Azure Functions with Web Application Gateway & WAF
This article describes how to route traffic to an Azure Function App within a Microsoft Azure environment through a Web Application Gateway with a Web Application Firewall (WAF), so that the function can accept traffic from other Azure resources only through the gateway:
Allowing Azure Function Traffic via Web Application Gateway with WAF
Azure Functions is a serverless compute service that lets you run code on demand without provisioning or managing infrastructure. To securely expose an Azure Function to other Azure resources or to the internet, a common deployment places an Azure Web Application Gateway with a Web Application Firewall (WAF) in front of it as a front door.
Prerequisites
- An existing Azure Function App deployed in Azure
- An Azure Virtual Network with a subnet for the Web Application Gateway
- Access to the Azure portal or Azure CLI
Step 1: Create a Web Application Gateway
- In the Azure portal, create a new Web Application Gateway resource.
- Configure the gateway with the following settings:
  - Tier: WAF Enabled (choose the WAF_v2 SKU for the latest OWASP rule sets)
  - Virtual Network: Select your Virtual Network and subnet
  - Frontend IP Configuration: Create a new Public IP address
  - Backend Pool: Do not add any targets yet
Step 2: Configure WAF and Firewall Rules
- Under the Web Application Gateway settings, go to "Web Application Firewall" and configure the following:
  - Firewall Mode: Prevention
  - Rule Set: OWASP 3.2 (or latest available)
  - Configure any additional custom rules as needed
- Under "Frontend IP Configurations", note the Public IP address assigned.
Step 3: Configure Azure Function to Use Web Application Gateway
- In the Azure Function App, go to "Networking" > "Configure Access Restrictions".
- Select "Add Inbound IP Rule" and enter the Public IP address of the Web Application Gateway.
- This restricts the Azure Function App so that it accepts traffic only from the Web Application Gateway.
Step 4: Add Azure Function as Backend Pool in Web Application Gateway
- In the Web Application Gateway, go to "Backend Pools" and add a new backend pool.
- Add the Azure Function App as a target by specifying its hostname (e.g., myfunction.azurewebsites.net).
Step 5: Configure HTTP Settings and Listener
- Under "HTTP Settings", create a new HTTP setting with the following:
  - Backend Protocol: HTTP
  - Backend Port: 80 (or the port your Function App is listening on)
  - Override Backend Path: Leave blank
- Under "Listeners", create a new listener with the following:
  - Frontend IP: Select the Public IP address created earlier
  - Port: 80 (or desired port for HTTP traffic)
Step 6: Create a Routing Rule
- Under "Rules", create a new routing rule with the following:
  - Listener: Select the listener created in Step 5
  - Backend Target: Select the backend pool with the Azure Function App
  - HTTP Setting: Select the HTTP setting created in Step 5
Step 7: Test Connectivity
- Once the Web Application Gateway is deployed, test connectivity by sending requests to the Web Application Gateway's Public IP address, which forwards them to the Azure Function App.
- All traffic to the Azure Function App must now pass through the Web Application Gateway and its WAF rules.
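Step 3 is the control that prevents the WAF from being bypassed, so it is worth auditing after deployment rather than trusting the portal click. The following Python is an added example, not code from this article or from Microsoft: it assumes the rule list is shaped like the `ipSecurityRestrictions` array of a Function App's site config (as returned by the ARM API or `az functionapp config access-restriction show`), and every address in it is a constructed placeholder.

```python
import ipaddress

# Constructed sample shaped like a Function App's ipSecurityRestrictions array.
# Field names are assumed from the App Service site-config schema; the
# addresses are documentation ranges, not real resources.
SAMPLE_RULES = [
    {"name": "AllowAppGw", "ipAddress": "203.0.113.10/32", "action": "Allow", "priority": 100},
    {"name": "OldOfficeRange", "ipAddress": "198.51.100.0/24", "action": "Allow", "priority": 200},
    {"name": "Deny all", "ipAddress": "Any", "action": "Deny", "priority": 2147483647},
]


def audit_access_restrictions(rules, gateway_ip):
    """Return findings for an inbound rule set that should admit only the
    Application Gateway's public IP (Step 3). An empty list means the set is clean."""
    findings = []
    gw = ipaddress.ip_address(gateway_ip)
    gateway_allowed = False
    # Rules are evaluated in priority order (lower number first), like App Service does.
    for rule in sorted(rules, key=lambda r: r.get("priority", 2147483647)):
        name, addr = rule.get("name", "<unnamed>"), rule.get("ipAddress", "Any")
        if addr == "Any":
            if rule.get("action") == "Allow":
                findings.append(f"{name}: allows any source; the catch-all should be Deny")
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append(f"{name}: unparseable address {addr!r}")
            continue
        if rule.get("action") != "Allow":
            continue
        if gw in net:
            gateway_allowed = True
            if net.num_addresses != 1:
                findings.append(f"{name}: {addr} covers the gateway but is wider than a single host")
        else:
            findings.append(f"{name}: {addr} is not the Application Gateway; direct access bypasses the WAF")
    if not gateway_allowed:
        findings.append(f"no Allow rule for the Application Gateway IP {gateway_ip}")
    if not any(r.get("ipAddress") == "Any" and r.get("action") == "Deny" for r in rules):
        findings.append("no explicit 'Deny all' rule; confirm the default action is Deny")
    return findings


if __name__ == "__main__":
    for finding in audit_access_restrictions(SAMPLE_RULES, "203.0.113.10"):
        print("FINDING:", finding)
```

Feed it the JSON from the CLI command named in the lead-in to check a real Function App; any finding other than an empty list means a path to the function exists that does not traverse the WAF.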
By following these steps, you'll have securely exposed your Azure Function App to other Azure resources or the internet using a Web Application Gateway with a Web Application Firewall. The WAF will inspect and filter incoming traffic based on the configured OWASP rules, providing an additional layer of security for your serverless function.