Manual Chapter: Creating an F5 Web Application Firewall in Azure

Web application firewalls (WAFs) in Azure

You can secure your web applications by creating a web application firewall (WAF) that uses the Local Traffic Manager™ (LTM®) and Application Security Manager™ (ASM™) modules. In Azure Security Center, the BIG-IP® VE instances are configured as a WAF for you, complete with traffic monitoring in Azure. The F5 WAF solution has more than 2600 signatures at its disposal to identify and block unwanted traffic.

When you secure your applications with an F5 WAF, the BIG-IP VE instances are all Active (not Active-Standby) and operate together as a single WAF. This provides redundancy and scalability rather than failover: if one instance goes down, Azure keeps load balancing to the other.

The configuration will look like the following diagram, with two separate Azure resource groups: one for your application, and one for the WAF.

As traffic passes through the WAF, alerts are sent to Azure about possible violations. The amount of traffic that is flagged depends on the security blocking level you choose when you create the WAF.

F5 WAF instance types and pricing tiers

Before you secure web applications with an F5 WAF, you need a license from F5.

You choose the license and corresponding Azure instance based on the number of cores and throughput you need. The instances listed below are minimums; you can choose bigger instances if you want.
Cores   Throughput   Minimum Azure instance
2       25 Mbps      D2_v2
4       200 Mbps     A3 Standard or D3_v2
8       1 Gbps       A4 or A7 Standard or D4_v2
You select a pricing tier when you create the WAF.

Security blocking levels

The security blocking level you choose when you create the WAF determines how much traffic is blocked and alerted by the F5 WAF.

Attack signatures are rules that identify attacks on a web application and its components. The WAF has at least 2600 attack signatures available. The higher the security level you choose, the more traffic that is blocked by these signatures.

Level    Details
Low      The fewest attack signatures enabled. More possible security violations reach the web application, but false positives are less likely.
Medium   A balance between letting violations through and logging too many false positives.
High     The most attack signatures enabled. Many false positives may be recorded; you must resolve these alerts for your application to function correctly.

Traffic that is not blocked is also used by the WAF for learning. Over time, the WAF refines its view of which traffic is safe for the application (and continues to allow it through) and which traffic is unsafe (and blocks it).

You cannot change the security blocking level after you create the WAF, so be sure that you select the correct level.

Create an F5 WAF in Azure

Before you create a WAF, you need a web application hosted in Azure. This application must:
  • Have a public IP address
  • Have ports 80 and/or 443 open
  • Not use managed disks for storage
  • Be behind an Azure load balancer
When you have a web application hosted in Azure, you can create an F5 WAF to secure your application.
Important: If you make a mistake during this process, you will have to create another WAF, so be sure to select the correct settings.
  1. Log in to the Azure portal.
  2. In the left pane, click Browse > Security Center .
  3. Click the Recommendations chart.
  4. From the list of recommendations, select Add a web application firewall.
  5. From the list of applications, click the web application you want to secure.
  6. On the Add a Web Application Firewall blade, click Create New and then click F5 WAF Solution.
  7. At the bottom of the F5 WAF Solution blade, click Create.
  8. Complete the fields on the VM Configuration blade.
    Number of machines to deploy: The number of machines in the WAF cluster. Use 2 for redundancy (if one goes down, the other continues to process traffic).
    Host: A short name for the WAF (not a fully qualified domain name). Remember this name; you will need it later.
    Password: A strong password for the WAF. Remember this password; you will need it later.
    Pricing tier: See the F5 WAF instance types and pricing tiers topic for more information.
    Resource group: A resource group is a container for objects. Create a new resource group so that the WAF resources stay separate from your application resources.
    Location: The location where the web application's resource group resides.
  9. You cannot change the Subscription because it is associated with the application.
  10. Click OK.
  11. Complete the WAF Information blade.
    License token: The license token from the F5 licensing server.
    Security Blocking level: How aggressively traffic is flagged as unsafe and blocked. All applications behind the WAF use this level. The higher the level, the more traffic is blocked; the lower the level, the greater the chance that unsafe traffic reaches your application. See the Security blocking levels topic for more information.
    Application Type: The type of application you want to secure. All applications behind the WAF use signatures specific to this application type. If the exact application type you are using is not listed, choose something similar, or choose Generic.
    Web Application Public IP: Populated from your web application configuration.
    Internal server port: Populated from your web application configuration.
    HTTP or HTTPS: If you choose HTTPS, you must provide an SSL certificate and its password.
    SSL Certificate: Required only if your application uses port 443 (HTTPS).
    Certificate password: Required only if your application uses port 443 (HTTPS).
  12. Click Create.

The WAF is created behind an Azure load balancer. This example shows a WAF cluster of two BIG-IP® VEs.

Find the WAF IP address

Before you create an F5 WAF, DNS points to the public IP address in front of your web application, and traffic flows to your application servers through that IP address.

When you create a WAF, a new public IP address is created for it. This IP address is displayed in Azure.

  1. In the Azure portal, in the left pane, click Browse > Security Center .
  2. In the Prevention area, on the Resource security health widget, click Applications.
  3. On the Applications blade, click the name of the web application.
    The blade that opens displays the WAF name and IP address, along with the web application name and IP address.
Next, browse to the WAF public IP address to confirm that your application is reachable through it before you change DNS.

Send traffic through the WAF to the web application

Before you start this task, confirm that traffic is flowing through the WAF to your web application.
To send all traffic to the new WAF public IP address, you update DNS to point to the WAF public IP address, and then finalize the WAF in Azure.
  1. In the Azure portal, in the left pane, click Browse > Security Center .
  2. Click the Recommendations chart.
  3. From the list of recommendations, select Finalize web application firewall setup.
  4. Select the web application.
    The WAF's public IP address is displayed.
  5. Update the DNS record for your web application to point to the WAF's public IP address.
  6. Select the I updated my DNS record check box.
  7. Click Restrict traffic.
Internet traffic now passes through BIG-IP® VE to your web application. Firewall rules now prevent internet traffic from reaching your application servers directly; only traffic that has passed through the WAF is allowed.
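The two checks the procedure asks for, confirming that the WAF IP serves the application (Find the WAF IP address) and that after the DNS change and Restrict traffic step the old application IP no longer answers directly, can be scripted. The following is an added example, not code from the F5 manual or from Azure: it resolves the application's public DNS name, sends a benign GET through the WAF IP with the application's Host header, and sends the same GET to the old application IP, which should now be unreachable. The hostname and IP addresses are placeholders, the check uses plain HTTP on port 80 (adapt the probe for an HTTPS-only application), and the resolver and probe are injectable so the logic can be exercised offline.

```python
"""Cutover checks for an F5 WAF in Azure (added example, not from the F5 manual).

After you update DNS and click Restrict traffic, this confirms that:
  1. the application's public DNS name resolves only to the WAF public IP,
  2. the application answers when requested through the WAF IP,
  3. the old application public IP no longer answers directly.
Hostname and IP addresses passed on the command line are placeholders you
replace with your own; the resolver and probe are injectable for testing.
"""
import socket
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]
Prober = Callable[[str, str], int]


def default_resolve(hostname: str) -> List[str]:
    """IPv4 addresses the local resolver currently returns for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def default_probe(ip: str, hostname: str, port: int = 80, timeout: float = 5.0) -> int:
    """GET http://<ip>:<port>/ with the application's Host header.

    Returns the HTTP status code (an error status such as 403 still means
    something answered), or 0 when the connection is refused or times out.
    """
    req = urllib.request.Request(f"http://{ip}:{port}/", headers={"Host": hostname})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return 0


def verify_cutover(hostname: str, waf_ip: str, app_ip: str,
                   resolve: Resolver = default_resolve,
                   probe: Prober = default_probe) -> Dict[str, bool]:
    """Run the three checks; each result is True when the check passed."""
    resolved = resolve(hostname)
    status_via_waf = probe(waf_ip, hostname)
    status_direct = probe(app_ip, hostname)
    return {
        # DNS must point at the WAF and nowhere else (no stale record left).
        "dns_points_to_waf": resolved == [waf_ip],
        # A benign GET through the WAF should succeed (2xx or 3xx).
        "app_reachable_via_waf": 200 <= status_via_waf < 400,
        # After Restrict traffic, the old application IP must not answer.
        "direct_access_blocked": status_direct == 0,
    }


def cutover_ok(findings: Dict[str, bool]) -> bool:
    """True only when every check passed."""
    return all(findings.values())


if __name__ == "__main__":
    # Usage: python waf_cutover_check.py app.example.com <WAF public IP> <old app public IP>
    host, waf, app = sys.argv[1:4]
    results = verify_cutover(host, waf, app)
    for name, passed in results.items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
    sys.exit(0 if cutover_ok(results) else 1)
```

Run it once before clicking Restrict traffic (expect direct_access_blocked to fail, the other two to pass) and again afterwards (expect all three to pass). A 403 through the WAF on a plain GET / is reported as a failure on purpose: it means the WAF is blocking benign traffic and the blocking level or signatures need attention before DNS is cut over.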

Automatically update signatures

When you first create the WAF, the process installs the latest signatures. After that, signatures are not updated automatically; you must change the update settings in BIG-IP® VE so that the WAF keeps using the latest signatures.
  1. In the Azure portal, in the left pane, click Browse > Security Center .
  2. In the Prevention area, click the Partner solutions widget.
  3. Click the name of the WAF.
  4. Click the Solution console button.
    The BIG-IP Configuration utility opens in a new browser tab.
  5. Log in to the BIG-IP Configuration utility with the username azureuser and the password you specified when you created the WAF.
  6. On the Main tab, click Security > Security Updates > Application Security .
  7. For the Update Mode setting, click Scheduled.
  8. Select the update interval and click Save Settings.
Signatures are now updated at the interval you specified.