Implementing Firewall for function apps with inbound HTTPS traffic


Hi Team,

 

We are looking to implement an Azure Firewall for filtering inbound HTTPS traffic to Azure Function Apps hosted in a Premium App Service plan. Is it possible to use Azure Firewall for this, or should we be using Azure Web Application Firewall?

 

Thanks,

Pavan.

5 Replies
Typically you want to use WAF for that scenario. If using AzFW Premium, the main problem you will find is that with TLS inspection it will replace the public cert of Azure Functions with a self-signed one. If not using TLS inspection, the AzFW offers little added value from a security perspective IMHO.

@pavanpavuluri 

 

Hi,

Azure Firewall operates at layer 4 while WAF operates at layer 7. Since you want to filter HTTPS traffic, WAF is more suitable.

You can also find this in the FAQ:

Does Azure Firewall support inbound traffic filtering?

Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols. For example RDP, SSH, and FTP protocols. For best inbound HTTP/S protection, use a web application firewall such as Azure Web Application Firewall (WAF).

 

Ref: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq

That is not entirely correct: AzFW Premium with features such as TLS Inspection or IDPS operates at layer 7 as well.

I'm only referring to Azure Firewall, not Premium, because it's still in preview (correct me if I'm wrong) and therefore not recommended for production use. Even if it operates at layer 7, I don't get the point of using a firewall instead of WAF unless you tell me that it can protect from the OWASP Top 10 vulnerabilities and provide load balancing options as Application Gateway does.

I would suggest using Azure Front Door with a WAF policy; it's a globally resilient resource compared with the regional Application Gateway, and also less expensive, or at least without such high static monthly costs. Don't forget to add IP restrictions with the FDID header value on App Service; then you would achieve the Nirvana of security. :) Azure Firewall is more suitable for outbound scanning; however, the new Premium preview SKU supports scenarios with Layer 7 and inbound.
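The last reply's "IP restrictions with the FDID header value on App Service" is the step that stops callers from bypassing Front Door (and its WAF) by hitting the function app's *.azurewebsites.net hostname directly. On the platform this is an App Service access restriction rule scoped to the AzureFrontDoor.Backend service tag together with an X-Azure-FDID header match. The block below is an added example, not code from the thread, that mirrors that pair of checks as a defence-in-depth filter a Python function could run itself. The address prefixes are constructed documentation ranges standing in for the real service tag, and the expected Front Door ID is a placeholder; both are assumptions.

```python
"""Added example (not from the thread): mirror the two App Service access-
restriction checks used to pin a function app to one Azure Front Door
profile: (1) the request arrives from Front Door's backend address space,
and (2) it carries an X-Azure-FDID header equal to our own profile ID.
"""
import ipaddress
from typing import Iterable, Mapping, Tuple

# Constructed placeholders standing in for the AzureFrontDoor.Backend service
# tag. These are documentation ranges (RFC 5737 / RFC 3849), not Front Door's;
# a real deployment pulls the current prefixes from Azure's service tag feed.
FRONT_DOOR_BACKEND_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:fd00::/48"),
]

# Hypothetical Front Door profile ID; Front Door injects its own ID into
# X-Azure-FDID on every request it forwards. Read the real one from config.
EXPECTED_FDID = "11111111-2222-3333-4444-555555555555"


def request_allowed(
    client_ip: str,
    headers: Mapping[str, str],
    expected_fdid: str = EXPECTED_FDID,
    prefixes: Iterable = FRONT_DOOR_BACKEND_PREFIXES,
) -> Tuple[bool, str]:
    """Return (allowed, reason).

    client_ip must be the TCP peer address of the connection, never a value
    parsed out of X-Forwarded-For, which any caller can set.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"

    # The header check alone is forgeable: any Internet client can send
    # X-Azure-FDID. Only traffic from Front Door's own address space can
    # be trusted to carry the header Front Door set.
    if not any(addr in net for net in prefixes):
        return False, "source address not in Front Door backend ranges"

    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    fdid = lowered.get("x-azure-fdid")
    if fdid is None:
        return False, "missing X-Azure-FDID header"

    # A request from Front Door's ranges but with another profile's ID means
    # someone else's Front Door was pointed at this app; reject it too.
    if fdid.strip() != expected_fdid:
        return False, "X-Azure-FDID belongs to a different Front Door profile"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests illustrating each decision path.
    samples = [
        ("192.0.2.10", {"X-Azure-FDID": EXPECTED_FDID}),          # via our Front Door
        ("198.51.100.7", {"X-Azure-FDID": EXPECTED_FDID}),        # forged header, direct hit
        ("192.0.2.10", {}),                                       # from FD ranges, no header
        ("192.0.2.10", {"x-azure-fdid": "99999999-0000-0000-0000-000000000000"}),
        ("2001:db8:fd00::5", {"X-AZURE-FDID": EXPECTED_FDID}),    # IPv6 path, odd header case
    ]
    for ip, hdrs in samples:
        allowed, reason = request_allowed(ip, hdrs)
        print(f"{ip:>18}  {'ALLOW' if allowed else 'DENY ':5}  {reason}")
```

The platform rule is still the primary control; this filter only catches a misconfigured or missing access restriction and gives the function a place to log bypass attempts. Note that it deliberately reads the peer address rather than X-Forwarded-For, since the whole point of the check is that the header alone proves nothing.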