{"id":21690,"date":"2019-11-07T21:13:31","date_gmt":"2019-11-07T21:13:31","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=21690"},"modified":"2019-11-07T21:14:13","modified_gmt":"2019-11-07T21:14:13","slug":"microsoft-ignite-2019-deliver-highly-available-secure-web-application-gateway-and-web-application-firewall","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=21690","title":{"rendered":"Microsoft Ignite 2019 \u2013 Deliver Highly Available Secure Web Application Gateway and Web Application Firewall"},"content":{"rendered":"<p>Speaker:<\/p>\n<ul>\n<li>Amit Srivastava, Principal Program Manager, Microsoft<\/li>\n<\/ul>\n<h2>Mission Critical HTTP Applications<\/h2>\n<ul>\n<li>Always On<\/li>\n<li>Secure<\/li>\n<li>Scalable<\/li>\n<li>Telemetry<\/li>\n<li>Polyglot \u2013 variety of backends: IaaS, PaaS, on-prem<\/li>\n<\/ul>\n<p>Many things to think about.<\/p>\n<h2>What Azure Pieces Can We Use?<\/h2>\n<ul>\n<li>WAG<\/li>\n<li>AFD<\/li>\n<li>CDN<\/li>\n<li>WAF<\/li>\n<li>Azure Load Balancer<\/li>\n<li>Azure Traffic Manager<\/li>\n<\/ul>\n<h2>WAG<\/h2>\n<p>Regional ADC (application delivery controller) as a service. A full reverse proxy. 
It terminates the incoming connection and creates a new one to the web server.<\/p>\n<ul>\n<li>Platform managed: built-in HA and scalability<\/li>\n<li>Layer 7 load balancing: URL path, host based, round robin, session affinity, redirection<\/li>\n<li>Security and SSL management: WAF, SSL offload, SSL re-encryption, SSL policy<\/li>\n<li>Public or ILB: public internet, internal or both.<\/li>\n<li>Flexible backends: VMs, VMSS, AKS, public IP, cloud services, ALB\/ILB, on-premises<\/li>\n<li>Rich diagnostics: Azure Monitor, Log Analytics, Network Watcher, RHC, more<\/li>\n<\/ul>\n<h2>Standard v2 SKU in GA<\/h2>\n<ul>\n<li>Available in 26 regions<\/li>\n<li>Built-in zone redundancy<\/li>\n<li>Static VIP<\/li>\n<li>HTTP header\/cookie insertion\/modification<\/li>\n<li>Increased scale limits 20 -&gt; 100 listeners<\/li>\n<li>Key Vault integration and auto-renewal of SSL certs (GA)<\/li>\n<li>AKS ingress controller (GA)<\/li>\n<\/ul>\n<p>Autoscaling and performance improvements:<\/p>\n<ul>\n<li>Grow and shrink based on app traffic requirements<\/li>\n<li>5x better SSL offload performance\n<ul>\n<li>500 \u2013 50,000 connections\/sec with RSA 2048-bit certs<\/li>\n<li>30,000 \u2013 3,000,000 persistent connections<\/li>\n<li>2,500 \u2013 250,000 HTTP req\/sec<\/li>\n<\/ul>\n<\/li>\n<li>75% reduction in provisioning time, ~5 mins<\/li>\n<\/ul>\n<h2>Key Vault Integration in v2 GA<\/h2>\n<ul>\n<li>Front-end TLS cert integrated with Azure Key Vault<\/li>\n<li>Utilizes a user-assigned managed identity for access control on the Key Vault<\/li>\n<li>Use certificates or secrets in Key Vault<\/li>\n<li>Polls every 4 hours to enable automatic cert renewal \u2013 you can force a poll if you need to<\/li>\n<li>Manual override or specific certificate version retrieval<\/li>\n<\/ul>\n<h2>WAG v2 Header Rewrites<\/h2>\n<ul>\n<li>Manipulate request and response headers and cookies\n<ul>\n<li>Strip port from X-Forwarded-For header<\/li>\n<li>Add security headers like HSTS and 
X-XSS-Protection<\/li>\n<li>Common header manipulation, e.g. Host, Server<\/li>\n<\/ul>\n<\/li>\n<li>Conditional header rewrites \u2026 something<\/li>\n<\/ul>\n<h2>Ingress Controller<\/h2>\n<ul>\n<li>Ingress controller for 1+ AKS clusters at one time<\/li>\n<li>Deployed using Helm \u2013 newer, easier options by end of year<\/li>\n<li>Uses AAD Pod Identity for ARM authentication<\/li>\n<li>Tighter integration with AKS add-on support upcoming<\/li>\n<li>Supports URI-path based, host based, SSL termination, SSL re-encryption, redirection, custom health probes, draining, cookie affinity.<\/li>\n<li>Support for Let\u2019s Encrypt-provided TLS certs<\/li>\n<li>WAF fully supported with custom listener policies<\/li>\n<li>Support for multiple AKS clusters as backends<\/li>\n<li>Support for mixed mode: both AKS and other backend types on the same application gateway.<\/li>\n<\/ul>\n<p><a href=\"http:\/\/aka.ms\/appgawks\">http:\/\/aka.ms\/appgawks<\/a><\/p>\n<h2>Application Gateway Wildcard Listener<\/h2>\n<ul>\n<li>Managed preview<\/li>\n<li>Support for wildcard characters in listener host name<\/li>\n<li>Supports * and ? 
characters in host name<\/li>\n<li>Associate wildcard or SAN certs to serve HTTPS<\/li>\n<\/ul>\n<h2>Telemetry Enhancements<\/h2>\n<ul>\n<li>GA<\/li>\n<li>Diagnostics log enhancements\n<ul>\n<li>TLS protocol version, cipher spec selected.<\/li>\n<li>Backend target server, response code, latency.<\/li>\n<\/ul>\n<\/li>\n<li>Metrics enhancements\n<ul>\n<li>Backend response status code<\/li>\n<li>RPS\/healthy node<\/li>\n<li>End-to-end latency<\/li>\n<li>Backend latency<\/li>\n<li>Backend connect, first byte, and last byte latency.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Azure Monitor Insights for Application Gateway<\/h2>\n<ul>\n<li>Public Preview<\/li>\n<li>Single health and metric console for your entire cloud network<\/li>\n<li>No agent\/configuration required<\/li>\n<li>Visualize the structure and functional dependencies<\/li>\n<li>More<\/li>\n<\/ul>\n<h2>AKS Demo<\/h2>\n<p>He loads a Helm YAML config onto the AKS cluster. Now the AKS cluster can configure listeners, backend pools, rules, etc. for the containers\/services running on the cluster. 
Pretty cool.<\/p>\n<h2>Azure WAF<\/h2>\n<p>Cloud-native WAF<\/p>\n<ul>\n<li>Unified WAF offering\n<ul>\n<li>Protect your apps at the network edge or in region uniformly<\/li>\n<\/ul>\n<\/li>\n<li>Public preview:\n<ul>\n<li>Microsoft threat intelligence\n<ul>\n<li>Protect apps against automated attacks<\/li>\n<li>Manage good\/bad bots with the Azure BotManager rule set<\/li>\n<\/ul>\n<\/li>\n<li>Site- and URI-path-specific WAF policies\n<ul>\n<li>Customise WAF policies at the regional WAF for finer-grained protection at each host\/listener or URI path level<\/li>\n<\/ul>\n<\/li>\n<li>Geo-filtering on regional WAF<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>WAF<\/h2>\n<ul>\n<li>HA, scalable, fully platform managed<\/li>\n<li>Auto-scaling support<\/li>\n<li>New rule set CRS 3.1 added, will soon be the default<\/li>\n<li>Integration with Azure Sentinel SIEM<\/li>\n<li>Performance and concurrency enhancements<\/li>\n<li>More<\/li>\n<\/ul>\n<h2>WAF Policy Enhancements<\/h2>\n<ul>\n<li>Assign different policies to different sites behind the same WAF<\/li>\n<li>Increased configurability<\/li>\n<li>Per-URI policy<\/li>\n<\/ul>\n<h2>Geo Filtering Public Preview<\/h2>\n<ul>\n<li>Block, allow, log countries.<\/li>\n<li>Easily configurable in the WAF policy<\/li>\n<li>Geo data refreshed weekly<\/li>\n<\/ul>\n<p>Only available via a special Portal URL at the moment \u2013 normal Azure Portal soon.<\/p>\n<h2>Bot Protection (Public Preview)<\/h2>\n<ul>\n<li>Stuff<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Speaker: Amit Srivastava, Principal Program Manager, Microsoft Mission Critical HTTP Applications Always On Secure Scalable Telemetry Polyglot \u2013 variety of backends: IaaS, PaaS, on-prem Many things to think about. What Azure Pieces Can We Use? WAG AFD CDN WAF Azure Load Balancer Azure Traffic Manager WAG Regional ADC (application delivery controller) as a service. A full reverse proxy. 
&hellip; <a href=\"https:\/\/aidanfinn.com\/?p=21690\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Microsoft Ignite 2019 \u2013 Deliver Highly Available Secure Web Application Gateway and Web Application Firewall&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":18458,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[5],"tags":[413,170,412,411,80,190,318,340,317,342],"class_list":["post-21690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-aks","tag-azure","tag-azure-kubernetes-service","tag-key-vault","tag-networking","tag-security","tag-waf","tag-wafv2","tag-wag","tag-wagv2"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aidanfinn.com\/wp-content\/uploads\/2015\/06\/15856883949_20117b0a70_z.jpg","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=21690"}],"version-history":[{"count":2,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21690\/revisions"}],"predecessor-version":[{"id":21692,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21690\/revisions\/21692"}],"wp:featuredmedia":[{"embed
dable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/media\/18458"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=21690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=21690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=21690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
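The Key Vault integration, header-rewrite and WAF policy/geo-filtering items in the notes above are all configuration, so here is an added Azure CLI script that applies them to an existing Application Gateway v2. It is an editor's example, not the speaker's demo code or a Microsoft sample. The resource group, gateway, vault, certificate, listener, routing-rule and policy names and the IE/GB allow-list are assumptions, as is the CLI's HEADER=VALUE parsing noted in the comments. It prints the commands by default (DRY_RUN=1) and only calls az when DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example (not the speaker's demo or Microsoft sample code): apply three of the
# v2 features from the session to an EXISTING Application Gateway v2 with the Azure CLI.
# Every resource name below is an assumption; edit them before running with DRY_RUN=0.
set -eu

RG=${RG:-rg-web}                 # resource group (assumed)
AGW=${AGW:-agw-web-v2}           # existing WAF_v2 gateway (assumed)
KV=${KV:-kv-web}                 # Key Vault holding the TLS certificate (assumed)
CERT=${CERT:-web-tls}            # certificate name in that vault (assumed)
LISTENER=${LISTENER:-lsn-https}  # HTTPS listener that gets the per-site WAF policy (assumed)
ROUTE=${ROUTE:-rule-https}       # request routing rule that gets the rewrite set (assumed)
POLICY=${POLICY:-wafpol-web}     # WAF policy name (assumed)
GEO_ALLOW=${GEO_ALLOW:-"IE GB"}  # ISO 3166-1 alpha-2 countries allowed to reach the site (assumed)

# Dry-run by default: print the commands instead of calling the Azure CLI, so the
# script can be reviewed without a logged-in session. DRY_RUN=0 applies for real.
DRY_RUN=${DRY_RUN:-1}
az() {
  if [ "$DRY_RUN" = 1 ]; then echo "az $*"; else command az "$@"; fi
}
AG="network application-gateway"   # shorthand for the command group

# 1. Key Vault-backed front-end certificate via a user-assigned managed identity.
#    A VERSIONLESS secret URL is what lets the gateway pick up a renewed certificate
#    on its periodic poll; put a version in the URL only when you want to pin one.
attach_keyvault_cert() {
  az identity create -g "$RG" -n "id-$AGW"
  if [ "$DRY_RUN" = 1 ]; then principal='<principalId>'
  else principal=$(command az identity show -g "$RG" -n "id-$AGW" --query principalId -o tsv); fi
  # least privilege: the identity only needs to GET the secret form of the certificate
  az keyvault set-policy -n "$KV" --object-id "$principal" --secret-permissions get
  az $AG identity assign -g "$RG" --gateway-name "$AGW" --identity "id-$AGW"
  az $AG ssl-cert create -g "$RG" --gateway-name "$AGW" -n "$CERT" \
    --key-vault-secret-id "https://$KV.vault.azure.net/secrets/$CERT"
}

# 2. Header rewrites. Stripping the client port from X-Forwarded-For uses the documented
#    server variable; HSTS, nosniff and a blanked Server header go on every response.
#    Assumed about the CLI: HEADER=VALUE is split on the first '=' (the HSTS value
#    itself contains '='), and an empty VALUE deletes the header.
create_header_rewrites() {
  set_name=rws-security
  az $AG rewrite-rule set create -g "$RG" --gateway-name "$AGW" -n "$set_name"
  az $AG rewrite-rule create -g "$RG" --gateway-name "$AGW" --rule-set-name "$set_name" \
    -n strip-xff-port --sequence 100 \
    --request-headers 'X-Forwarded-For={var_add_x_forwarded_for_proxy}'
  az $AG rewrite-rule create -g "$RG" --gateway-name "$AGW" --rule-set-name "$set_name" \
    -n security-headers --sequence 200 \
    --response-headers 'Strict-Transport-Security=max-age=31536000; includeSubDomains' \
                       'X-Content-Type-Options=nosniff' 'Server='
  # a rewrite set is inert until a routing rule references it
  az $AG rule update -g "$RG" --gateway-name "$AGW" -n "$ROUTE" --rewrite-rule-set "$set_name"
}

# 3. Per-site WAF policy: CRS 3.1 in Prevention mode plus a geo allow-list implemented
#    as a negated GeoMatch custom rule (block anything NOT from GEO_ALLOW), attached
#    to one listener rather than the whole gateway.
create_waf_policy() {
  az $AG waf-policy create -g "$RG" -n "$POLICY" --type OWASP --version 3.1
  az $AG waf-policy policy-setting update -g "$RG" --policy-name "$POLICY" \
    --state Enabled --mode Prevention
  az $AG waf-policy custom-rule create -g "$RG" --policy-name "$POLICY" -n geo-allowlist \
    --priority 10 --rule-type MatchRule --action Block
  # shellcheck disable=SC2086  # GEO_ALLOW is intentionally word-split into --values
  az $AG waf-policy custom-rule match-condition add -g "$RG" --policy-name "$POLICY" \
    -n geo-allowlist --match-variables RemoteAddr --operator GeoMatch --negate true \
    --values $GEO_ALLOW
  az $AG http-listener update -g "$RG" --gateway-name "$AGW" -n "$LISTENER" --waf-policy "$POLICY"
}

main() {
  attach_keyvault_cert
  create_header_rewrites
  create_waf_policy
}
main
```

The versionless secret URL is the piece that makes the 4-hourly poll useful: with a pinned version the gateway keeps serving that version after renewal. Attaching the policy to the listener rather than the gateway is the per-site policy the session describes; a per-URI policy would go on the URL path-map rule instead. Run the script once with DRY_RUN=1, read the emitted commands, then re-run with DRY_RUN=0 in a logged-in az session.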