Azure Application Gateway

Quick post on some learnings I had while working with the Azure Application Gateway. In a nutshell, the Azure Application Gateway can act as a load balancer as well as a web application firewall. To learn all about Application Gateway, visit here.

This post is not so much about the Azure Application Gateway itself as about a few nuances I encountered while configuring a gateway in front of a few web applications.

First, the application gateway supports multi-site hosting. In other words, I can put the gateway in front of http://www.sitea.com as well as http://www.siteb.com. Similarly, I can put the gateway in front of http://www.mysite.com as well as subdomain.mysite.com. The information on how to do multi-site hosting can be found here. One aspect of multi-site hosting is that listeners are selected by the HTTP host header. The problem I was facing was that I had a few sites on the same domain but different subdomains. I could set up listeners for http://www.domain.com as well as sub.domain.com, but how would I set up a listener for just domain.com? Well, Azure Application Gateway supports doing redirects. They can be configured using the Azure PowerShell script below. It adds a listener for the bare domain.com host header and a rule that permanently redirects any traffic arriving at the gateway for domain.com to https://www.domain.com.


# Fill these in to match your environment.
$GateWayName = "<NAME>"
$RgName = "<ResourceGroupName>"
$FrontEndIPName = "<FrontEndIPName>"
$FrontEndPort = "<FrontEndPort>"        # name of an existing frontend port configuration (e.g. port 80)
$RedireListener = "<RedireListener>"    # name for the new listener on the bare domain

# Load the gateway plus the existing frontend IP and port the new listener should use.
$gw = Get-AzureRmApplicationGateway -Name $GateWayName -ResourceGroupName $RgName
$fip = Get-AzureRmApplicationGatewayFrontendIPConfig -Name $FrontEndIPName -ApplicationGateway $gw
$fport = Get-AzureRmApplicationGatewayFrontendPort -Name $FrontEndPort -ApplicationGateway $gw

# Multi-site listener keyed on the host header for the bare domain.
Add-AzureRmApplicationGatewayHttpListener -ApplicationGateway $gw -Name $RedireListener -FrontendIPConfiguration $fip -FrontendPort $fport -HostName domain.com -Protocol Http
$listener = Get-AzureRmApplicationGatewayHttpListener -Name $RedireListener -ApplicationGateway $gw

# Permanent (301) redirect to the www host over HTTPS.
Add-AzureRmApplicationGatewayRedirectConfiguration -Name RedirectTowww -RedirectType Permanent -TargetUrl https://www.domain.com -ApplicationGateway $gw
$redirectconfig = Get-AzureRmApplicationGatewayRedirectConfiguration -Name RedirectTowww -ApplicationGateway $gw

# Routing rule that sends the listener's traffic to the redirect instead of a backend pool.
Add-AzureRmApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name domain-to-www -RuleType Basic -HttpListener $listener -RedirectConfiguration $redirectconfig

# Nothing above is applied until the gateway is updated.
Set-AzureRmApplicationGateway -ApplicationGateway $gw


The next thing I discovered was that by default the Azure Application Gateway accepts TLS 1.0. In my opinion this should not be the default setting. I discovered this by running a PCI scan and seeing that my scan failed due to TLS 1.0 being enabled. The good news is there is a way to change the SSL policy of the gateway. You can create your own custom policy, but Microsoft also ships three pre-defined policies. The following script applies a pre-defined policy that disables TLS 1.0.


# You have to change these parameters to match your environment.
$AppGWname = "YourAppGwName"
$RG = "YourResourceGroupName"
$AppGw = Get-AzureRmApplicationGateway -Name $AppGWname -ResourceGroupName $RG
# SSL pre-defined policy: AppGwSslPolicy20170401 does not accept TLS 1.0.
Set-AzureRmApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName "AppGwSslPolicy20170401" -ApplicationGateway $AppGw
# Update AppGW
# The SSL policy options are not validated or updated on the Application Gateway until this cmdlet is executed.
$SetGW = Set-AzureRmApplicationGateway -ApplicationGateway $AppGw
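Added example (not from the original post): before re-running the PCI scan it is worth reading the policy back from Azure and checking the minimum protocol, because the default policy shows up as no policy at all and a pre-defined policy only carries a name, not a version. This script applies the same pre-defined policy as above and then resolves the effective minimum TLS version. It assumes the AzureRM.Network module, an existing sign-in, and placeholder gateway and resource group names; the custom-policy alternative in the comment is my addition and is not discussed on the page.

```powershell
# Added example: apply a pre-defined SSL policy and verify that TLS 1.0 is no longer accepted.
# Assumes the AzureRM.Network module and that Login-AzureRmAccount has already been run.
$AppGWname  = "YourAppGwName"          # placeholder
$RG         = "YourResourceGroupName"  # placeholder
$PolicyName = "AppGwSslPolicy20170401" # pre-defined policy used in the post

$AppGw = Get-AzureRmApplicationGateway -Name $AppGWname -ResourceGroupName $RG

# What is in effect right now? $null means no explicit policy, i.e. the default, which allows TLS 1.0.
$current = Get-AzureRmApplicationGatewaySslPolicy -ApplicationGateway $AppGw
if ($null -eq $current) {
    Write-Output "No explicit SSL policy set; the default policy (TLS 1.0 allowed) is in use."
} else {
    Write-Output ("Current policy: type={0} name={1} min={2}" -f $current.PolicyType, $current.PolicyName, $current.MinProtocolVersion)
}

# Inspect the pre-defined policy before applying it: minimum protocol and cipher suite list.
$predefined = Get-AzureRmApplicationGatewaySslPredefinedPolicy -Name $PolicyName
Write-Output ("{0}: minimum protocol {1}, {2} cipher suites" -f $predefined.Name, $predefined.MinProtocolVersion, $predefined.CipherSuites.Count)

# Apply the policy. Set-AzureRmApplicationGateway is what validates and saves it to Azure.
$AppGw = Set-AzureRmApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName $PolicyName -ApplicationGateway $AppGw
$AppGw = Set-AzureRmApplicationGateway -ApplicationGateway $AppGw

# Alternative (assumed, not from the post): a custom policy when no pre-defined set fits,
# e.g. TLS 1.2 only with two ECDHE/GCM suites:
# Set-AzureRmApplicationGatewaySslPolicy -PolicyType Custom -MinProtocolVersion TLSv1_2 `
#     -CipherSuite "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" -ApplicationGateway $AppGw

# Re-read the saved policy. A Predefined policy is stored by name only, so resolve its
# minimum version through the pre-defined policy definition; a Custom policy carries it directly.
$applied = Get-AzureRmApplicationGatewaySslPolicy -ApplicationGateway $AppGw
$minVersion = if ($applied.PolicyType -eq 'Predefined') {
    (Get-AzureRmApplicationGatewaySslPredefinedPolicy -Name $applied.PolicyName).MinProtocolVersion
} else {
    $applied.MinProtocolVersion
}

if ($minVersion -in @('TLSv1_1', 'TLSv1_2')) {
    Write-Output "OK: minimum protocol is $minVersion; TLS 1.0 is disabled."
} else {
    Write-Warning "Minimum protocol is '$minVersion'; TLS 1.0 may still be accepted."
}
```

The check accepts TLSv1_1 or TLSv1_2 because the post's goal is removing TLS 1.0; a policy that only reaches TLS 1.1 still satisfies that, but if a scanner also flags TLS 1.1 the same script works with the condition tightened to TLSv1_2 and a policy whose minimum is TLS 1.2. Reading the policy back from Azure rather than trusting the local `$AppGw` object is the point: it confirms the update actually landed on the gateway.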
