You can secure your web applications by creating a web application firewall (WAF) that uses the Local Traffic Manager™ (LTM®) and Application Security Manager™ (ASM™) modules. In Azure Security Center, the BIG-IP® VE instances are configured as a WAF for you, complete with traffic monitoring in Azure. The F5 WAF solution has more than 2600 signatures at its disposal to identify and block unwanted traffic.
When you secure your applications with an F5 WAF, all of the BIG-IP VE instances are Active (not Active-Standby) and are used together as a single WAF. The Azure load balancer distributes traffic across them, so the cluster provides redundancy and scalability rather than failover: if one instance goes down, Azure keeps load balancing to the others.
The configuration will look like the following diagram, with two separate Azure resource groups: one for your application, and one for the WAF.
As traffic passes through the WAF, alerts are sent to Azure about possible violations. The amount of traffic that is flagged depends on the security blocking level you choose when you create the WAF.
Before you secure web applications with an F5 WAF, you need a license from F5.
|Cores|Throughput|Minimum Azure Instance|
|---|---|---|
|4|200 Mbps|A3 Standard or D3_v2|
|8|1 Gbps|A4 or A7 Standard or D4_v2|
The security blocking level you choose when you create the WAF determines how much traffic the F5 WAF blocks and alerts on.
Attack signatures are rules that identify attacks on a web application and its components. The WAF has at least 2600 attack signatures available. The higher the security level you choose, the more of these signatures are enabled, and the more traffic they block.
|Security blocking level|Description|
|---|---|
|Low|The fewest attack signatures enabled. There is a greater chance of security violations reaching the web applications, but a lower chance of false positives.|
|Medium|A balance between logging too many violations and raising too many false positives.|
|High|The most attack signatures enabled. A large number of false positives may be recorded; you must correct these alerts for your application to function correctly.|
Traffic that is not blocked is used by the WAF for learning. Over time, the WAF may decide that a traffic pattern is safe and allow it through to the application, or decide that it is unsafe and block it.
You cannot change the security blocking level after you create the WAF, so be sure that you select the correct level.
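To make the tradeoff in the table concrete, here is a toy model of a signature-based WAF in which each blocking level enables signatures down to a minimum accuracy tier. This is an added example, not F5 code: the signatures, the accuracy tiers, the level-to-tier mapping and the request lines are all constructed for illustration and are far simpler than the ASM signature set. It shows why a higher level blocks more attacks but also flags legitimate requests, and why the level is worth choosing carefully before the WAF is created.

```python
"""Toy model of how a security blocking level selects attack signatures, and
what that does to blocked attacks versus false positives.

Added example, not F5 code: signatures, accuracy tiers, the level mapping and
the sample requests are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern
    accuracy: str  # "high", "medium" or "low": how likely a match is a real attack


# Constructed signatures. The low-accuracy ones match bare keywords, so they
# also fire on ordinary text in legitimate requests.
SIGNATURES = [
    Signature("sqli-union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "high"),
    Signature("xss-script-tag", re.compile(r"<script\b", re.I), "high"),
    Signature("path-traversal", re.compile(r"(\.\./){2,}"), "medium"),
    Signature("sqli-or-tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I), "medium"),
    Signature("sql-keyword-select", re.compile(r"\bselect\b", re.I), "low"),
    Signature("cmd-keyword", re.compile(r"\b(cat|ls)\b", re.I), "low"),
]

# Assumed mapping (not F5's): each level enables signatures down to a tier.
LEVELS = {
    "low": {"high"},
    "medium": {"high", "medium"},
    "high": {"high", "medium", "low"},
}


def enabled_signatures(level):
    return [s for s in SIGNATURES if s.accuracy in LEVELS[level]]


def inspect(request, level):
    """Names of enabled signatures that match; a non-empty list means 'block'."""
    return [s.name for s in enabled_signatures(level) if s.pattern.search(request)]


def evaluate(samples, level):
    """samples: (request_line, is_attack) pairs.
    Returns (blocked_attacks, missed_attacks, false_positives)."""
    blocked = missed = false_positives = 0
    for request, is_attack in samples:
        hit = bool(inspect(request, level))
        if is_attack and hit:
            blocked += 1
        elif is_attack:
            missed += 1
        elif hit:
            false_positives += 1
    return blocked, missed, false_positives


# Constructed request lines: five attacks and three legitimate requests.
SAMPLES = [
    ("GET /search?q=shoes' UNION SELECT username,password FROM users--", True),
    ("GET /profile?name=<script>alert(1)</script>", True),
    ("GET /static/../../../../etc/passwd", True),
    ("GET /login?user=admin' OR 1=1--", True),
    ("GET /files?name=;cat /etc/shadow", True),
    ("GET /kb/article?title=How to select a cat breed", False),
    ("GET /products?category=shoes&sort=price", False),
    ("POST /comments body=ls is a unix command", False),
]

if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        blocked, missed, fps = evaluate(SAMPLES, level)
        print(f"{level:>6}: blocked={blocked} missed={missed} false_positives={fps}")
```

Running it shows the shape of the table above: Low blocks only the two high-confidence attacks and nothing legitimate, Medium also catches the traversal and tautology but still misses the command-injection attempt, and High blocks every attack at the cost of two false positives on ordinary text containing "select", "cat" and "ls". With a real signature set the false positives at High are what you would have to tune out, request by request, for the application to keep working.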
|Setting|Description|
|---|---|
|Number of machines to deploy|The number of BIG-IP VE instances in the WAF cluster. Use 2 for redundancy (if one goes down, the other continues to process traffic).|
|Host|A short name for the WAF (not a fully qualified domain name). Remember this name; you will need it later.|
|Password|A strong password for the WAF. Remember this password; you will need it later.|
|Pricing tier|See the F5 WAF licensing and pricing tiers topic for more information.|
|Resource group|A resource group is a container for objects. Create a new resource group so that the WAF resources stay separate from your application resources.|
|Location|The location where the web application's resource group resides.|
|License token|The license token from the F5 licensing server.|
|Security Blocking level|How aggressively traffic is flagged as insecure and blocked. All applications behind the WAF use this level. The higher the level, the more traffic is blocked; the lower the level, the greater the chance that malicious traffic reaches your application. See the Security blocking levels topic for more information.|
|Application Type|The type of application you want to secure. All applications behind the WAF use signatures specific to this application type. If the exact application type you are using is not listed, choose something similar, or choose Generic.|
|Web Application Public IP|This value is populated from your web application configuration.|
|Internal server port|This value is populated from your web application configuration.|
|HTTP or HTTPS|If you choose HTTPS, you must provide an SSL certificate and its password, because the WAF terminates TLS in order to inspect the decrypted requests.|
|SSL Certificate|Required only if your app uses port 443.|
|Certificate password|Required only if your app uses port 443.|
The WAF is created behind an Azure load balancer. This example shows a WAF cluster of two BIG-IP® VEs.
Before you create an F5 WAF, DNS points to the public IP address in front of your web application, and traffic flows to your application servers through that IP address.
When you create a WAF, a new public IP address is created for it. This IP address is displayed in Azure.
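Once the WAF has its own public IP, the remaining step is to move DNS for the application from the original public IP to the new one, and to confirm that clients can no longer reach the application except through the WAF. The following check is an added example, not from the F5 or Azure documentation: it classifies the DNS cutover state from a list of resolved addresses and, as an assumption about how the origin should be configured, treats an original public IP that still accepts connections as a WAF bypass risk. The hostnames and IP addresses are constructed (RFC 5737 documentation ranges).

```python
"""Check a web application's DNS cutover from its original public IP to the
WAF's new public IP, and flag an origin IP that is still directly reachable.

Added example, not F5 or Azure code. IPs and names are constructed."""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class CutoverReport:
    status: str            # "not_started", "in_progress", "complete" or "unexpected"
    resolved: tuple        # addresses the name currently resolves to
    unexpected: tuple      # resolved addresses that are neither the old origin nor the WAF
    origin_exposed: bool   # True if the original public IP still accepts connections


def _sorted_ips(addrs):
    # IPv4 and IPv6 addresses do not compare with each other; sort by (version, bytes).
    return sorted(addrs, key=lambda a: (a.version, a.packed))


def classify_cutover(resolved, waf_ip, origin_ip):
    """Classify the DNS state from a list of resolved IPv4/IPv6 address strings.

    Returns (status, resolved_addresses, unexpected_addresses)."""
    waf = ipaddress.ip_address(waf_ip)
    origin = ipaddress.ip_address(origin_ip)
    addrs = {ipaddress.ip_address(a) for a in resolved}
    unexpected = tuple(str(a) for a in _sorted_ips(addrs - {waf, origin}))
    if unexpected or not addrs:
        status = "unexpected"        # a third party's IP, or no answer at all
    elif addrs == {waf}:
        status = "complete"
    elif addrs == {origin}:
        status = "not_started"
    else:                            # both old and new answers, e.g. while old TTLs expire
        status = "in_progress"
    return status, tuple(str(a) for a in _sorted_ips(addrs)), unexpected


def tcp_open(ip, port, timeout=2.0):
    """Live probe: True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def cutover_report(resolved, waf_ip, origin_ip, port=443, probe=tcp_open):
    """Combine the DNS classification with a reachability probe of the origin.

    Assumption: after cutover the original public IP should accept traffic only
    from the WAF, so a successful direct connection means the WAF can be skipped."""
    status, addrs, unexpected = classify_cutover(resolved, waf_ip, origin_ip)
    exposed = probe(origin_ip, port)
    return CutoverReport(status, addrs, unexpected, exposed)


def resolve_addresses(hostname):
    """Live lookup of the name's current A/AAAA records (not used offline)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


# Constructed values standing in for what Azure displays for the two IPs.
WAF_IP = "203.0.113.20"      # new public IP created for the WAF
ORIGIN_IP = "203.0.113.10"   # original public IP in front of the application

if __name__ == "__main__":
    # Offline demonstration with a captured resolver answer and a stubbed probe;
    # for a live check use resolve_addresses(hostname) and the default tcp_open.
    report = cutover_report(["203.0.113.10", "203.0.113.20"], WAF_IP, ORIGIN_IP,
                            probe=lambda ip, port: False)
    print(report)
```

Run the live variant from outside Azure (a client that should not have any privileged network path), and repeat it after the old DNS TTL has expired: a "complete" status with `origin_exposed=True` means DNS is right but the application still answers on its original address, so the WAF is not actually enforcing anything for a client that connects to that address directly.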