Configuring a Web Application Firewall (WAF) for App Service Environment

Overview

Web application firewalls (WAF) help secure your web applications by inspecting inbound web traffic to block SQL injection, cross-site scripting, malware uploads, application-layer DDoS and other attacks. They also inspect the responses from the back-end web servers for Data Loss Prevention (DLP). Combined with the isolation and additional scaling provided by App Service Environments, this provides an ideal environment to host business-critical web applications that need to withstand malicious requests and high-volume traffic. Azure provides a WAF capability with the Application Gateway. To see how to integrate your App Service Environment with an Application Gateway, read the Integrate your ILB ASE with an Application Gateway document.

In addition to the Azure Application Gateway, there are multiple marketplace options, such as the Barracuda WAF for Azure, available on the Azure Marketplace. The rest of this document focuses on how to integrate your App Service Environment with a Barracuda WAF device.

Note

Although this article refers to web apps, it also applies to API apps and mobile apps.

Setup

For this document, we configure the App Service Environment behind multiple load-balanced instances of the Barracuda WAF, so that only traffic from the WAF can reach the App Service Environment and it is not reachable from the DMZ. We also place Azure Traffic Manager in front of the Barracuda WAF instances to load balance across Azure data centers and regions. A high-level diagram of the setup looks like the following image:

[Image: Diagram showing an optional Azure Traffic Manager in front of Web Application Firewall instances, which connect through network ACLs that allow only traffic from the firewall into an App Service Environment containing Web, API and Mobile apps, across two regions.]

Note

With the introduction of ILB support for App Service Environment, you can configure the ASE to be inaccessible from the DMZ and available only to the private network.

Configuring your App Service Environment

To configure an App Service Environment, refer to our documentation on the subject. Once you have created an App Service Environment, you can create Web Apps, API Apps, and Mobile Apps in it; all of them are protected behind the WAF we configure in the next section.

Configuring your Barracuda WAF Cloud Service

Barracuda has a detailed article on deploying its WAF on a virtual machine in Azure. Because we want redundancy without introducing a single point of failure, deploy at least two WAF instance VMs into the same Cloud Service when following those instructions.

Adding Endpoints to the Cloud Service

Once you have two or more WAF VM instances in your Cloud Service, you can use the Azure portal to add the HTTP and HTTPS endpoints used by your application, as shown in the following image:

[Image: Configure endpoints]

If your applications use other endpoints, make sure to add them to this list as well.

Configuring Barracuda WAF through its Management Portal

The Barracuda WAF uses TCP port 8000 for configuration through its management portal. If you have multiple WAF VM instances, repeat the steps here for each VM instance.

Note

Once you are done with WAF configuration, remove the TCP/8000 endpoint from all your WAF VMs to keep your WAF secure.

Add the management endpoint as shown in the following image to configure your Barracuda WAF.

[Image: Add management endpoint]
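The endpoint steps above (load-balanced HTTP and HTTPS endpoints on each WAF VM, a temporary TCP/8000 management endpoint, and its removal once configuration is finished), as an added PowerShell example using the classic Azure cmdlets; it is not code from the original article or from Barracuda. The Cloud Service name, VM names, load-balanced set names, endpoint names and the admin address range are placeholders. The endpoint ACL that limits the management port to an admin range while the port exists is an additional restriction not described on the page.

```powershell
# Added example; all values below are placeholders.
$serviceName = "test"                      # placeholder: Cloud Service name (test.cloudapp.cn in the text)
$wafVmNames  = @("waf-vm-1", "waf-vm-2")   # placeholder: the two or more WAF VM instances
$adminSubnet = "203.0.113.0/24"            # placeholder: range allowed to reach the management port

# Adds the HTTP and HTTPS endpoints of one WAF VM to load-balanced sets, so the Cloud
# Service VIP spreads application traffic across every WAF instance. The TCP probe
# takes an unresponsive WAF out of rotation.
function Add-WafAppEndpoints {
    param([string]$ServiceName, [string]$VmName)
    Get-AzureVM -ServiceName $ServiceName -Name $VmName |
        Add-AzureEndpoint -Name "HttpIn" -Protocol tcp -LocalPort 80 -PublicPort 80 `
            -LBSetName "WafHttp" -ProbeProtocol tcp -ProbePort 80 |
        Add-AzureEndpoint -Name "HttpsIn" -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName "WafHttps" -ProbeProtocol tcp -ProbePort 443 |
        Update-AzureVM
}

# Exposes the Barracuda management port (local TCP 8000) on a per-VM public port.
# A non-load-balanced endpoint needs a distinct public port per VM in the same Cloud
# Service, so the first WAF is reached on :8000, the second on :8001 (assumption).
function Add-WafManagementEndpoint {
    param([string]$ServiceName, [string]$VmName, [int]$PublicPort, [string]$AllowedSubnet)
    # Endpoint ACL (additional hardening): only the admin range may connect while the port is open
    $acl = New-AzureAclConfig
    Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $AllowedSubnet `
        -Order 100 -Description "WAF admin access"
    Get-AzureVM -ServiceName $ServiceName -Name $VmName |
        Add-AzureEndpoint -Name "WafMgmt" -Protocol tcp -LocalPort 8000 -PublicPort $PublicPort -ACL $acl |
        Update-AzureVM
}

# Removes the management endpoint again, as the note above requires once configuration is done.
function Remove-WafManagementEndpoint {
    param([string]$ServiceName, [string]$VmName)
    Get-AzureVM -ServiceName $ServiceName -Name $VmName |
        Remove-AzureEndpoint -Name "WafMgmt" |
        Update-AzureVM
}

# Lists the endpoints of every WAF VM so the removal of WafMgmt can be verified.
function Get-WafEndpoints {
    param([string]$ServiceName, [string[]]$VmNames)
    foreach ($vm in $VmNames) {
        Get-AzureVM -ServiceName $ServiceName -Name $vm | Get-AzureEndpoint |
            Select-Object @{ n = 'VM'; e = { $vm } }, Name, Protocol, LocalPort, Port, LBSetName
    }
}

# 1. Application endpoints plus a temporary management endpoint on each WAF VM
$index = 0
foreach ($vm in $wafVmNames) {
    Add-WafAppEndpoints -ServiceName $serviceName -VmName $vm
    Add-WafManagementEndpoint -ServiceName $serviceName -VmName $vm `
        -PublicPort (8000 + $index) -AllowedSubnet $adminSubnet
    $index++
}

# 2. Configure each WAF through http://<service>.cloudapp.cn:<public port>, then close the port
foreach ($vm in $wafVmNames) { Remove-WafManagementEndpoint -ServiceName $serviceName -VmName $vm }
Get-WafEndpoints -ServiceName $serviceName -VmNames $wafVmNames | Format-Table -AutoSize
```

The final listing should show only HttpIn and HttpsIn on every WAF VM; a remaining WafMgmt row means the management port is still reachable from the admin range and the removal step has to be repeated for that VM.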

Use a browser to browse to the management endpoint on your Cloud Service. If your Cloud Service is called test.cloudapp.cn, you would access this endpoint by browsing to http://test.cloudapp.cn:8000. You should see a login page like the following image, where you can log in using the credentials you specified during WAF VM setup.

[Image: Management login page]

Once you log in, you should see a dashboard like the one in the following image, which presents basic statistics about the WAF protection.

[Image: Management dashboard]

Clicking the Services tab lets you configure the WAF for the services it protects. For more details on configuring your Barracuda WAF, see their documentation. In the following example, an App Service app serving traffic on HTTP and HTTPS has been configured.

[Image: Management - add service]

Note

Depending on how your applications are configured and which features are being used in your App Service Environment, you need to forward traffic for TCP ports other than 80 and 443 as well (for example, if you have IP-based TLS set up for an App Service app).

Configuring Microsoft Azure Traffic Manager (OPTIONAL)

If your application is available in multiple regions, you can load balance them behind Azure Traffic Manager. To do so, add an endpoint in the Azure portal using the Cloud Service name of your WAF in the Traffic Manager profile, as shown in the following image.

[Image: Traffic Manager endpoint]

If your application requires authentication, ensure there is a resource that requires no authentication, so that Traffic Manager can probe the availability of your application. You can configure the probe URL on the Configuration page in the Azure portal, as shown in the following image:

[Image: Configure Traffic Manager]

To forward the Traffic Manager probes from your WAF to your application, set up Website Translations on your Barracuda WAF to forward the traffic to your application, as shown in the following example:

[Image: Website Translations]

Securing Traffic to the App Service Environment Using Network Security Groups (NSG)

Here is a sample PowerShell command that adds an NSG rule allowing inbound traffic on TCP port 80 only from the WAF, so that the App Service Environment does not accept web traffic from any other source:

Get-AzureNetworkSecurityGroup -Name "RestrictChinaEastAppAccess" | Set-AzureNetworkSecurityRule -Name "ALLOW HTTP Barracuda" -Type Inbound -Priority 201 -Action Allow -SourceAddressPrefix '191.0.0.1'  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '80' -Protocol TCP

Replace the SourceAddressPrefix with the Virtual IP Address (VIP) of your WAF's Cloud Service.

Note

The VIP of your Cloud Service changes when you delete and re-create the Cloud Service. Make sure to update the IP address in the Network Security Group rule once you do so.
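The NSG configuration of this section (the allow rule above for port 80, its HTTPS counterpart, binding the NSG to the App Service Environment subnet, and re-applying the rules after the WAF's VIP changes), as an added PowerShell example using the classic Azure cmdlets; it is not code from the original article. The NSG name and the placeholder VIP are taken from the command above; the region, virtual network name and subnet name are assumptions.

```powershell
# Added example; placeholder values are marked.
$nsgName    = "RestrictChinaEastAppAccess"   # NSG name from the command above
$location   = "China East"                   # placeholder: region of the virtual network
$vnetName   = "ase-vnet"                     # placeholder: virtual network that hosts the ASE
$subnetName = "ase-subnet"                   # placeholder: subnet the App Service Environment uses
$wafVip     = "191.0.0.1"                    # placeholder from the text: replace with the WAF Cloud Service VIP

# Creates or updates the two allow rules. Set-AzureNetworkSecurityRule replaces a rule
# with the same name, so re-running this with a new VIP is how the rules are updated
# after the WAF Cloud Service has been deleted and re-created.
function Set-AseWafRules {
    param([string]$NsgName, [string]$WafVip)
    $nsg = Get-AzureNetworkSecurityGroup -Name $NsgName
    $nsg | Set-AzureNetworkSecurityRule -Name "ALLOW HTTP Barracuda" -Type Inbound -Priority 201 -Action Allow `
        -SourceAddressPrefix $WafVip -SourcePortRange '*' -DestinationAddressPrefix '*' `
        -DestinationPortRange '80' -Protocol TCP
    $nsg | Set-AzureNetworkSecurityRule -Name "ALLOW HTTPS Barracuda" -Type Inbound -Priority 202 -Action Allow `
        -SourceAddressPrefix $WafVip -SourcePortRange '*' -DestinationAddressPrefix '*' `
        -DestinationPortRange '443' -Protocol TCP
    # No explicit deny is added: the NSG's built-in DENY ALL INBOUND rule (priority 65500)
    # already blocks every other source. Any inbound ports the App Service Environment
    # itself needs (see the ASE networking documentation) require their own allow rules,
    # which are not shown here.
}

# Creates the NSG, applies the rules and binds the NSG to the ASE subnet.
function New-AseWafNsg {
    param([string]$NsgName, [string]$Location, [string]$VirtualNetworkName, [string]$SubnetName, [string]$WafVip)
    New-AzureNetworkSecurityGroup -Name $NsgName -Location $Location -Label "Web traffic from the WAF only"
    Set-AseWafRules -NsgName $NsgName -WafVip $WafVip
    Set-AzureNetworkSecurityGroupToSubnet -Name $NsgName -VirtualNetworkName $VirtualNetworkName -SubnetName $SubnetName
}

# Shows the inbound rules in evaluation order so the WAF VIP and the built-in deny can be checked.
function Get-AseWafRules {
    param([string]$NsgName)
    (Get-AzureNetworkSecurityGroup -Name $NsgName -Detailed).Rules |
        Where-Object { $_.Type -eq 'Inbound' } |
        Sort-Object Priority |
        Select-Object Name, Priority, Action, SourceAddressPrefix, DestinationPortRange, Protocol
}

New-AseWafNsg -NsgName $nsgName -Location $location -VirtualNetworkName $vnetName `
    -SubnetName $subnetName -WafVip $wafVip
Get-AseWafRules -NsgName $nsgName | Format-Table -AutoSize

# After deleting and re-creating the WAF Cloud Service, apply the new VIP:
# Set-AseWafRules -NsgName $nsgName -WafVip "<new VIP>"
```

In the rule listing, the two Barracuda rules should appear with the current WAF VIP as their source ahead of the built-in deny; if the WAF's Cloud Service has been re-created and the listing still shows the old VIP, application traffic from the WAF is being dropped until Set-AseWafRules is run again with the new address.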