Azure Application Gateway is a Layer 7 load balancer with only basic functionality and security, but at a third of the price of even the cheapest version of F5’s BIG-IP, it can be a very attractive option to secure web applications in Azure. For organizations looking to reduce costs, how should you decide if Azure Application Gateway will meet your needs? The answers to a few key questions can help you make that decision:
Do you need your app gateway to manipulate your host headers?
Azure Application Gateway doesn’t support host header manipulation. The gateway does provide x-forwarded-for, x-forwarded-proto, and x-forwarded-port information in the host headers.
Do you need to route traffic based on information in your host headers?
Azure Application Gateway only supports URL and Path based routing controls.
Does your application use a protocol other than HTTP, HTTPS, or WebSockets?
These are the only protocols supported by the Application Gateway.
Do you need advanced or highly customized security controls for your web application firewall?
The Web Application Firewall (WAF) rules on the Application Gateway are based on the OWASP core rule sets. You can turn on or off any particular rule for a gateway in Prevention mode, but that is as granular as you can get. That said these rules do provide a good defense against common attack vectors.
Do you require Distributed Denial of Service(DDoS) protection?
While the WAF rules do protect against Denial of Service attacks from single end points, it does not currently protect against DDoS attacks.
Do you require a static IP address for your Application Gateway?
If your situation requires that you route traffic to an IP address rather than a DNS name, Azure Application Gateway may not be the right fit. Gateways are given a pubic IP when they are started, but when/if they are stopped they lose that IP address. If you don’t stop the Gateway you will keep the same IP. Note: Gateways do get a static DNS name made up of the GUID of the Gateway and an Azure domain, which can be provided as a CNAME for any custom domain you wish to use.
it’s always changing
These don’t cover all the possible reasons to choose Azure Application Gateway over a more robust solution, but as anyone working in the cloud world can tell you, it will be different in six months. For example, the WAF features of the Application Gateway were just made generally available on March 30, 2017. Stay tuned for more features and updates.
Need help deciding if Azure Application Gateway is right for your application? Have other questions about security in the cloud? Credera has extensive experience in cloud infrastructure design and implementation. We would love to discuss potential cloud and infrastructure solutions with you—contact us at firstname.lastname@example.org.