
Hardened Web App

This example scenario describes how to set up an Azure Web App within a network environment that enforces strict policies regarding inbound and outbound network flows. In such cases, the Web App may not be directly exposed to the internet but will instead require all traffic to go through an Azure Firewall or third-party network virtual appliance.

The example shows a scenario in which a web application is protected by Azure Front Door and an Azure Firewall, and connects securely to an Azure SQL Database.

The solution is comprised of several Bicep files that deploy the required infrastructure.

The main.bicep file deploys the base infrastructure using Bicep modules from the following files:

  • network.bicep
  • webapp.bicep
  • firewall.bicep
  • sql.bicep
  • frontdoor.bicep
  • routetable.bicep

  1. Install Bicep and deploy main.bicep using either Azure PowerShell or Azure CLI. The Bicep file has pre-configured parameters for deploying all resources.

For example, using Azure PowerShell:

New-AzResourceGroupDeployment -ResourceGroupName [resourceGroupName] -Name [deploymentName] -TemplateFile .\main.bicep

You will be asked to provide the parameters customBackendFqdn and sqladministratorLoginPassword upon deployment.

  2. Take note of the Public IP Address assigned to the Azure Firewall after creation. The IP is also provided as output of the deployment of main.bicep.

Public IP

  3. Take note of the Custom Domain Verification ID of the Web App you just created. The Custom Domain Verification ID is also provided as output of the deployment of main.bicep.

Custom Domain Verification ID

  4. Take note of the Azure SQL Server name you just created. The FQDN of the Azure SQL Server is also provided as output of the deployment of main.bicep.

SQL Server name

  5. Sign in to the website of your domain provider.

NOTE Every domain provider has its own DNS records interface, so consult the provider's documentation. Look for areas of the site labeled Domain Name, DNS, or Name Server Management. Often, you can find the DNS records page by viewing your account information and then looking for a link such as My domains. Go to that page, and then look for a link that's named something like Zone file, DNS Records, or Advanced configuration.

  6. Create an A record pointing your custom FQDN to the Azure Firewall Public IP you just obtained.

The following screenshot is an example of a DNS records page with the A record created:

DNS records page


NOTE If you like, you can use Azure DNS to manage DNS records for your domain and configure a custom DNS name for Azure App Service. For more information, see Tutorial: Host your domain in Azure DNS.

  7. Create a TXT record with the Custom Domain Verification ID of the Web App you just deployed. This allows you to reuse the custom FQDN you just created an A record for and add it to the Web App in the following steps.

The TXT record must be created in the format asuid.<subdomain>. For example, if your custom FQDN is backend.contoso.com, you would create the record:

asuid.backend.contoso.com TXT [DOMAIN VERIFICATION ID]

For more information, see Tutorial: Map an existing custom DNS name to Azure App Service - Create the DNS records

The following screenshot is an example of a DNS records page with the TXT record created:

DNS records page
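As an added example (not code from the hardened-webapp repository), the following Python script derives the two records that steps 6 and 7 require from the custom FQDN, the Azure Firewall public IP and the Custom Domain Verification ID, and then compares them against a record set exported from the domain provider. The (name, type, value) tuple layout of the export, and all IPs, IDs and hostnames in it, are constructed for illustration; the sample export deliberately places the TXT record at the zone apex instead of at asuid.<subdomain>, which is a common mistake the check catches.

```python
"""Derive and check the DNS records needed before mapping the custom domain.

Added example, not part of the hardened-webapp repository. All sample
values below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (name, type, value)


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive; strip whitespace, a trailing dot, and lowercase."""
    return name.strip().rstrip(".").lower()


def required_records(custom_fqdn: str, firewall_ip: str, verification_id: str) -> List[Record]:
    """Return the A and asuid TXT records the App Service custom-domain flow needs."""
    fqdn = normalize_name(custom_fqdn)
    if "." not in fqdn:
        raise ValueError("custom FQDN must contain at least one label below the zone")
    # The A record must send clients to the firewall's public IP, not to the Web App.
    ipaddress.IPv4Address(firewall_ip)  # raises ValueError if it is not an IPv4 literal
    return [
        (fqdn, "A", firewall_ip),
        # App Service looks for the verification ID at asuid.<custom fqdn>.
        ("asuid." + fqdn, "TXT", verification_id),
    ]


def check_records(provider_records: List[Record], expected: List[Record]) -> Dict[str, str]:
    """Compare the provider's records with the expected ones.

    Returns '<type> <name>' -> 'ok' | 'missing' | 'mismatch: <values found>'.
    """
    index: Dict[Tuple[str, str], List[str]] = {}
    for name, rtype, value in provider_records:
        key = (normalize_name(name), rtype.strip().upper())
        # Providers often export TXT values wrapped in quotes; compare the bare value.
        index.setdefault(key, []).append(value.strip().strip('"'))
    result: Dict[str, str] = {}
    for name, rtype, value in expected:
        label = f"{rtype} {name}"
        found = index.get((name, rtype))
        if not found:
            result[label] = "missing"
        elif value in found:
            result[label] = "ok"
        else:
            result[label] = "mismatch: " + ", ".join(found)
    return result


# Constructed sample values (not real resources).
CUSTOM_FQDN = "backend.contoso.com"
FIREWALL_IP = "203.0.113.10"
VERIFICATION_ID = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"

# Constructed provider export: the TXT record was created at the zone apex
# (asuid.contoso.com) instead of asuid.backend.contoso.com.
PROVIDER_EXPORT: List[Record] = [
    ("backend.contoso.com.", "A", "203.0.113.10"),
    ("asuid.contoso.com", "TXT", '"' + VERIFICATION_ID + '"'),
]


def run_check() -> Dict[str, str]:
    """Check the constructed export against the records the scenario requires."""
    expected = required_records(CUSTOM_FQDN, FIREWALL_IP, VERIFICATION_ID)
    return check_records(PROVIDER_EXPORT, expected)


if __name__ == "__main__":
    for label, status in run_check().items():
        print(f"{label}: {status}")
```

Running the script reports the A record as ok and the TXT record as missing, because asuid.contoso.com is not the name App Service queries for backend.contoso.com; fix the record name at the provider before proceeding to step 8.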

  8. Map the custom domain to the Web App you just created. For more information, see Tutorial: Map an existing custom DNS name to Azure App Service - Get a domain verification ID

  9. Upload an SSL certificate matching your custom FQDN to your Web App. For more information, see Tutorial: Secure a custom DNS name with a TLS/SSL binding in Azure App Service

  10. Your Web App should now be reachable via the public FQDN of the Azure Front Door instance.

Optional Steps

  1. If you'd like, you can also bind a custom FQDN to Azure Front Door and configure HTTPS for the custom domain.

  2. You can verify that connectivity from the Web App to the Azure SQL Server is happening over a private channel by creating a Virtual Machine in the same Virtual Network used for the scenario.

    • Log into the Virtual Machine and browse to https://<webappname>.scm.azurewebsites.net where you will access the Kudu diagnostic console
    • Log in and in the top bar click on Debug console --> CMD
    • Type the command nameresolver <sqlname>.database.windows.net, using the Azure SQL Server name you retrieved in Step 4.

You should see that the Azure SQL Server instance name is being resolved with a private IP.

The following screenshot is an example of DNS resolution of the Azure SQL Server instance from the Kudu console:

Kudu console

  3. You can also verify that outbound traffic from the Web App is going through the Azure Firewall by typing the following command in the Kudu console:
    • curl -s ifconfig.co

The output should match the public IP address of the Azure Firewall you retrieved in Step 2.

The following screenshot is an example from the Kudu console:

Kudu console
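The two checks in the optional steps above, expressed as an added Python example (not code from the hardened-webapp repository) that can be run against pasted Kudu console output: the SQL Server name must resolve to an RFC 1918 address (optionally inside the scenario's VNet range), and the egress IP reported by curl must equal the Azure Firewall's public IP. The console outputs, VNet range and IP addresses below are constructed, and the nslookup-style layout assumed for the nameresolver output (resolver lines first, then a "Name:" line followed by the answer addresses) is an assumption, not something the page documents.

```python
"""Verify private SQL resolution and firewall egress from Kudu console output.

Added example, not part of the hardened-webapp repository. Sample outputs
and addresses are constructed; the nameresolver layout is assumed.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# RFC 1918 ranges; checked explicitly rather than via IPv4Address.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def answer_addresses(output: str) -> List[ipaddress.IPv4Address]:
    """Collect IPv4 addresses that appear after the 'Name:' line.

    Addresses before that line belong to the resolver itself (for example
    Azure's 168.63.129.16), not to the answer, so they are skipped.
    """
    addrs: List[ipaddress.IPv4Address] = []
    in_answer = False
    for line in output.splitlines():
        if line.strip().lower().startswith("name:"):
            in_answer = True
            continue
        if in_answer:
            for literal in IPV4.findall(line):
                try:
                    addrs.append(ipaddress.IPv4Address(literal))
                except ValueError:
                    pass  # the regex also matches octets above 255
    return addrs


def check_private_resolution(output: str, vnet_cidr: Optional[str] = None) -> Tuple[bool, str]:
    """True if every answer address is RFC 1918 (and inside vnet_cidr, if given)."""
    addrs = answer_addresses(output)
    if not addrs:
        return False, "no addresses found in the answer section"
    vnet = ipaddress.ip_network(vnet_cidr) if vnet_cidr else None
    for addr in addrs:
        if not is_rfc1918(addr):
            return False, f"{addr} is a public address: SQL traffic would leave the VNet"
        if vnet is not None and addr not in vnet:
            return False, f"{addr} is private but outside {vnet}"
    return True, "resolved to " + ", ".join(str(a) for a in addrs)


def check_egress_ip(curl_output: str, firewall_ip: str) -> Tuple[bool, str]:
    """True if the egress IP reported by curl equals the firewall's public IP."""
    text = curl_output.strip()
    try:
        seen = ipaddress.IPv4Address(text)
    except ValueError:
        return False, "curl output is not an IPv4 address: " + text[:40]
    if seen == ipaddress.IPv4Address(firewall_ip):
        return True, f"egress via firewall {seen}"
    return False, f"egress IP {seen} is not the firewall ({firewall_ip})"


# Constructed scenario: VNet 10.0.0.0/16, firewall public IP 203.0.113.10.
FIREWALL_IP = "203.0.113.10"
VNET_CIDR = "10.0.0.0/16"

# Constructed nameresolver output (nslookup-style layout assumed).
NAMERESOLVER_PRIVATE = """Server: 168.63.129.16
Address: 168.63.129.16

Non-authoritative answer:
Name: sqlhardened.database.windows.net
Addresses: 10.0.2.4
Aliases: sqlhardened.privatelink.database.windows.net
"""

# Same output, but the answer is a public address (private endpoint DNS not in effect).
NAMERESOLVER_PUBLIC = NAMERESOLVER_PRIVATE.replace("10.0.2.4", "198.51.100.23")

if __name__ == "__main__":
    print(check_private_resolution(NAMERESOLVER_PRIVATE, VNET_CIDR))
    print(check_private_resolution(NAMERESOLVER_PUBLIC, VNET_CIDR))
    print(check_egress_ip("203.0.113.10\n", FIREWALL_IP))
    print(check_egress_ip("198.51.100.7\n", FIREWALL_IP))
```

A public answer from nameresolver means the Web App is not using the private endpoint's DNS zone and SQL traffic would leave the VNet; an egress IP other than the firewall's means the route table is not forcing the Web App's outbound traffic through the Azure Firewall.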

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Legal Notices

Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file, and grant you a license to any code in the repository under the MIT License, see the LICENSE-CODE file.

Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.

Privacy information can be found at https://privacy.microsoft.com/en-us/

Microsoft and any contributors reserve all other rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.
