Forum Discussion
Do I need a Firewall and WAF for Website HTTPS traffic only
After more research, I understand the differences between Azure Firewall and NSGs: I wrongly assumed they were one and the same.
NSGs are good for network layer traffic filtering to resources within VNETs in each subscription.
A firewall is stateful and provides a centralized service that can be applied to both network and application layer protection across subscriptions and networks: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
The Azure Firewall complements NSGs, providing defense-in-depth protection.
Question: Does your web service warrant the more granular protections provided by Azure Firewall?
Hi Darrick,
Sure, no worries. Yes, NSGs provide network layer protection, which helps, but additional security is needed for sure from a web application perspective.
So yes, I could use a FW; however, from my investigation, FWs provide protection from layer 3-7; however, they still fall short re: the latest security attacks such as SQL injection and cross-site scripting. So Microsoft and other vendors have been deploying "Application Gateway with Web App Firewall", aka WAFs, to address this higher layer 7 traffic. WAFs only deal with HTTP/S and WebSockets (both over HTTP using ports 80/443).
So if we only allow layer 7 protocols, do I really need the FW when the WAF handles that? I believe WAFs also provide that defense in depth and work in conjunction with the NSGs I have set up for front end and back end subnets.
Re: your final question, if we're only dealing with HTTP traffic and the WAF is handling that, does the FW actually provide any other value re: protection?
I'm just trying to find anyone out there who has a web application that is implementing both a FW and WAF. Seems to be one or the other, but it seems WAFs have been developed to specifically address layer 7 traffic only.
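The layer distinction discussed in this thread, as an added illustration that is not from either poster or from Azure: a port-based NSG-style filter and a layer 7 inspector evaluate the same constructed requests and reach different verdicts. The rule tuples, the two patterns and the sample flows are assumptions made for the example and are far simpler than a real WAF rule set.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

@dataclass
class Flow:
    src: str
    proto: str
    dst_port: int
    request_line: str  # HTTP content; a 5-tuple filter never looks at this

# Hypothetical NSG-style rules: (priority, proto, dst_port, action).
# Lowest priority number is evaluated first; first match wins.
NSG_RULES = [(4096, "*", None, "Deny"), (100, "Tcp", 443, "Allow")]

def nsg_decision(flow):
    """Layer 3/4 verdict: only protocol and destination port are consulted."""
    for _prio, proto, port, action in sorted(NSG_RULES, key=lambda r: r[0]):
        if proto in ("*", flow.proto) and port in (None, flow.dst_port):
            return action
    return "Deny"

# Simplified layer 7 patterns (assumption: TLS is terminated at the WAF,
# so the decoded request line is available for inspection).
L7_PATTERNS = {
    "sql-injection": re.compile(r"['\"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "cross-site-scripting": re.compile(r"<\s*script\b|\bon\w+\s*=", re.I),
}

def waf_decision(flow):
    """Layer 7 verdict: URL-decode the request line and match attack patterns."""
    decoded = unquote_plus(flow.request_line)
    hits = [name for name, rx in L7_PATTERNS.items() if rx.search(decoded)]
    return ("Block", hits) if hits else ("Allow", [])

# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "Tcp", 443, "GET /products?id=42 HTTP/1.1"),
    Flow("203.0.113.11", "Tcp", 443, "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1"),
    Flow("203.0.113.12", "Tcp", 443, "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"),
    Flow("203.0.113.13", "Tcp", 22, ""),
]

def evaluate(flows):
    """Return (nsg verdict, waf verdict, matched patterns) for each flow."""
    return [(nsg_decision(f), *waf_decision(f)) for f in flows]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(flow.dst_port, flow.request_line or "(non-HTTP)", "->", verdict)
```

The port filter allows all three requests on 443 and only stops the port 22 flow; the two requests carrying injection and script content are separated from the benign one only at layer 7.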