Deploying F5’s Web Application Firewall in Microsoft Azure Security Center
Use F5’s Web Application Firewall (WAF) to protect web applications deployed in Microsoft Azure.
Applications living in the Cloud still need protection. Data breaches, compromised credentials, system vulnerabilities, DDoS attacks and shared resources can all pose a threat to your cloud infrastructure. The Verizon DBIR notes that web application attacks are the most likely vector for a data breach attack. While attacks on web applications account for only 8% of reported incidents, according to Verizon, they are responsible for over 40% of incidents that result in a data breach. A 2015 survey found that 15% of logins for business apps used by organizations had been breached by hackers.
One way to stay safe is using a Web Application Firewall (WAF) for your cloud deployments.
Let’s dig in on how to use F5’s WAF to protect web applications deployed in Microsoft Azure. This solution builds on BIG-IP Application Security Manager (ASM) and BIG-IP Local Traffic Manager (LTM) technologies as a preconfigured virtual service within the Azure Security Center.
Some requirements for this deployment are:
- You have an existing web application deployed in Azure that you want to protect with BIG-IP ASM
- You have an F5 license token for each instance of BIG-IP ASM you want to use
To get started, log into your Azure dashboard and on the left pane, toward the bottom, you’ll see Security Center and click it.
Next, you’ll want to click the Recommendations area within the Security Center Overview.
And from the list of recommendations, click Add a web application firewall.
A list of available web applications opens in a new pane. From the application list, select the application you want to secure.
And from there click Create New. You’ll get a list of available vendors’ WAFs and choose F5 Networks.
A new page with helpful links and information appears and at the bottom of the page, click Create.
First, select the number of machines you want to deploy – in this case we’re deploying two machines for redundancy and high availability. Review the host entry and then type a unique password for that field. When you click Pricing Tier, you can get info about sizing and pricing. When you are satisfied, at the bottom of that pane click OK.
Next, in the License token field, copy and paste your F5 license token. If you are only deploying one machine, you’ll only see one field. For the Security Blocking Level, you can choose Low, Medium or High. You can also click the icon for a brief description of each level. From the Application Type drop down, select the type of application you want to protect and click OK (at the bottom of that pane).
Once you see two check marks, click the Create button.
Azure then begins the process of the F5 WAF for your application. This process can take up to an hour. Click the little bell notification icon for the status of the deployment.
You’ll receive another notification when the deployment is complete.
After the WAF is successfully deployed, you’ll want to test the new F5 WAF and finalize the setup in Azure including changing the DNS records from the current server IP to the IP of the WAF.
When ready, click Security Center again and the Recommendations panel. This time we’ll click Finalize web application firewall setup.
And click your Web application.
Ensure your DNS settings are correct and check the I updated my DNS Settings box and when ready, click Restrict Traffic at the bottom of the pane.
Azure will give you a notification that it is finalizing the WAF configuration and settings, and you will get another notification when complete.
And when it is complete, your application will be secured with F5’s Web Application Firewall.
Check out the demo video and rest easy, my friend.
ps
Related:
- tbyerly_229301Historic F5 Account
Great article Peter. If someone has any Azure web applications exposed to the Internet they would be remiss not to have a web application firewall. I'm sharing.