Thanks for the video!! I was stuck trying to migrate the WAF policy over to the Appgateway thru the Azure Portal. Until I saw this video and used the script!! Thank you so much!
@@CloudInspired Have a presentation on this tomorrow for work hence why I needed it. Only problem I have is getting something to test the WAF. I have 2 VMs running with IIS in the backend but not sure what to use for say a SQL injection or xss.
Thanks for the video. i was stuck trying to configure https. already change HTTP protocol to HTTPS on both side, but the health probe still error (when i use HTTP is working). can you create video how to configure HTTPS?
Hi Tinu, WAF is a feature of the Azure Application Gateway. The App Gateway provides web traffic load balancing that provides application layer (OSI level 7) load balancing. Application Gateway is a layer 7 load balancer, which means it works only with web traffic (HTTP, HTTPS, WebSocket, and HTTP/2). Load Balancing is built into the Application Gateway by default using an algorithm to provide load balance services. Azure Application Gateway provides web-application firewall capabilities along with load balancing, and can redistribute traffic based on HTTP request attributes. Using a different load balancer would depend on your configuration, some factor to consider (not limited to) the load balancer you are using and location, endpoints (external, internal, location), application, how you route traffic to backend pools or VM scale sets etc. High availability, performance, scalability would also need to be taken into consideration together with application support. Would suggest setting up WAF and testing with your configuration and application in a test environment and running as a proof of concept.
Hello, are you using the Azure Cloud Shell (powershell) within the Azure portal under your subscription to run the script? All I did was from the Microsoft site under docs.microsoft.com/en-us/azure/web-application-firewall/ag/migrate-policy clicked "Try it" where the script is located on that page to open and login to the Azure Cloud Shell within the portal for your subscription. Then copied and pasted the WAF migration script from the Microsoft site into the portal to run it. That worked OK for me. Did you get any errors?
It might be worth checking the following in the Microsoft WAF policies document docs.microsoft.com/en-us/azure/web-application-firewall/ag/migrate-policy under the "Note" section to see if this applies to your WAF configuration: The script does not complete a migration if the following conditions exist: An entire rule is disabled. To complete a migration, make sure an entire rulegroup is not disabled. An exclusion entry(s) with the Equals any operator. To complete a migration, make sure exclusion entries with Equals Any operator is not present. For more information, see the ValidateInput function in the script.
Hello Dane, Thank you for your comment. When you create a routing rule, instead of HTTP choose HTTPS as the protocol and 443 as the port. Also when adding a HTTP setting choose backend protocol as HTTPS, backed port 443. For the NSG firewall (WAF-NSG for the example in this video), allow port 443 to your VMs or webservice on the backend subnet.
During this video tutorial, HTTP was only configured therefore no certificates were required. PFX certificates can be installed on the Application Gateway for SSL. The listener is configured as part of the routing rule. This guide should point you in the right direction to configure HTTPS including certificates docs.microsoft.com/en-us/azure/application-gateway/create-ssl-portal
Please refer to the following to see if helps in your scenario? docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal
Thanks for the video!! I was stuck trying to migrate the WAF policy over to the Appgateway thru the Azure Portal. Until I saw this video and used the script!! Thank you so much!
No problem, glad it helped you out!
@@CloudInspired Have a presentation on this tomorrow for work hence why I needed it. Only problem I have is getting something to test the WAF. I have 2 VMs running with IIS in the backend but not sure what to use for say a SQL injection or xss.
Great video, clear content and wel explained
Thanks Ian. Glad it was helpful!
Can i please get web app code or something which can be helpful?
Hi! Thanks for the video. I've run into some issues where the WAF allows in some IPs but not others. Why do you think this is happening?
good explanation
Thanks and welcome Charles
Very good explaniation👍
Thanks Graham, glad you like it.
Great video. Thank you for sharing
Thanks for watching Ray!
my hero!
Thanks!
Thanks for the video. i was stuck trying to configure https. already change HTTP protocol to HTTPS on both side, but the health probe still error (when i use HTTP is working). can you create video how to configure HTTPS?
Hello, at the routing rule creation (around 06:39) you would need to choose HTTPS for the backend pool and then open up 443 on the NSG firewall.
I already have a load balancer ,so is it okay if i am having a WAF but load balancing is done by a load balancer?
Hi Tinu, WAF is a feature of the Azure Application Gateway.
The App Gateway provides web traffic load balancing that provides application layer (OSI level 7) load balancing.
Application Gateway is a layer 7 load balancer, which means it works only with web traffic (HTTP, HTTPS, WebSocket, and HTTP/2). Load Balancing is built into the Application Gateway by default using an algorithm to provide load balance services. Azure Application Gateway provides web-application firewall capabilities along with load balancing, and can redistribute traffic based on HTTP request attributes.
Using a different load balancer would depend on your configuration, some factor to consider (not limited to) the load balancer you are using and location, endpoints (external, internal, location), application, how you route traffic to backend pools or VM scale sets etc. High availability, performance, scalability would also need to be taken into consideration together with application support. Would suggest setting up WAF and testing with your configuration and application in a test environment and running as a proof of concept.
Thank you
You're welcome Bijou
THANK YOU!!!
You're welcome!
Great video, but after I run the script there's nothing under MAIN at the prompt and there's no WAF created or associated to the gateway. Any ideas?
Hello, are you using the Azure Cloud Shell (powershell) within the Azure portal under your subscription to run the script? All I did was from the Microsoft site under docs.microsoft.com/en-us/azure/web-application-firewall/ag/migrate-policy clicked "Try it" where the script is located on that page to open and login to the Azure Cloud Shell within the portal for your subscription.
Then copied and pasted the WAF migration script from the Microsoft site into the portal to run it.
That worked OK for me. Did you get any errors?
@@CloudInspired No errors, just gets to the Main at the prompt and nothing loads after main.
It might be worth checking the following in the Microsoft WAF policies document docs.microsoft.com/en-us/azure/web-application-firewall/ag/migrate-policy under the "Note" section to see if this applies to your WAF configuration:
The script does not complete a migration if the following conditions exist:
An entire rule is disabled. To complete a migration, make sure an entire rulegroup is not disabled.
An exclusion entry(s) with the Equals any operator. To complete a migration, make sure exclusion entries with Equals Any operator is not present.
For more information, see the ValidateInput function in the script.
@@oghockey1958 Hit Enter!
@@IceBluemarketingandd Worked for me too!! Asked me if I wanted to overwrite my existing WAF policy. Then boom!!
Hey Fantastic video. Quick Question any idea how to allow HTTPS through--?
Hello Dane, Thank you for your comment.
When you create a routing rule, instead of HTTP choose HTTPS as the protocol and 443 as the port.
Also when adding a HTTP setting choose backend protocol as HTTPS, backed port 443.
For the NSG firewall (WAF-NSG for the example in this video), allow port 443 to your VMs or webservice on the backend subnet.
@@CloudInspiredok--- did you install certs or PFX file on any of the settings?
Listeners? as as well
During this video tutorial, HTTP was only configured therefore no certificates were required.
PFX certificates can be installed on the Application Gateway for SSL.
The listener is configured as part of the routing rule.
This guide should point you in the right direction to configure HTTPS including certificates
docs.microsoft.com/en-us/azure/application-gateway/create-ssl-portal
Why did you create NSG when you have a WAF? :)
This is to lock down network access. Created an NSG for the WAG/WAF subnet and restrict the traffic to that subnet.
how to publish any site in azure waf?
Please refer to the following to see if helps in your scenario?
docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal