Secure a VM-based web server sitting behind Azure Front Door + WAF from the internet

Hi All

I have a web server that's running on a VM inside Azure. The server is exposed to the internet through an NGINX reverse proxy and a public IP address.


For added security, I've set up an Azure Front Door, incorporating an Azure Web Application Firewall (WAF), which works fine so far.


My issue is that I can't see how I'm supposed to stop internet traffic connecting directly to my internet-facing NGINX proxy. Without putting restrictions in place (I'm not sure what these would be), there's no reason for anyone to access the server via AFD as they could just go straight to the server. This completely defeats the purpose of AFD + WAF (apart from load balancing, etc. features which I'm not using).


Has anyone worked this out? It doesn't appear as though Microsoft has thought this through???


Cheers,

Josh


1 Reply

@JRSSA What you could do to prevent connections directly to your VM is to use NSGs. You could specifically prevent traffic from the Internet (using NSG Service Tags) and then create another rule (with higher priority) to accept connections from Azure Front Door. You can find the IP addresses here: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door


Hope you find this useful.


Cheers
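The NSG rule pair the reply describes, as an added example that is not part of the thread: an Allow rule for the AzureFrontDoor.Backend service tag at a lower priority number than a Deny rule for the Internet service tag, rendered as ARM-style securityRules, with a small evaluator that applies them the way the NSG engine does so the ordering requirement is visible. The rule names and the evaluator are assumptions of this example; the service tags are real Azure tags.

```python
# Added example: NSG rules locking an NGINX VM's inbound traffic to Azure Front Door.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096; the lowest number is evaluated first
    access: str          # "Allow" or "Deny"
    source: str          # service tag, CIDR, or "*"
    dest_ports: tuple    # destination ports, or ("*",) for all

# Inbound rules for the VM's NIC/subnet. Rule names are our own choice.
INBOUND_RULES = [
    Rule("AllowFrontDoorBackend", 100, "Allow", "AzureFrontDoor.Backend", (80, 443)),
    Rule("DenyInternetInbound", 200, "Deny", "Internet", ("*",)),
]

def to_arm(rule: Rule) -> dict:
    """Render one rule as a Microsoft.Network/networkSecurityGroups/securityRules item."""
    props = {
        "priority": rule.priority,
        "direction": "Inbound",
        "access": rule.access,
        "protocol": "*" if rule.dest_ports == ("*",) else "Tcp",
        "sourceAddressPrefix": rule.source,   # a service tag is a valid prefix
        "sourcePortRange": "*",
        "destinationAddressPrefix": "*",
    }
    if rule.dest_ports == ("*",):
        props["destinationPortRange"] = "*"
    else:
        props["destinationPortRanges"] = [str(p) for p in rule.dest_ports]
    return {"name": rule.name, "properties": props}

def _source_matches(rule_source: str, source_tag: str) -> bool:
    # The Internet tag covers every public-space source, which includes Front Door's
    # own addresses; that is why the Allow rule must carry the lower priority number.
    if rule_source in ("*", source_tag):
        return True
    return rule_source == "Internet" and source_tag != "VirtualNetwork"

def evaluate(rules, source_tag: str, dest_port: int) -> str:
    """First matching rule in ascending priority decides; otherwise fall back to the
    platform default, which denies inbound traffic from outside the VNet."""
    for rule in sorted(rules, key=lambda r: r.priority):
        port_ok = rule.dest_ports == ("*",) or dest_port in rule.dest_ports
        if _source_matches(rule.source, source_tag) and port_ok:
            return rule.access
    return "Deny"
```

The linked FAQ also recommends validating the X-Azure-FDID header at the origin, because the AzureFrontDoor.Backend tag admits traffic from every Front Door profile, not just yours.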