PDorenberg
Apr 25, 2019 (Copper Contributor)
Do I need a Firewall and WAF for Website HTTPS traffic only
Hello Azure Community,
I'm looking for some advice or feedback around the need to deploy a Firewall and WAF for a website-only solution that uses HTTPS and WebSockets on an IaaS platform leveraging Windows Server, IIS and SQL Server.
I've had a couple of comments/suggestions that I should be deploying a Firewall as well, suggesting that a WAF isn't sufficient enough to prevent attacks such as SQL injection.
Given that adding a firewall to the solution adds substantial dollars to the monthly bill, I'm looking for any other feedback in terms of how secure a WAF is for layer 7 traffic or what others are deploying for website-only traffic, i.e., WAF only or FW and WAF?
To be clear, this isn't necessarily about the dollars but rather is a client throwing money out the door with the addition of the FW when a WAF will do?
Thanks in advance,
Paul
6 Replies
- Abhishek_srivastava (Copper Contributor)
I have helped deploy a similar solution. If you apply IP restrictions for the use of the site just to your customer's IP sets and other protocol restrictions at the NSG level, then along with WAF and SSL it works pretty nicely.
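Added example, not part of the thread or of any poster's deployment: a small Python check of the NSG setup described in the reply above, which evaluates inbound rules in priority order and lists Allow rules that are open to any source. The rule names, addresses and the `decide` / `open_to_any` helpers are hypothetical, the sample is constructed in the shape of `az network nsg rule list -o json` output, and protocol matching and service tags other than `Internet` are not modelled.

```python
import ipaddress

# Constructed sample shaped like `az network nsg rule list -o json` output.
# Rule names and addresses (documentation ranges) are invented for this example.
RULES = [
    {"name": "allow-customer-https", "priority": 100, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefixes": ["203.0.113.0/24", "198.51.100.10"],
     "destinationPortRange": "443"},
    {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "deny-all-inbound", "priority": 4096, "direction": "Inbound",
     "access": "Deny", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
ANY = {"*", "Internet", "0.0.0.0/0"}  # assumption: treat the Internet tag as "any"

def sources(rule):
    single = rule.get("sourceAddressPrefix")
    return list(rule.get("sourceAddressPrefixes") or []) + ([single] if single else [])

def source_matches(rule, ip):
    for prefix in sources(rule):
        if prefix in ANY:
            return True
        try:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # other service tags are not modelled in this sketch
    return False

def port_matches(rule, port):
    ranges = list(rule.get("destinationPortRanges") or [])
    ranges.append(rule.get("destinationPortRange") or "")
    for r in filter(None, ranges):
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(rules, ip, port):
    """First matching inbound rule in priority order wins (protocol ignored)."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for r in inbound:
        if source_matches(r, ip) and port_matches(r, port):
            return r["access"], r["name"]
    return "Deny", "no-match"  # stands in for the platform's default deny

def open_to_any(rules):
    """Names of inbound Allow rules whose source is not restricted."""
    return [r["name"] for r in rules if r["direction"] == "Inbound"
            and r["access"] == "Allow" and ANY & set(sources(r))]
```

In the constructed sample, HTTPS is reachable only from the listed customer ranges, while the RDP rule is the kind of unrestricted Allow that `open_to_any` is meant to surface.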
- PDorenberg (Copper Contributor)
Hi Abhishek,
Yes, that was my thinking as well; however, one of my clients seems determined to add FW into the mix as well. Perhaps once I tell them how much it will cost, they may change their minds.
So it sounds like neither you nor Darrick see the need for additional FW?
- Darrick (Brass Contributor)
After more research, I understand the differences between Azure Firewall and NSGs: I wrongly assumed they were one and the same.
NSGs are good for network layer traffic filtering to resources within VNETs in each subscription.
A firewall is stateful and provides a centralized service that can be applied to both network and application layer protection across subscriptions and networks: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
The Azure Firewall complements NSGs, providing defense-in-depth protection.
Question: Does your web service warrant the more granular protections provided by Azure Firewall?
https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
- Darrick (Brass Contributor)
How would adding a firewall add significantly to your monthly bill?
I would think adding strategically placed Network Security Groups to your solution would give you additional adequate protection without significant cost.
- PDorenberg (Copper Contributor)
Hi there Darrick,
Thanks for your response.
The Firewall appears to be just over $900 US; converted to Canadian, that's close to $1,200 per month.
The 2 WAFs cost $280 CDN per month (have to deploy 2).
The rest of the solution uses a couple of front-end and back-end subnets (with NSGs) and a couple of burstable VMs in each subnet, which are also quite cheap.
Looks like the FW alone costs more per month than the rest of this lightweight 2-tiered web app total solution.
So if WAF does the job, seems like adding the FW will more than double the costs, but not sure it's adding equivalent value (as we're only using HTTPS).