Gateways
Introduction
Application gateways (AGs) are the entry point for web traffic making requests to our hosted web applications and websites.
Introduction to Application Gateways
An application gateway is a software appliance, or a managed cloud service, that fronts applications hosted on a compute instance, in cloud infrastructure or on an on-premises server and integrates them with Identity and Access Management (IAM) for authentication. It acts as a reverse proxy, protecting web applications by blocking unauthorized network access to the backends. Application gateways also give remote workers access to applications hosted in data centers and cloud platforms, removing the need for a VPN. Key functions of an application gateway:
- Reverse Proxy: The gateway intercepts HTTP requests to applications and ensures users are authenticated with IAM before forwarding the request to the backend. If a user isn't authenticated, the gateway redirects them to the sign-in page for credential validation.
- Load Balancing: Azure Application Gateway, for example, is a web traffic (OSI layer 7) load balancer for managing traffic to web applications. It provides application-level routing and load balancing, which allows reliable and scalable websites and web applications to be built.
- Security: Application gateways reduce risk through request filtering that produces results similar to a firewall, keep traffic logs that help detect malicious activity, and improve the experience of legitimate users by dropping unwanted traffic before it reaches the application. They terminate standard TLS (SSL) so that corporate data crossing the internet is encrypted without requiring special protection on each endpoint.
- Web Application Firewall (WAF): Azure Application Gateway can act as a WAF, monitoring incoming traffic and intercepting malicious requests to protect web applications from known vulnerabilities.
- Traffic Management: An application gateway's routing rules decide which backend receives each request (typically by listener, hostname and URL path) and ensure the response is returned to the client that made the request.
Engagement
Contact CET
Review and Approval
AGs are provisioned as part of a wider application deployment, so no separate creation request is needed.
Standards and Conventions
Broadly, three AG technologies are used:
- Azure Application Gateway (https://learn.microsoft.com/en-us/azure/application-gateway/overview)
- Netscaler (https://docs.netscaler.com/en-us/citrix-adc.html)
- Azure APIM's API Gateway (https://learn.microsoft.com/en-us/azure/api-management/api-management-key-concepts)
and each plays a similar key role in the network infrastructure.
Use
Simply put, an application MUST be deployed with a correctly configured application gateway.
DNS
AGs are normally provisioned with CNAMEs and/or static IP A records. Their DNS record values are dictated by infrastructure management and can change from time to time, so those values should not be used directly in application configurations. Instead they should be abstracted behind a hostname the application team controls (often as part of the wider DNS strategy for the application). As a simple illustration (192.0.2.x is a documentation address range), rather than having something like:
www.example.com. 300 IN CNAME www.example.com.application-infrastructure.net.
www.example.com.application-infrastructure.net. 300 IN A 192.0.2.10
instead it should be something like:
www.example.com. 300 IN CNAME origin.www.example.com.
origin.www.example.com. 300 IN CNAME www.example.com.application-infrastructure.net.
www.example.com.application-infrastructure.net. 300 IN A 192.0.2.10
This is important for maintaining proper control and for insulating production (customer-facing) hostnames from underlying infrastructure changes, migration activities and the like.
The above is a simple illustration. In practice the abstraction approach should be applied broadly, so that an infrastructure change needs a single DNS record update rather than many duplicate updates, especially where one application gateway is referenced by multiple applications. When an application is retired, its alias records should be removed as well rather than left pointing at an infrastructure name that may no longer exist.
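The check below audits a zone for the pattern described above. It is an added example, not code from the original page or from any of the gateway products listed: ZONE is a constructed in-memory zone (name to record) so the script runs offline, and the "origin." alias convention and the ".application-infrastructure.net." suffix are assumptions taken from the illustration. Against live DNS, replace the zone lookup with a resolver query.

```python
"""Audit customer-facing hostnames: each must reach the application gateway only
through an abstraction alias, never by naming the infrastructure record directly,
and the CNAME chain must actually terminate at an address.

Added example, not part of the original page. ZONE is constructed for this
example; INFRA_SUFFIX and the 'origin.' alias convention are assumptions."""

INFRA_SUFFIX = ".application-infrastructure.net."
MAX_HOPS = 8

ZONE = {
    # Good: production name -> origin alias -> infrastructure name -> address
    "www.example.com.": ("CNAME", "origin.www.example.com."),
    "origin.www.example.com.": ("CNAME", "www.example.com.application-infrastructure.net."),
    "www.example.com.application-infrastructure.net.": ("A", "192.0.2.10"),
    # Bad: production name points straight at the infrastructure record
    "shop.example.com.": ("CNAME", "shop.example.com.application-infrastructure.net."),
    "shop.example.com.application-infrastructure.net.": ("A", "192.0.2.11"),
    # Bad: the alias is still present but the infrastructure record has been removed
    "old.example.com.": ("CNAME", "origin.old.example.com."),
    "origin.old.example.com.": ("CNAME", "old.example.com.application-infrastructure.net."),
    # Bad: the alias resolves, but not via the gateway's infrastructure record
    "blog.example.com.": ("CNAME", "origin.blog.example.com."),
    "origin.blog.example.com.": ("A", "192.0.2.50"),
}


def resolve_chain(zone, name, max_hops=MAX_HOPS):
    """Follow CNAMEs from `name`. Returns (names_visited, address); address is
    None when the chain ends at a name with no record (a dangling alias)."""
    chain = [name]
    for _ in range(max_hops):
        rr = zone.get(chain[-1])
        if rr is None:
            return chain, None
        rrtype, value = rr
        if rrtype == "A":
            return chain, value
        if rrtype != "CNAME":
            raise ValueError(f"unexpected record type {rrtype} at {chain[-1]}")
        if value in chain:
            raise ValueError(f"CNAME loop involving {value}")
        chain.append(value)
    raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")


def audit_hostname(zone, hostname, infra_suffix=INFRA_SUFFIX):
    """Return a sorted list of finding codes for one customer-facing hostname."""
    findings = []
    first = zone.get(hostname)
    # The production name must alias an abstraction record, never the infrastructure name.
    if first is not None and first[0] == "CNAME" and first[1].endswith(infra_suffix):
        findings.append("direct-infra-cname")
    chain, address = resolve_chain(zone, hostname)
    if address is None:
        findings.append("dangling-chain")
    # The chain must also terminate at the gateway's infrastructure record.
    elif not chain[-1].endswith(infra_suffix):
        findings.append("does-not-reach-gateway")
    return sorted(findings)


def audit_zone(zone, hostnames):
    """Audit several hostnames at once; empty list means the hostname is compliant."""
    return {h: audit_hostname(zone, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["www.example.com.", "shop.example.com.", "old.example.com.", "blog.example.com."]
    for host, findings in audit_zone(ZONE, hosts).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

Run it as part of a DNS change review: a "direct-infra-cname" finding means a production hostname will break on the next infrastructure change, and a "dangling-chain" finding means an alias has outlived the record it pointed at.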
Certificates
See certificates for fuller details; in summary, AG certificates must follow the certificate standards.
Traffic Management
Any configuration should only be introduced once the wider approach for the application's traffic is clearly defined. This approach should include:
- hostnames used
- URL paths used
- use of CDNs, GTM, etc.
- other applications (and hence other AGs) in operation
It is important to note that an AG, whilst excellent at traffic management, is for infrastructure use. It should not be seen as a substitute for a proper traffic management solution for content-based redirection arising from changes to content or entire websites, which may need to support thousands of URL redirects requested by content owners.
Architecture and Design
Patterns
Security
Application gateways enhance network security through a variety of features:
- Authentication and Access Control: Application gateways integrate with Identity and Access Management (IAM) systems to enforce strong authentication and access control policies, ensuring only authorized users can access sensitive applications and data.
- Web Application Firewall (WAF): Many application gateways have built-in WAF capabilities that protect against common web vulnerabilities like SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. The WAF monitors incoming traffic and intercepts malicious activities, providing centralized protection from known vulnerabilities.
- Application-Level Filtering: Application gateways filter traffic at the application level, inspecting HTTP/HTTPS requests to provide granular control over the traffic entering and leaving the network.
- SSL/TLS Termination: Application gateways terminate TLS, so traffic between clients and the gateway is encrypted, protecting data in transit. Because the gateway holds the certificate's private key and sees requests in plaintext, traffic from the gateway to the backend should be re-encrypted (end-to-end TLS) unless the backend network is explicitly trusted.
- Traffic Filtering: Application gateways filter incoming traffic so that only permitted requests reach the backend network, adding an extra layer of protection.
- Protection against Common Web Attacks: Application Gateways offer protection against command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion, as well as HTTP protocol violations and anomalies.
- Customizable Rules: Application gateways allow for the customization of WAF rules and rule groups to suit specific application requirements and eliminate false positives, and the creation of custom rules to suit the specific needs of applications.
- Geo-filtering: Application gateways include geo-filtering capabilities to allow or block traffic from certain countries/regions.
- Bot Mitigation: Application gateways can protect applications from malicious bots using bot mitigation rulesets.
- Monitoring and Logging: Application gateways integrate with monitoring and logging services, providing visibility into traffic patterns, performance metrics and potential security threats. They also produce real-time WAF logs, which in Azure are integrated with Azure Monitor to track WAF alerts and monitor trends.
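A first-pass triage of the WAF logs mentioned above, showing the three things an operator usually wants from them: clients to escalate, requests a detection-mode WAF let through, and rules whose matches are so widespread they need a false-positive review before tuning (the customizable-rules point above). This is an added example, not code from the original page or from Azure; the lines in SAMPLE_LOG are constructed for this example in the general shape of Azure Application Gateway ApplicationGatewayFirewallLog records, and the field names (clientIp, requestUri, ruleId, action, hostname) and action values (Blocked, Matched, Detected) are assumptions to be mapped onto your own log export.

```python
"""Triage WAF log entries emitted by an application gateway.

Added example, not code from the original page or from Azure. SAMPLE_LOG is
constructed; field and action names are assumed and must be mapped to the real
export. One JSON record per line, as diagnostic exports commonly arrive."""

import json
from collections import Counter, defaultdict

SAMPLE_LOG = r"""
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "203.0.113.7", "requestUri": "/search?q=1%27%20OR%201%3D1--", "ruleId": "942100", "action": "Blocked", "hostname": "www.example.com"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "203.0.113.7", "requestUri": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "ruleId": "941100", "action": "Blocked", "hostname": "www.example.com"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "203.0.113.7", "requestUri": "/login", "ruleId": "942100", "action": "Blocked", "hostname": "www.example.com"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "198.51.100.20", "requestUri": "/api/items", "ruleId": "920350", "action": "Matched", "hostname": "www.example.com"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "198.51.100.21", "requestUri": "/api/items", "ruleId": "920350", "action": "Matched", "hostname": "www.example.com"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "198.51.100.22", "requestUri": "/api/items", "ruleId": "920350", "action": "Matched", "hostname": "www.example.com"}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "192.0.2.44", "requestUri": "/files?path=../../etc/passwd", "ruleId": "930100", "action": "Detected", "hostname": "shop.example.com"}}
{"category": "ApplicationGatewayAccessLog", "properties": {"clientIp": "192.0.2.44", "requestUri": "/", "httpStatus": 200}}
"""


def parse_waf_log(text):
    """Parse one JSON record per line, keeping only WAF (firewall) entries."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("category") != "ApplicationGatewayFirewallLog":
            continue  # access logs and other categories are out of scope here
        p = record["properties"]
        events.append({"client": p["clientIp"], "uri": p["requestUri"],
                       "rule": p["ruleId"], "action": p["action"], "host": p["hostname"]})
    return events


def clients_to_escalate(events, min_blocks=3):
    """Clients the WAF blocked at least min_blocks times: candidates for an
    IP-level block at the gateway or for investigation."""
    blocked = Counter(e["client"] for e in events if e["action"] == "Blocked")
    return sorted(c for c, n in blocked.items() if n >= min_blocks)


def detection_mode_hits(events):
    """Requests a detection-mode WAF logged but did not stop. The backend
    received these, so each one needs confirming as harmless (or the policy
    needs switching to prevention mode)."""
    return [(e["client"], e["host"], e["uri"]) for e in events if e["action"] == "Detected"]


def widespread_rules(events, min_clients=3):
    """Rules matched by at least min_clients distinct clients on one host.
    Either a broad campaign or a false positive on a legitimate path; review
    before writing an exclusion, never tune blindly."""
    clients_by_rule = defaultdict(set)
    for e in events:
        if e["action"] in ("Matched", "Blocked"):
            clients_by_rule[(e["rule"], e["host"])].add(e["client"])
    return sorted(rule for (rule, _host), clients in clients_by_rule.items()
                  if len(clients) >= min_clients)


if __name__ == "__main__":
    evts = parse_waf_log(SAMPLE_LOG)
    print("escalate:", clients_to_escalate(evts))
    print("detection-mode hits:", detection_mode_hits(evts))
    print("rules to review:", widespread_rules(evts))
```

Thresholds are illustrative; in a real deployment they belong in the detection rule alongside the gateway's own logs, and the same aggregation is what an Azure Monitor query over the firewall log category would express.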
Implementation
AG setup is carried out only by trained networking and infrastructure teams.