Azure-docs: WAF for Azure Functions

Created on 21 Sep 2020 · 7 Comments · Source: MicrosoftDocs/azure-docs

From this section I get the impression that WAF for Azure Functions requires an ASE or private endpoint:
https://docs.microsoft.com/en-us/azure/azure-functions/security-baseline#14-deny-communications-with-known-malicious-ip-addresses

However - from this section I get the impression that Service Endpoints could be used to deploy an App Gateway and a WAF in front of my function. Is that true?
https://docs.microsoft.com/en-us/azure/app-service/networking/app-gateway-with-service-endpoints



Pri2 app-servicsvc cxp doc-enhancement triaged


All 7 comments

Hi @AndreasLudviksen. WAF can be deployed in front of Azure Functions in both ASE and multi-tenant. The difference is the way traffic is secured between WAF and the Function App. With (ILB) ASE the workers are deployed in your vNet and traffic must explicitly be allowed inbound from the internet (typically through a WAF). With multi-tenant you can use the built-in access restrictions in App Service to block all but traffic coming from WAF. This can be done with IP-filter, Service endpoint and Private endpoint.
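The multi-tenant option above relies on the App Service access restriction list being configured so that only the WAF's source (the App Gateway subnet via service endpoint, or its IP range) is allowed. The script below is an added example, not code from the thread or from the docs, that audits an exported restriction list for the misconfigurations that would let traffic bypass the WAF: the default allow-all rule, an allow rule for an unexpected subnet, or an allow rule for an IP range that is not the WAF. It assumes the JSON shape returned by `az functionapp config access-restriction show` (field names `ipSecurityRestrictions`, `action`, `ipAddress`, `vnetSubnetResourceId`, `priority`, `name`); the two sample configurations and the subnet resource ID are constructed placeholders.

```python
"""Audit App Service / Azure Functions access restrictions (added example).

Assumption: the input has the shape of
`az functionapp config access-restriction show -g <rg> -n <app>`.
The sample configs below are constructed, not exported from a real app.
"""
import json

# Constructed: the unconfigured default. App Service exposes this as a single
# "Allow Any" rule, meaning the function app answers to the whole internet.
OPEN_CONFIG = json.loads("""{
  "ipSecurityRestrictions": [
    {"action": "Allow", "ipAddress": "Any", "name": "Allow all", "priority": 2147483647}
  ]
}""")

# Constructed placeholder resource ID for the Application Gateway subnet.
APPGW_SUBNET = ("/subscriptions/<subscription-id>/resourceGroups/rg-waf/providers/"
                "Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-appgw")

# Constructed: locked to the App Gateway subnet (service endpoint), deny all else.
LOCKED_CONFIG = {
    "ipSecurityRestrictions": [
        {"action": "Allow", "priority": 100, "name": "appgw-subnet",
         "vnetSubnetResourceId": APPGW_SUBNET},
        {"action": "Deny", "ipAddress": "Any", "name": "Deny all", "priority": 2147483647},
    ]
}


def audit_access_restrictions(config, allowed_subnet_ids, allowed_ip_ranges=()):
    """Return a list of findings. An empty list means every Allow rule matches
    a known WAF source (subnet resource ID or IP range) and nothing is open."""
    rules = sorted(config.get("ipSecurityRestrictions") or [],
                   key=lambda r: r.get("priority", 0))
    allowed_subnets = {s.lower() for s in allowed_subnet_ids}
    allowed_ips = set(allowed_ip_ranges)
    findings = []

    allow_rules = [r for r in rules if str(r.get("action", "")).lower() == "allow"]
    # An empty list is not "deny all": App Service treats it as unrestricted.
    if not allow_rules:
        findings.append("no Allow rules: App Service treats an empty list as allow-all")

    for rule in allow_rules:
        name = rule.get("name", "<unnamed>")
        subnet = rule.get("vnetSubnetResourceId")
        ip = rule.get("ipAddress")
        if ip == "Any":
            findings.append(f"rule '{name}' allows Any: the app is reachable without passing the WAF")
        elif subnet:
            # Service-endpoint style rule: only the gateway subnet should appear.
            if subnet.lower() not in allowed_subnets:
                findings.append(f"rule '{name}' allows unexpected subnet {subnet}")
        elif ip:
            # IP-filter style rule: only the WAF's frontend range should appear.
            if ip not in allowed_ips:
                findings.append(f"rule '{name}' allows IP range {ip} that is not a known WAF address")
        else:
            findings.append(f"rule '{name}' has neither ipAddress nor vnetSubnetResourceId")
    return findings


if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG), ("locked", LOCKED_CONFIG)):
        print(label, audit_access_restrictions(cfg, [APPGW_SUBNET]) or "OK")
```

Run it against the output of `az functionapp config access-restriction show` piped to a file; a non-empty findings list means the WAF can be bypassed by going straight to the `*.azurewebsites.net` hostname. The audit deliberately treats the absence of rules as a finding, because App Service only adds its implicit deny once at least one Allow rule exists.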

@madsd Thank you.

Please update this section then, since it is no longer correct:

Introduction of a WAF requires either an App Service Environment or use of Private Endpoints (Preview).

From here:
https://docs.microsoft.com/en-us/azure/azure-functions/security-baseline#14-deny-communications-with-known-malicious-ip-addresses

@AndreasLudviksen through the lens of the Security Baseline it might be. The document you are referring to is the general security baseline and may have selected a subset of ways to communicate with WAF. With ASE and Private endpoint you have to explicitly route traffic through the WAF, as all public traffic is blocked by default. With the other options you have to actively block all other traffic not originating from WAF. This may fall short of the specific guidelines in the security baseline.

@AndreasLudviksen @souravmishra-msft You may want to ask for a change in the security baseline doc, or an explicit mention that there are other ways of connecting to WAF but that they are not validated according to the security baseline. The article on app gateway with service endpoints that I wrote is still correct and should not be modified.

@AndreasLudviksen, we really appreciate you taking the time to share your valuable feedback. As madsd mentioned, since the changes are not a specific enhancement to this doc, we could close this issue out. If you wish, please raise a thread/feedback directly under the Azure Functions security baseline doc for tracking and relevancy.

@AndreasLudviksen Thanks for the input :smiley: - let me know if you need more info from me

Got it. Thanks for taking the time guys.
