Hi, we would like to use a WAF to manage exploits and vulnerabilities for the Static Web App. We need to do common things like IP restrictions, bot detection and other common rules. Reference: What are the recommendations for this use case? I thank you for your time.
Hey @ozkary, As you mentioned above, you can use an Azure App Gateway and add the default hostname (or custom domain, but note you will need to add it to the app gateway) as a backend in the backend pools section. Similarly, Azure Front Door also has a WAF option at the edge: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview. You can also specify the default hostname as the backend pool in this scenario. The remaining question you might have is "how do I lock down traffic from my WAF to my SWA?" For this we have an improvement coming in the next few weeks :)
You can now lock down traffic from Application Gateway to your static web app using IP restrictions. You'll also want to configure the allowed forwarded hosts with the domains configured on Application Gateway.
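The lock-down described in the reply about IP restrictions and allowed forwarded hosts, as an added example that is not part of the original thread: a `staticwebapp.config.json` fragment that accepts traffic only from the gateway's address and honours `X-Forwarded-Host` only for the gateway's domain. The IP range `203.0.113.10/32` and the hostname `www.example.com` are placeholders (assumptions); substitute the Application Gateway's public IP and the domains configured on it.

```json
{
  "networking": {
    "allowedIpRanges": [
      "203.0.113.10/32"
    ]
  },
  "forwardingGateway": {
    "allowedForwardedHosts": [
      "www.example.com"
    ]
  }
}
```

With this in place, a request sent directly to the app's default hostname from any other address should be refused, which is a quick check that the WAF cannot be bypassed.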