Aidan Finn, IT Pro

Securing A Storage Account Static Website Using VNet Web Application Firewall

Alternative title: Using the Azure Application Gateway to do content redirection with a storage account static website in a secure way.

I was looking at a scenario where I needed a platform (PaaS) way of setting up a website that would:

  • Be cost-effective
  • Be able to easily receive content directly from Azure virtual machines
  • Be secure

This post will describe the solution.

The Storage Account

A redundant (for example zone-redundant) general-purpose v2 storage account is set up with the static website feature enabled; enabling the feature creates the $web container, and the content is uploaded there. The storage firewall is then enabled with a default action of Deny, and virtual network rules allow only the virtual machine subnet (which uploads content) and the Azure Application Gateway/Web Application Firewall subnet (which serves it). Requests from any other address space are refused by the storage firewall; in testing this surfaced as a 404 error rather than the page. Note that the firewall's virtual network rules only match traffic that arrives through a Microsoft.Storage service endpoint, which is what the first solution below relies on.

The WAF

A WAFv2 (Application Gateway v2 with the WAF SKU) is set up. The WAF subnet is protected by an NSG. The WAF is controlled by a WAF policy (run it in Prevention mode once the managed rule set has been tuned against the site). Certificates for custom domains are stored in a Key Vault: the gateway is given a user-assigned managed identity, and that identity is granted Get on secrets in the Key Vault access policy. Application Gateway reads the certificate through the Key Vault secret endpoint, so secret Get is the permission that matters (with an RBAC-enabled vault, the equivalent is the Key Vault Secrets User role). A multi-site HTTPS listener is set up for the static website using a custom domain name:

  • The HTTP setting handles the name translation: it rewrites the Host header from the custom domain name to the default storage account web endpoint.
  • The Key Vault stores the certificate for the custom domain name, which the listener presents to clients.
  • There is end-to-end encryption: the WAF-to-storage leg is HTTPS to the default web endpoint, whose Microsoft-issued certificate the gateway validates against its list of well-known CAs, so no backend certificate has to be uploaded.

The HTTP setting in the WAF will be set up as follows:

  • Protocol: HTTPS, backend port 443
  • Use well known CA certificate: Yes (no trusted root certificate to upload)
  • Override with new host name: Yes, with the host name set to the default URI of the static website (the <account>.z<N>.web.core.windows.net name); pair it with a custom health probe that sends the same host name, so the probe checks the site rather than the raw backend address
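The WAF configuration above, as an added Az PowerShell example that is not code from the original post: it attaches the static website to an existing Application Gateway WAF v2 (identity and Key Vault certificate, multi-site HTTPS listener, HTTPS backend setting with host-name override, custom probe and routing rule). The resource names (rg-web, agw-waf, kv-contoso, id-agw-kv, www.contoso.com, stcontosoweb) and the z6 label in the web endpoint are assumptions; the backend pool uses the FQDN form of Solution 1 below.

```powershell
# Added example (Az PowerShell), not code from the original post.
# Attaches the static website to an EXISTING Application Gateway WAF v2.
# All resource names below are assumptions for illustration.
$rg         = 'rg-web'
$appGwName  = 'agw-waf'
$customHost = 'www.contoso.com'                       # custom domain on the listener
$webHost    = 'stcontosoweb.z6.web.core.windows.net'  # default web endpoint; the z<N> label varies per account
$kvName     = 'kv-contoso'
$certName   = 'www-contoso-com'                       # certificate object in Key Vault
$uaiName    = 'id-agw-kv'                             # user-assigned managed identity

$appGw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $appGwName

# 1. Identity for the gateway, granted Get on secrets only. App Gateway fetches the
#    certificate through the Key Vault *secret* endpoint, so secret/get is the permission
#    that matters (for an RBAC-mode vault assign "Key Vault Secrets User" instead).
$uai   = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $uaiName
$appGw = Set-AzApplicationGatewayIdentity -ApplicationGateway $appGw -UserAssignedIdentityId $uai.Id
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $uai.PrincipalId -PermissionsToSecrets get

# 2. Reference the certificate by its version-less secret id so a renewed certificate
#    is picked up automatically (the gateway polls Key Vault for changes).
$cert              = Get-AzKeyVaultCertificate -VaultName $kvName -Name $certName
$secretIdNoVersion = $cert.SecretId -replace '/[^/]+$', ''
$appGw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appGw -Name 'cert-www' `
            -KeyVaultSecretId $secretIdNoVersion

# 3. Backend pool: the static website FQDN (Solution 1). Because the storage firewall is
#    set to Deny, the WAF subnet needs a Microsoft.Storage service endpoint so this
#    traffic reaches storage with the subnet as its source.
$appGw = Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $appGw `
            -Name 'pool-static-web' -BackendFqdns $webHost

# 4. Custom probe and HTTP setting: HTTPS/443 with the Host header rewritten to the
#    default web endpoint. No -TrustedRootCertificate is supplied, which is the
#    "use well known CA certificate" option: the Microsoft-issued *.web.core.windows.net
#    certificate is validated against the gateway's built-in CA list.
$appGw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $appGw -Name 'probe-static-web' `
            -Protocol Https -HostName $webHost -Path '/' -Interval 30 -Timeout 30 -UnhealthyThreshold 3
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $appGw -Name 'probe-static-web'
$appGw = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $appGw -Name 'https-static-web' `
            -Port 443 -Protocol Https -CookieBasedAffinity Disabled -HostName $webHost -Probe $probe

# 5. Multi-site HTTPS listener on the existing frontend IP and 443 port, matched on Host.
$feIp    = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $appGw | Select-Object -First 1
$fePort  = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $appGw | Where-Object Port -eq 443
$sslCert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appGw -Name 'cert-www'
$appGw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $appGw -Name 'lsn-www-https' -Protocol Https `
            -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $sslCert -HostName $customHost

# 6. Routing rule (v2 gateways require a unique priority per rule), then commit.
$listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appGw -Name 'lsn-www-https'
$pool     = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $appGw -Name 'pool-static-web'
$setting  = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $appGw -Name 'https-static-web'
$appGw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $appGw -Name 'rule-www' -RuleType Basic `
            -Priority 100 -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $setting
Set-AzApplicationGateway -ApplicationGateway $appGw | Out-Null
```

The identity is granted Get on secrets only: List is not needed for the gateway to read a certificate, and the narrower grant is the one to keep. Everything is built in memory against the $appGw object and committed once with Set-AzApplicationGateway, which is how the Az cmdlets are meant to be used and avoids a half-applied listener.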

Solution 1 – Service Endpoint

In this case, the WAF subnet has a Microsoft.Storage service endpoint enabled. Traffic from the WAF to the storage account hosting the static website then falls through a routing "trap door" onto the Azure private backbone and arrives at the storage account with the WAF subnet as its source, which is what the storage firewall's virtual network rule matches on (without the service endpoint the gateway's backend traffic would leave via its public IP and be refused). This keeps the traffic relatively private and reduces latency.

The backend pool of the WAF is the FQDN of the static website.

Pros:

  • Easy to set up.

Cons:

  • Service Endpoints appear to be a dead-end technology
  • It requires the Microsoft.Storage Service Endpoint to be configured on every subnet that needs to interact with the website/storage account, because the storage firewall's virtual network rules only match traffic arriving through a service endpoint.
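The storage account and Solution 1 together, as an added Az PowerShell example that is not code from the original post: service endpoints on the VM and WAF subnets, a zone-redundant GPv2 account with the static website enabled, and a storage firewall that denies everything except those two subnets. The names (rg-web, vnet-hub, snet-vms, snet-waf, stcontosoweb) and the region are assumptions.

```powershell
# Added example (Az PowerShell), not code from the original post.
# Storage side of Solution 1. Names and region below are assumptions.
$rg       = 'rg-web'
$location = 'northeurope'
$saName   = 'stcontosoweb'              # must be globally unique
$vnetName = 'vnet-hub'
$subnets  = @('snet-vms', 'snet-waf')   # content producers and the Application Gateway subnet

# 1. Microsoft.Storage service endpoint on every subnet that must reach the account:
#    the storage firewall's VNet rules only match traffic that arrives through one.
#    Set-AzVirtualNetworkSubnetConfig rewrites the subnet config, so pass the existing
#    NSG and route table through (check delegations/NAT gateway too if the subnet has them).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
foreach ($name in $subnets) {
    $cfg = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name -AddressPrefix $cfg.AddressPrefix `
        -NetworkSecurityGroupId $cfg.NetworkSecurityGroup.Id -RouteTableId $cfg.RouteTable.Id `
        -ServiceEndpoint 'Microsoft.Storage' | Out-Null
}
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# 2. The account: GPv2, zone-redundant, HTTPS only, TLS 1.2 minimum. Anonymous *blob*
#    access is disallowed; the static website is served by the separate web endpoint
#    and is not affected by that setting.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
        -SkuName Standard_ZRS -Kind StorageV2 -EnableHttpsTrafficOnly $true `
        -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false

# 3. Static website is a data-plane setting; enabling it creates the $web container.
#    Do this BEFORE the firewall is set to Deny, or the call from your workstation is refused.
Enable-AzStorageStaticWebsite -Context $sa.Context -IndexDocument 'index.html' -ErrorDocument404Path '404.html'
$webHost = ([uri]$sa.PrimaryEndpoints.Web).Host   # the value for the WAF host-name override

# 4. Firewall: default Deny, no bypass, then allow exactly the two subnets.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny -Bypass None | Out-Null
foreach ($name in $subnets) {
    $subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name).Id
    Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -VirtualNetworkResourceId $subnetId | Out-Null
}
Write-Output "Static website host for the WAF HTTP setting: $webHost"
```

The order matters: the static website is enabled (a data-plane call from your own workstation) before the firewall flips to Deny, and the service endpoints exist before the virtual network rules reference the subnets. -Bypass None also stops trusted Azure services from walking around the rules; loosen it only if a specific service (for example a backup or monitoring service) needs to.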

Solution 2 – Private Link/Private Endpoint

In this design, the Service Endpoint is dropped and replaced with a Private Endpoint for the web sub-resource of the storage account (the sub-resource that serves the static website). This Private Endpoint can be in the same VNet as the WAF or even in a different (peered) VNet.

The only change to the WAF configuration is that the backend pool must now be the private IP address of the Private Endpoint; the HTTP setting keeps overriding the host name to the default web endpoint, so the Host header and the certificate validation still line up. Traffic now routes from the WAF subnet to the Private Endpoint's subnet, even across peering connections.

Pros:

  • Private Link/Private Endpoint is the future for this kind of connectivity.
  • There is no need to configure subnets with anything: they just need to route to the Private Endpoint (to modify content) or to the WAF (to access content). One caveat: the web sub-resource only serves the site. Content is written to $web through the blob endpoint, so the virtual machines that upload content need a second Private Endpoint for the blob sub-resource (or a firewall rule for their subnet), plus the privatelink DNS zones so the storage account names resolve to the private IPs.

Cons:

  • A little more complex to set up, but the effort is returned in the long-run with less configuration required.

At the time of writing there was no support for inbound NSG rules on a Private Endpoint (the NSG on its subnet was bypassed), but:

  • That is coming in the future (it has since been released: NSG and route table enforcement on private endpoint traffic is switched on per subnet through the PrivateEndpointNetworkPolicies setting)
  • The storage account firewall rejects unwanted direct traffic on the public endpoint; with no service endpoints left in use, public network access to the account can be turned off entirely
  • The NSG in front of the WAF provides Layer-4 filtering and the WAF provides Layer-7 filtering
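Solution 2 end to end, as an added Az PowerShell example that is not code from the original post: private endpoints for the web sub-resource (served to the WAF) and the blob sub-resource (what the VMs write $web content through), the matching privatelink DNS zones, the WAF backend pool repointed at the web endpoint's private IP, and public access to the account closed. The names (rg-web, vnet-hub, snet-pe, stcontosoweb, agw-waf, pool-static-web) and the region are assumptions; it also enables NSG enforcement on the endpoint subnet, which was not available when the post was written.

```powershell
# Added example (Az PowerShell), not code from the original post.
# Solution 2: private endpoints, privatelink DNS, WAF backend repoint, public endpoint closed.
# Names and region below are assumptions.
$rg = 'rg-web'; $location = 'northeurope'
$saName = 'stcontosoweb'; $vnetName = 'vnet-hub'; $peSubnetName = 'snet-pe'; $appGwName = 'agw-waf'

$sa   = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# 1. Let the NSG (and route table) on the private endpoint subnet apply to endpoint
#    traffic. This is the feature the post was waiting for; it is off unless enabled.
$peSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $peSubnetName
$peSubnet.PrivateEndpointNetworkPolicies = 'Enabled'
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$peSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $peSubnetName

# 2. One private endpoint per sub-resource ('web' serves the site, 'blob' takes uploads),
#    plus the matching privatelink zone and a DNS zone group so the A record is created
#    and kept current automatically.
$privateIp = @{}
foreach ($group in 'web', 'blob') {
    $conn = New-AzPrivateLinkServiceConnection -Name "plsc-$saName-$group" -PrivateLinkServiceId $sa.Id -GroupId $group
    $pe   = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$saName-$group" -Location $location `
                -Subnet $peSubnet -PrivateLinkServiceConnection $conn
    $nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
    $privateIp[$group] = $nic.IpConfigurations[0].PrivateIpAddress

    $zoneName = "privatelink.$group.core.windows.net"
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName -Name "link-$vnetName" `
            -VirtualNetworkId $vnet.Id | Out-Null
    }
    $zoneConfig = New-AzPrivateDnsZoneConfig -Name $zoneName -PrivateDnsZoneId $zone.ResourceId
    New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name -Name 'default' `
        -PrivateDnsZoneConfig $zoneConfig | Out-Null
}

# 3. The WAF's only change: backend pool = private IP of the web endpoint. The HTTP
#    setting still overrides the Host header to the default web endpoint, so the
#    Microsoft-issued certificate still validates.
$appGw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $appGwName
$appGw = Set-AzApplicationGatewayBackendAddressPool -ApplicationGateway $appGw -Name 'pool-static-web' `
            -BackendIPAddresses $privateIp['web']
Set-AzApplicationGateway -ApplicationGateway $appGw | Out-Null

# 4. Nothing uses the public endpoint any more (the firewall's VNet rules never applied to
#    private endpoint traffic anyway), so close it. -PublicNetworkAccess needs a recent
#    Az.Storage; on older modules keep Update-AzStorageAccountNetworkRuleSet -DefaultAction Deny.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -PublicNetworkAccess Disabled | Out-Null
```

Two points worth checking after running this: resolve the account's blob and web names from a VM in the VNet and confirm they return the private IPs (if the privatelink zone is not linked to the VNet that holds the VM, the VM still gets the public address and is refused), and confirm the WAF's backend health shows the pool healthy against the private IP with the overridden host name.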

Want to Learn More?

Why not join me for an ONLINE 1-day training course on securing Azure IaaS and PaaS services. Securing Azure Services & Data Through Azure Networking is my newest Azure training course, designed to give Level 400 training to those who have been using Azure for a while. It dives deep on topics that most people misunderstand and covers many topics similar to the above content.

Author: AFinn. Posted on June 15, 2020. Categories: Azure. Tags: Azure, Networking, Private Endpoint, Private Link, Security, Static Website, Storage Account, Web Application Firewall, Web Application Firewall v2, Web Application Gateway, Web Application Gateway v2. 2 comments on Securing A Storage Account Static Website Using VNet Web Application Firewall.