
Azure practice Series 6: using Web Application Firewall to protect websites

2025-01-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Websites are a means of exchanging information that we may use every day, for example to browse Moments, official accounts and traffic pages, or to read the news. Web applications are by now a very common use of information technology. For large-scale web applications, protective measures are essential: if they are put on the Internet without protection, they can easily be attacked by people with ulterior motives.

For this purpose, Azure has a service dedicated to protecting web applications: the application gateway. First, let's take a look at how Azure defines an application gateway and a Web application firewall.

The Azure Application Gateway is a Web traffic load balancer that can be used to manage traffic for Web applications.

Traditional load balancers operate at the transport layer (OSI layer 4: TCP and UDP) and route traffic to destination IP addresses and ports based on source IP addresses and ports. However, more specific operations can be implemented when using the application gateway.

Web Application Firewall (WAF) is a feature of the application gateway that centrally protects Web applications from common exploits and vulnerabilities. WAF is based on the rules in the OWASP (Open Web Application Security Project) core rule set 3.0 or 2.2.9.

Web applications have increasingly become the target of malicious attacks that exploit common known vulnerabilities. The most common of these attacks include SQL injection attacks, cross-site scripting attacks and so on. Preventing this type of attack in application code is challenging and may require rigorous maintenance, patching, and monitoring at multiple layers of the application topology. A centralized Web application firewall greatly simplifies security management and gives application administrators better assurance against threats or intrusions. A WAF solution can also respond to security threats more quickly by patching a known vulnerability in one central location instead of protecting each individual Web application. An existing application gateway can easily be converted to an application gateway that supports the Web application firewall.

By now we should have a basic idea of what the application gateway and the Web application firewall are. So how do we judge whether our website needs a firewall? By the size of the website program, by the performance level of the site, or by something else? In fact there is no strict standard; it depends on the actual situation. For example, if we look at the following website, we can see that its application plan is already that of a high-tier, large website, with CPU usage of 40-60% and a growing memory footprint.

Such sites need extra attention. We can open the performance metrics of the Azure Web application for further monitoring. We suggest setting the time range of the application's metrics to 24 to 48 hours, so that we get a broad view of how the application has been running recently. Generally speaking, for website applications we can choose the Request metric, which is mainly used to observe access to the website application. The minimum interval of the metric is 1 minute, that is, we can see the maximum number of access requests per minute.

If the website application alone shows that the number of views and requests is not high, take a look at the performance metrics of the database behind the website. The following metric is more telling. We can see that within 48 hours the CPU usage of the database reached 100% many times, and in the middle of the period the CPU was almost fully loaded for a long time, which generally does not happen.

If the performance metrics look like this, there are generally two possible reasons. The first is normal high-concurrency access. For example, during the peak ticket-buying period on 12306 the high number of concurrent requests is predictable, because everyone is refreshing the website to snap up train tickets, so at such times we must add more server resources. If the database metrics show the peak, we need to increase the database resources; if the Web application shows it, we need to increase the resources of the web server. The second reason is malicious requests from unknown users, such as a flood of access requests to the server, access simulated by software, simulated IP addresses, injection, XSS attacks and so on. In that case it is necessary to put an application gateway with WAF in front of the website application.
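One way to tell the two cases apart from access logs, as an added example that is not part of the original article: bucket requests per minute (the finest interval of the Request metric) and check whether a peak is spread across many clients or dominated by one. The log lines are constructed, and the `spike_factor` and `top_share` thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict

# Client IP and timestamp truncated to the minute, from common-log-format lines.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<minute>[^\]]{17})')

def per_minute(lines):
    """Return {minute: Counter(client IP -> request count)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip malformed lines instead of failing
            buckets[m["minute"]][m["ip"]] += 1
    return buckets

def classify(buckets, spike_factor=3.0, top_share=0.5):
    """Label each minute 'normal', 'distributed-peak' or 'concentrated-peak'."""
    totals = {minute: sum(c.values()) for minute, c in buckets.items()}
    baseline = sorted(totals.values())[len(totals) // 2]  # median requests/minute
    labels = {}
    for minute, clients in buckets.items():
        total = totals[minute]
        if total < spike_factor * baseline:
            labels[minute] = "normal"
            continue
        # A peak: is it many clients (expected rush) or mostly one source?
        _, top_count = clients.most_common(1)[0]
        labels[minute] = ("concentrated-peak" if top_count / total >= top_share
                          else "distributed-peak")
    return labels

def _line(ip, minute, sec):
    return (f'{ip} - - [29/Jan/2025:10:{minute:02d}:{sec:02d} +0000] '
            '"GET / HTTP/1.1" 200 512')

# Constructed sample: three quiet minutes, one broad peak, one single-source peak.
SAMPLE = (
    [_line(f"198.51.100.{i}", m, i) for m in range(3) for i in range(5)]
    + [_line(f"198.51.100.{i}", 3, i) for i in range(30)]
    + [_line("203.0.113.9", 4, i) for i in range(27)]
    + [_line(f"198.51.100.{i}", 4, i) for i in range(3)]
)

if __name__ == "__main__":
    for minute, label in sorted(classify(per_minute(SAMPLE)).items()):
        print(minute, label)
```

A distributed peak points to scaling out resources, a concentrated one to filtering at the gateway. Traffic that simulates many source addresses looks distributed here, so this check complements the WAF rules and does not replace them.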

In Azure, application gateways are generally used with virtual machines and virtual machine scale sets; websites hosted as Web applications additionally need a virtual network and a virtual network gateway. The first step is to create a virtual network gateway.

The main purpose of the virtual network gateway is to connect the virtual network and the Web application, because the Web application and the virtual network are in two separate networks. During the process of creating the virtual network gateway, we select the gateway type as × × ×, select * Gw1 as the SKU, and configure a public IP address for the gateway.

Next, let's create an application gateway, which is the highlight of today. Again from the home page, choose Create a resource - Network - Application Gateway.

Since WAF is only supported on application gateways of medium size and above, be sure to select the WAF tier here, and then select at least a medium-sized SKU. Of course, a medium-sized SKU can be reached by upgrading from a small SKU, but it cannot be downgraded to a small SKU with WAF.

Then we add it to our virtual network. Note that this must be the same virtual network that is associated with the virtual network gateway we just created.

The IP address space configured for point-to-site on the VNet gateway must be in one of the following address blocks:

10.0.0.0/8 - this refers to the IP address range from 10.0.0.0 to 10.255.255.255

172.16.0.0/12 - this refers to the IP address range from 172.16.0.0 to 172.31.255.255

192.168.0.0/16 - this refers to the IP address range from 192.168.0.0 to 192.168.255.255

In the virtual network gateway we created, we find the point-to-site configuration and configure its address pool. Be sure to deselect the IKEv2 tunnel type: it cannot be selected when a Web application is used with an application gateway.

Then we go to the Web application, select Network to connect the Web application to the virtual network, and click VNet Integration on the right.

In the Add VNet dialog, select the virtual network that contains the virtual network gateway we just created.

You need to wait a moment at this point. If IKEv2 was not deselected, an error is reported, so pay attention here. If there is no problem, the configured VNet information, such as location, gateway status and certificate, is displayed.

By this time our application gateway should also have been created. We open the application gateway, find the Web application firewall, make sure it is turned on, and set the firewall mode to Prevention, so that WAF blocks requests for us rather than just detecting them.

Then, under Backend pools, we need to edit the backend pool: click the default backend pool and the editing interface opens.

In the editing interface, we change the target to an application service and select the application instance we need to protect. Select Save when the operation is complete.

Then go to the HTTP settings. We need to configure them so that the application gateway and our Web application are connected correctly. Click HTTP Settings and select the default HTTP settings item.

In the settings, we select the option below for the application service. The custom probe is then filled in automatically; click Save.

Wait a moment until the configuration update for the application gateway is complete, and then return to the overview of the WAF. To test whether the WAF is configured successfully, copy the front-end IP address of the application gateway.

Paste the address into the browser. If the configuration succeeded, our website is displayed; if not, an error such as 502 Bad Gateway is displayed.
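The constraints from the walkthrough above can be collected into one check that is run against a description of the deployment before testing in the browser. This is an added example, not part of the original article: the dictionary keys and the `WEAK`/`FIXED` samples are hypothetical and constructed, not Azure API objects.

```python
import ipaddress

# The three private blocks the article lists for the point-to-site address pool.
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SKU_RANK = {"small": 0, "medium": 1, "large": 2}

def check_deployment(cfg):
    """Return a list of findings; an empty list means every rule above holds."""
    findings = []
    gw, agw = cfg["vnet_gateway"], cfg["app_gateway"]
    if agw["tier"] != "WAF":
        findings.append("application gateway is not on the WAF tier")
    if SKU_RANK.get(agw["sku_size"], -1) < SKU_RANK["medium"]:
        findings.append("WAF needs at least a medium SKU")
    if agw["vnet"] != gw["vnet"]:
        findings.append("application gateway and VNet gateway use different VNets")
    try:
        pool = ipaddress.ip_network(gw["p2s_address_pool"])
        if not any(pool.version == 4 and pool.subnet_of(b) for b in PRIVATE_BLOCKS):
            findings.append(f"point-to-site pool {pool} is outside the private blocks")
    except ValueError:
        findings.append("point-to-site pool is not a valid CIDR block")
    if "IKEv2" in gw["tunnel_types"]:
        findings.append("IKEv2 tunnel type is still selected")
    if not agw["waf_enabled"]:
        findings.append("Web application firewall is turned off")
    elif agw["waf_mode"] != "Prevention":
        findings.append("WAF only detects; set the mode to Prevention to block")
    return findings

# Constructed samples: a deployment that breaks every rule, and the corrected one.
WEAK = {
    "vnet_gateway": {"vnet": "vnet-web", "p2s_address_pool": "172.32.0.0/24",
                     "tunnel_types": ["SSTP", "IKEv2"]},
    "app_gateway": {"vnet": "vnet-other", "tier": "Standard", "sku_size": "small",
                    "waf_enabled": False, "waf_mode": "Detection"},
}
FIXED = {
    "vnet_gateway": {"vnet": "vnet-web", "p2s_address_pool": "172.16.201.0/24",
                     "tunnel_types": ["SSTP"]},
    "app_gateway": {"vnet": "vnet-web", "tier": "WAF", "sku_size": "medium",
                    "waf_enabled": True, "waf_mode": "Prevention"},
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, check_deployment(cfg) or "ok")
```

The 172.32.0.0/24 pool in `WEAK` sits just past the end of 172.16.0.0/12, an easy mistake because the block ends at 172.31.255.255.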

Generally speaking, the firewall configuration of a website is very important. In Azure, putting an application gateway in front of a virtual machine or website application effectively increases the security of the application, and is well worth doing to reduce the security problems and the degraded user experience caused by unnecessary attacks.
