340000 --> 0:25:00.580000 up as a WAF firewall rule, and you can add additional conditions and really 0:25:00.580000 --> 0:25:08.300000 build it out. Next, I would associate that with a front end host if I 0:25:08.300000 --> 0:25:10.040000 want to, or I can go back and do it later. 0:25:10.040000 --> 0:25:12.100000 And then I would review and create. 0:25:12.100000 --> 0:25:14.320000 Okay. So that's the policy. 0:25:14.320000 --> 0:25:17.400000 Next, again, we're talking about Front Door. 0:25:17.400000 --> 0:25:19.760000 Next would be setting up Front Door. 0:25:19.760000 --> 0:25:23.520000 So I'm going to go there and I'm going to create Front Door. 0:25:23.520000 --> 0:25:24.920000 Kind of go through the same thing. 0:25:24.920000 --> 0:25:28.640000 And I realize this video is on this, but I figure it might as well be 0:25:28.640000 --> 0:25:30.380000 consistent here and have one thing. 0:25:30.380000 --> 0:25:33.540000 Okay. So I go through, I've got Front Door, great. 0:25:33.540000 --> 0:25:36.360000 Then I go to the cool configuration designer. 0:25:36.360000 --> 0:25:38.940000 I get to start out by adding a front end host. 0:25:38.940000 --> 0:25:45.200000 And I'm going to give the host name of demo two, because demo should, oh, 0:25:45.200000 --> 0:25:48.060000 it does. That is something different. 0:25:48.060000 --> 0:25:53.420000 Okay. So I don't want session affinity, but I do want an application firewall. 0:25:53.420000 --> 0:25:56.620000 And I happen to already have a WAF policy. 0:25:56.620000 --> 0:25:59.880000 You do need a WAF policy before you create a Front Door if you're going 0:25:59.880000 --> 0:26:01.300000 to use it with the policy. 
0:26:01.300000 --> 0:26:04.440000 You can always create the Front Door first with the WAF, 0:26:04.440000 --> 0:26:07.800000 excuse me, web application firewall, disabled, 0:26:07.800000 --> 0:26:10.480000 create the policy, and then link it. 0:26:10.480000 --> 0:26:14.040000 All right. So that's my front end host. 0:26:14.040000 --> 0:26:15.220000 That's easy. All right. 0:26:15.220000 --> 0:26:20.660000 Then I'll go to a backend pool 0:26:20.660000 --> 0:26:24.440000 and add a backend host, 0:26:24.440000 --> 0:26:27.140000 which is app service. 0:26:27.140000 --> 0:26:30.440000 There we go. Actually, all right there. 0:26:30.440000 --> 0:26:33.180000 Okay. So the host name, I need the web app. 0:26:33.180000 --> 0:26:36.720000 Backend host header, and then the ports. 0:26:36.720000 --> 0:26:39.560000 Pretty straightforward. 0:26:39.560000 --> 0:26:41.900000 And then anything else? 0:26:41.900000 --> 0:26:44.880000 Health probe. Protocol. 0:26:44.880000 --> 0:26:47.440000 One probe. Awesome. 0:26:47.440000 --> 0:26:50.020000 And then I also set up routing rules. 0:26:50.020000 --> 0:26:51.440000 Very similar, slightly. 0:26:51.440000 --> 0:26:57.320000 I like the designer look, but it's pretty similar to what we have with an 0:26:57.320000 --> 0:27:00.720000 application gateway. 0:27:00.720000 --> 0:27:02.600000 But there's more to this. 0:27:02.600000 --> 0:27:04.640000 All right. So accepted protocols. 0:27:04.640000 --> 0:27:07.740000 I can select that. Front end domains. 0:27:07.740000 --> 0:27:09.380000 There's my front end domain. 0:27:09.380000 --> 0:27:11.720000 Patterns, everything. 0:27:11.720000 --> 0:27:13.980000 And then just how I want to route it. 0:27:13.980000 --> 0:27:17.760000 Okay. And there we go. 0:27:17.760000 --> 0:27:19.460000 And then I would review and create it. 0:27:19.460000 --> 0:27:20.760000 Now, like I said, I've already done this. 0:27:20.760000 --> 0:27:23.760000 So I'm not going to create it again. 
0:27:23.760000 --> 0:27:27.080000 But what I do want to show you is how that would work. 0:27:27.080000 --> 0:27:30.180000 So if I go to my Front Door. 0:27:30.180000 --> 0:27:32.760000 Okay. My Front Door has a URL. 0:27:32.760000 --> 0:27:37.360000 Awesome. I click that and I get a 403. 0:27:37.360000 --> 0:27:39.620000 Right. I get a 403 because 0:27:39.620000 --> 0:27:41.760000 I am restricting traffic. 0:27:41.760000 --> 0:27:46.900000 Now, unfortunately, when I set up my networking rules for a web app, there's 0:27:46.900000 --> 0:27:49.900000 not an option to just say I want web application firewall, 0:27:49.900000 --> 0:27:52.720000 I mean, excuse me, Front Door. 0:27:52.720000 --> 0:27:55.840000 But fortunately, it is well published. 0:27:55.840000 --> 0:28:00.420000 And in fact, I just kind of did a search, and we'll give this person, 0:28:00.420000 --> 0:28:04.300000 Vincent allows on, who I honestly don't know, 0:28:04.300000 --> 0:28:07.080000 but I just did a quick search because I don't remember the IP address 0:28:07.080000 --> 0:28:07.960000 and his came up first, 0:28:07.960000 --> 0:28:21.580000 so I thought I'd give him a shout out. 0:28:21.580000 --> 0:28:24.500000 And go back to my web app 0:28:24.500000 --> 0:28:28.100000 and allow that in. 0:28:28.100000 --> 0:28:32.220000 So I'm going to go to my web app and go to networking, 0:28:32.220000 --> 0:28:36.200000 and go to access restrictions. 0:28:36.200000 --> 0:28:40.320000 Right. Oh, and by the way, when I added 300, it added a deny rule above that, 0:28:40.320000 --> 0:28:42.700000 which is cool. Now another rule. 0:28:42.700000 --> 0:28:47.540000 And this one is going to be FD, for Front Door, because I'm lazy. 0:28:47.540000 --> 0:28:50.260000 Give this a priority of 400. 0:28:50.260000 --> 0:28:54.080000 It's going to allow, type is IPv4. 0:28:54.080000 --> 0:28:56.720000 And I'm going to put in the CIDR. 0:28:56.720000 --> 0:29:00.220000 And then just add that rule. 
0:29:00.220000 --> 0:29:05.880000 All right. And so now I have, if all goes well, a web app that is protected, 0:29:05.880000 --> 0:29:07.360000 in this case, and this would be redundant. 0:29:07.360000 --> 0:29:11.560000 You wouldn't do this, but I want to show you it's kind of the same process. 0:29:11.560000 --> 0:29:18.160000 I've got a web app that's protected both by an application gateway as well 0:29:18.160000 --> 0:29:21.880000 as a Front Door, in both cases using a web application firewall. 0:29:21.880000 --> 0:29:26.300000 So once again, you know, I can actually just go right there. 0:29:26.300000 --> 0:29:28.380000 I don't need the IP address. 0:29:28.380000 --> 0:29:29.500000 And there we go. 0:29:29.500000 --> 0:29:34.240000 Now, when I click on my Front Door, right now it's getting through. 0:29:34.240000 --> 0:29:39.280000 It's getting through because I set up my networking to allow it. 0:29:39.280000 --> 0:29:42.160000 And that's the combination, when you're talking about security, that you 0:29:42.160000 --> 0:29:45.820000 really need to look at: okay, we have these different components. 0:29:45.820000 --> 0:29:49.120000 How are we going to stitch them together properly to make sure that our 0:29:49.120000 --> 0:29:50.860000 system is as safe as possible?