The rise of cloud computing – and Platform as a Service (PaaS) and Container as a Service (CaaS) offerings in particular – is changing the way companies deploy and operate their business applications. One of the most important challenges when designing cloud applications is choosing fully managed cloud services that reduce costs and time‑consuming operational tasks without compromising security.
This blog post shows you how to host applications on Microsoft Azure App Service and secure them with NGINX Plus to prevent attacks from the Internet.
Microsoft Azure App Service is an enterprise‑grade and fully managed platform that allows organizations to deploy web, API, and mobile apps in Microsoft Azure without managing the underlying infrastructure, as shown in Figure 1. Azure App Service provides the following main features:
With Azure App Service, Microsoft provides a rich and fast way to run web applications on the cloud. Indeed, developers can develop their applications locally using ASP.NET, Java, Node.js, PHP, and Python and easily deploy them to Azure App Service with Microsoft Visual Studio or the Azure CLI. DevOps teams can also benefit from Azure App Service’s continuous deployment feature to deploy application releases quickly and reliably on multiple environments.
Applications on Azure App Service can access other resources deployed on Azure or can establish connections over VPNs to on‑premises corporate resources.
Basically, an application created with Azure App Service is exposed directly to the Internet and assigned to a subdomain of azurewebsites.net. For more security, you can protect your app with SSL termination, or with authentication and authorization protocols such as OAuth2 or OpenID Connect (OIDC). However, it is not possible to customize the network with fine‑grained outbound and inbound security rules or apply middleware such as a web application firewall (WAF) to prevent malicious attacks or exploits that come from the Internet.
If you run sensitive applications in Azure App Service and want to protect them, you can use Azure App Service Environments (ASEs). An ASE is an isolated environment deployed into a virtual network and dedicated to a single customer’s applications. Thus, you gain more control over inbound and outbound application network traffic.
With ASEs you can deploy web, API, mobile, or functions apps inside a more secure environment at very high scale, as shown in Figure 2.
There are two versions of the ASE: ASE v1 and ASE v2. In this post we’re discussing ASE v2.
You can create a new ASE v2 manually by using the Azure Portal, or automatically by using Azure Resource Manager.
When creating a new ASE, you have to choose between two deployment types:
In the following example, we’re choosing an ILB ASE to prevent access from the Internet. Thus, applications deployed in our ASE are accessible only from virtual machines (VMs) running in the same network. The following two commands use Azure Resource Manager and the Azure CLI to provision a new ILB ASE v2:
$ azure config mode arm$ azure group deployment create my-resource-group my-deployment-name --template-uri https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/201-web-app-asev2-ilb-create/azuredeploy.json
If, on the other hand, you want your app to be reachable from the Internet, you have to protect it against malicious attackers that might attempt to steal sensitive information stored in your application.
To secure applications at Layer 7 in an ASE, you have two main choices:
(You can substitute a custom application delivery controller [ADC] with WAF capabilities, but we don’t cover that use case here.)
The choice of solution depends on your security constraints. On one hand, Azure Application Gateway provides a turnkey solution for security enforcement and doesn’t require you to maintain the underlying infrastructure. On the other hand, deploying NGINX Plus on VMs gives you a powerful stack with more control and flexibility to fine‑tune your security rules.
Choosing between Azure Application Gateway and NGINX Plus to load balance and secure applications created inside an ASE requires a good understanding of the features provided by each solution. While Azure Application Gateway works for simple use cases, for complex use cases it does not provide many features that come standard in NGINX Plus.
The following table compares support for load‑balancing and security features in Azure Application Gateway and NGINX Plus. More details about NGINX Plus features appear below the table.
Feature | Azure Application Gateway | NGINX Plus |
---|---|---|
Mitigation capability | Application layer (Layer 7) | Application layer (Layer 7) |
HTTP-aware | ✅ | ✅ |
HTTP/2-aware | ❌ | ✅ |
WebSocket-aware | ❌ | ✅ |
SSL offloading | ✅ | ✅ |
Routing capabilities | Simple decision based on request URL or cookie‑based session affinity | Advanced routing capabilities |
IP address-based access control lists | ❌ (must be defined at the web-app level in Azure) | ✅ |
Endpoints | Any Azure internal IP address, public Internet IP address, Azure VM, or Azure Cloud Service | Any Azure internal IP address, public Internet IP address, Azure VM, or Azure Cloud Service |
Azure Vnet support | Both Internet‑facing and internal (Vnet) applications | Both Internet‑facing and internal (Vnet) applications |
WAF | ✅ | ✅ |
Volumetric attacks | Partial | Partial |
Protocol attacks | Partial | Partial |
Application-layer attacks | ✅ | ✅ |
HTTP Basic Authentication | ❌ | ✅ |
JWT authentication | ❌ | ✅ |
OpenID Connect SSO | ❌ | ✅ |
As you can see, NGINX Plus and Azure Application Gateway both act as ADCs with Layer 7 load‑balancing features plus a WAF to ensure strong protection against common web vulnerabilities and exploits.
NGINX Plus provides several additional features missing from Azure Application Gateway:
For additional security, you can deploy Azure DDoS Protection to mitigate threats at Layers 3 and 4, complementing the Layer 7 threat‑mitigation features provided by Azure Application Gateway or NGINX Plus.
Figure 3 shows how to combine NGINX Plus and Azure App Service to provide a secure environment for running business applications in production. This deployment strategy uses NGINX Plus for its load balancing and WAF features.
The deployment combines the following components:
Azure App Service Environment – This sample deployment utilizes two sample web applications – Web App 1 and Web App 2 – to demonstrate how to secure and load balance different web apps with NGINX Plus. In NGINX Plus, you distribute requests to different web applications by configuring distinct upstream
blocks, and do content routing based on URI with location
blocks. The following shows the minimal NGINX Plus configuration that meets this goal (here all requests go to the same upstream group):
upstream backend { server IP-address-of-your-ASE-ILB;
}
server {
location / {
proxy_set_header Host $host;
proxy_pass http://backend;
}
}
Azure also supports resource groups as an easy way to group the Azure resources for an application in a logical manner. Using a resource group has no impact on infrastructure design and topology, and we don’t show them here.
An Azure VM scale set gives you the power of virtualization with the ability to scale at any time without having to buy and maintain the physical hardware that supports scaling. However, you are still responsible for maintaining the VM by performing tasks such as configuring, patching, security updating, and installing the software that runs on it.
In the architecture shown in Figure 4, NGINX Plus instances are deployed for active‑active high availability inside an Azure VM scale set. An active‑active setup is great because all of the NGINX Plus VMs can handle an incoming request routed by Azure Load Balancer, giving you cost‑efficient capacity.
With Azure VM scale sets, you can also easily set up autoscaling of NGINX Plus instances based on average CPU usage. You need to take care to synchronize the NGINX Plus config files in this case. You can use the NGINX Plus configuration sharing feature for this purpose, as described in the NGINX Plus Admin Guide.
By using Azure App Service for your cloud applications and NGINX Plus in front of your web apps, API, and mobile backends, you can load balance and secure these applications at a global scale. By using NGINX Plus in conjunction with Azure App Service, you get a fully load‑balanced infrastructure with a high level of protection against exploits and attacks from the web. This ensures a robust design to run critical applications in production in a secure way.
Web Apps overview (Microsoft)
Introduction to the App Service Environments (Microsoft)
Create an application gateway with a web application firewall using the Azure portal (Microsoft)
Compare features in NGINX Open Source and NGINX Plus (NGINX)
HTTP Load Balancing (NGINX)
Guest co‑author Cedric Derue is a Solution Architect and Microsoft MVP at Altran. Guest co‑author Vincent Thavonekham is Microsoft Regional Director and Azure MVP at VISEO.
"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous NGINX.com links will redirect to similar NGINX content on F5.com."