Manual Chapter: Creating an F5 Web Application Firewall in Azure

Web application firewalls (WAFs) in Azure

You can secure your web applications by creating a web application firewall (WAF) that uses the Local Traffic Manager™ (LTM®) and Application Security Manager™ (ASM™) modules. In Azure Security Center, the BIG-IP® VE instances are configured as a WAF for you, complete with traffic monitoring in Azure. The F5 WAF solution has more than 2600 signatures at its disposal to identify and block unwanted traffic.

When you secure your applications by using an F5 WAF, the BIG-IP VE instances are all in Active status (not Active-Standby), and are used as a single WAF, for redundancy and scalability, rather than failover. If one WAF goes down, Azure will keep load balancing to the other.

This WAF deployment is semi-automatic. In an automatic deployment, Azure Security Center discovers your application and configures ports, IP addresses, and protocols automatically. A semi-automatic deployment is more flexible: you can configure the networking for your application, and because of this, Platform as a Service (PaaS) is supported.

For example, if you are using a PaaS solution, like an Azure App Service Environment application or App Service Plan application, the deployment would look something like this:

If you use the WAF with IaaS (virtual machines), the diagram is slightly different.

In both cases, as traffic passes through the WAF, alerts are sent to Azure about possible violations. The amount of traffic that is flagged depends on the security blocking level you choose when you create the WAF.

F5 WAF instance types and pricing tiers

When you secure web applications with an F5 WAF, you must choose an Azure instance type.

The following instances are recommended minimums; you can choose bigger instances if you want.
Cores | BIG-IP VE Throughput (Hourly Only) | Minimum Azure Instance
2     | 25 Mbps                            | Standard_D2_v2, Standard_DS2_v2
4     | 200 Mbps                           | Standard_A3 or Standard_D3_v2, Standard_DS3_v2
8     | 1 Gbps                             | Standard_A4, Standard_A7, or Standard_D4_v2, Standard_DS4_v2

Security blocking levels

The security blocking level determines how much traffic is blocked and alerted by the F5 WAF.

Attack signatures are rules that identify attacks on a web application and its components. The WAF has at least 2600 attack signatures available. The higher the security level you choose, the more traffic that is blocked by these signatures.

Level  | Details
High   | The most attack signatures enabled. A large number of false positives may be recorded; you must correct these alerts for your application to function correctly.
Medium | A balance between logging too many violations and too many false positives.
Low    | The fewest attack signatures enabled. There is a greater chance of possible security violations making it through to the web applications, but a lesser chance of false positives.
Off    | Violations are logged but no traffic is blocked.
Custom | If you have an ASM security policy, you can upload it. For more information, see https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/33.html#unique_697805654.

For all levels except Custom, the WAF learns from traffic that is not blocked. Over time, if the WAF determines that traffic is safe, it allows it through to the application. Alternatively, the WAF can determine that traffic is unsafe and block it from the application.

Where to deploy from

Depending on the Azure environment where your applications are running, and the F5 license you have, you must deploy your WAF from either the Azure Marketplace or the Azure Security Center (ASC).

Azure Environment       | F5 License | Deploy From                 | Notes
App Service Environment | BYOL       | Azure Security Center (ASC) |
App Service Plan        | BYOL       | Azure Marketplace           | No logging will show in ASC
IaaS (virtual machine)  | BYOL       | Azure Security Center (ASC) |
App Service Environment | Hourly     | Azure Marketplace           | No logging will show in ASC
App Service Plan        | Hourly     | Azure Marketplace           | No logging will show in ASC
IaaS (virtual machine)  | Hourly     | Azure Marketplace           | No logging will show in ASC

Create an F5 WAF from Azure Security Center

Before you create a WAF, you need a web application hosted in Azure, with a public IP address and ports 80 and/or 443 open. When the application is hosted in Azure, messages sent from the BIG-IP VE firewall will be displayed in Azure Security Center.
Create an F5 WAF to secure your application. Web applications can be hosted on Azure virtual machines (IaaS) or the Azure App Service (PaaS).
Note: The following steps are for a deployment from the Azure Security Center. You may need to deploy from the Azure Marketplace instead; see the Where to deploy from topic for details.
  1. Log in to the Azure portal, portal.azure.com.
  2. In the left pane, click Browse > Security Center.
  3. Click the Recommendations widget.
  4. From the list of recommendations, select Add a web application firewall.
  5. From the list of applications, click the web application you want to secure.
  6. On the Add a Web Application Firewall blade, click Create New and then click F5 Networks.
  7. On the Choose package blade, click F5 Networks Semi-automatically provisioned.
  8. At the bottom of the F5 WAF Solution blade, click Create.
  9. Complete the fields on the Basics blade and click OK.
  10. Complete the fields on the Infrastructure Settings blade.
    Option | Description
    Deployment Name | A unique name that you haven't used for previous deployments.
    F5 WAF Username | The username you will use to access BIG-IP VE.
    F5 WAF Password | Use a strong password. You will need this if you want to connect to BIG-IP VE.
    Number of WAFs | Choose two WAFs for increased bandwidth.
    License Token | The license key from F5.
    Licensed Bandwidth | Throughput is limited to the threshold you choose.
    Storage Account | Choose a new or existing storage account. Both standard and premium storage are supported.
    Virtual machine size | A list of sizes recommended for the selected storage account type is displayed.
    Public IP address | Select a new or existing public IP address.
    Domain name label | The BIG-IP will be accessible by a name like F5WAF.westus.cloudapp.azure.com. The label you enter will be the first part of the name.
    Virtual network | Select a new or existing virtual network.
    Subnets | For the Subnet address prefix, ensure that there are available IP addresses to be used for the BIG-IP VE instances.
    Restricted source network or address | The IP address or range of addresses that can access the BIG-IP Configuration utility.
  11. Click OK.
  12. Complete the Application Settings blade. The fields you must complete are based on the application protocol you select.
    Option | Description
    Application Protocol | The protocol used to connect to your application.
    Application Address | The public IP address or fully qualified domain name of the application; for Azure App Services, use the Azure App Service subdomain name.
    Application Port | The port your application listens on for unencrypted traffic.
    Application Secure Port | The port your application listens on for encrypted traffic.
    Application Type | The type of application you want to secure. All applications behind the WAF will use signatures specific to this application type. If the exact application type you're using is not listed, choose something similar, or choose Generic.
    Security Blocking Level | The level of traffic you want to flag as insecure. All applications behind the WAF will use this level. The higher the level, the more traffic that is blocked. The lower the level, the more chances that insecure traffic will make it through to your application. See the Security blocking levels topic for more information.
    SSL Certificate Upload | The SSL certificate and key (in .pfx format) corresponding to the application's public virtual server.
    Certificate Passphrase | The passphrase for the SSL certificate.
    Application Platform | If the application is on an Azure virtual machine, choose IaaS. If your application is on an Azure App Service Environment or App Service Plan, choose PaaS.
    Application Platform FQDN | For PaaS, the fully qualified domain name that clients will use to access the Azure App Service.
  13. Click OK.
  14. On the Summary blade, click OK.
  15. On the Buy blade, click Purchase.

The WAF is created behind an Azure load balancer. This deployment may take up to 45 minutes to complete.

However, traffic is not yet going to the application servers. You must first finalize the setup.

Create an F5 WAF from Azure Marketplace

Before you create a WAF, you need a web application hosted in Azure, with a public IP address and ports 80 and/or 443 open.
Create an F5 WAF to secure your application. Web applications can be hosted on Azure virtual machines (IaaS) or the Azure App Service (PaaS).
Note: The following steps are for a deployment from Azure Marketplace. You may be able to deploy from the Azure Security Center instead; see the Where to deploy from topic for details.
  1. Log in to the Microsoft Azure Portal at https://portal.azure.com.
  2. On the Dashboard, select Marketplace.
  3. In the Filter field, type F5 WAF Solution Hourly and press Enter.
  4. Click the name of the solution.
  5. At the bottom of the F5 WAF Solution blade, click Create.
  6. Complete the fields on the Basics blade and click OK.
  7. Complete the fields on the Infrastructure Settings blade.
    Option | Description
    Deployment Name | A unique name that you haven't used for previous deployments.
    F5 WAF Username | The username you will use to access BIG-IP VE.
    F5 WAF Password | Use a strong password. You will need this if you want to connect to BIG-IP VE.
    Number of WAFs | Choose two WAFs for increased bandwidth.
    Licensed Bandwidth | Throughput is limited to the threshold you choose.
    Storage Account | Choose a new or existing storage account. Both standard and premium storage are supported.
    Virtual machine size | A list of sizes recommended for the selected storage account type is displayed.
    Public IP address | Select a new or existing public IP address.
    Domain name label | The BIG-IP will be accessible by a name like F5WAF.westus.cloudapp.azure.com. The label you enter will be the first part of the name.
    Virtual network | Select a new or existing virtual network.
    Subnets | For the Subnet address prefix, ensure that there are available IP addresses to be used for the BIG-IP VE instances.
    Restricted source network or address | The IP address or range of addresses that can access the BIG-IP Configuration utility.
  8. Click OK.
  9. Complete the Application Settings blade. The fields you must complete are based on the application protocol you select.
    Option | Description
    Application Protocol | The protocol used to connect to your application.
    Application Address | The public IP address or fully qualified domain name of the application; for Azure App Services, use the Azure App Service subdomain name.
    Application Port | The port your application listens on for unencrypted traffic.
    Application Secure Port | The port your application listens on for encrypted traffic.
    Application Type | The type of application you want to secure. All applications behind the WAF will use signatures specific to this application type. If the exact application type you're using is not listed, choose something similar, or choose Generic.
    Security Blocking Level | The level of traffic you want to flag as insecure. All applications behind the WAF will use this level. The higher the level, the more traffic that is blocked. The lower the level, the more chances that insecure traffic will make it through to your application. See the Security blocking levels topic for more information.
    SSL Certificate Upload | The SSL certificate and key (in .pfx format) corresponding to the application's public virtual server.
    Certificate Passphrase | The passphrase for the SSL certificate.
    Application Platform | If the application is on an Azure virtual machine, choose IaaS. If your application is on an Azure App Service Environment or App Service Plan, choose PaaS.
    Application Platform FQDN | For PaaS, the fully qualified domain name that clients will use to access the Azure App Service.
  10. Click OK.
  11. On the Summary blade, click OK.
  12. On the Buy blade, click Purchase.

The WAF is created behind an Azure load balancer. This deployment may take up to 45 minutes to complete.

However, traffic is not yet going to the application servers. You must first finalize the setup.

Finalize the WAF

Update your DNS records to point to the WAF public IP address.
Then, you can finalize the WAF by allowing traffic from the WAF to access your application servers and the Azure Load Balancer in front of your applications. You must also deny traffic from the internet.
  1. In the Azure portal, open the Network Security Group associated with your application.
  2. Click the Inbound security rules label.
  3. Note the priority number for each existing rule. You are going to create at least three new rules for each application, and they must be higher priority (lower numbers) than the existing rules.
    Note: The lowest number you can use is 100. If 100, 101, and 102 are already in use, you must re-create existing rules and assign a higher number to each, so that these numbers are available.
  4. On the Inbound security rules blade, click Add.
  5. Allow the WAF to access the application server.
    Option | Description
    Name | A unique, descriptive name for the rule, for example allow_http_waf_appsrv0.
    Priority | A unique priority that is lower than any other security rule.
    Source | Choose CIDR block.
    Source IP address range | The public IP address of the Azure Load Balancer in front of the WAF devices, in CIDR notation. For example, if the IP address is 52.160.108.42, you would enter 52.160.108.42/32. You can find the public IP address in the resource group for the WAF; it is usually named waf-pip.
    Service | The service on the application server, for example HTTP or HTTPS.
    Protocol | Choose TCP.
    Port range | The TCP port on which your application server listens for traffic, for example, 80.
    Action | Choose Allow.
  6. Click OK.
  7. Allow the WAF to access the Azure Load Balancer in front of your application servers.
    Option | Description
    Name | A unique, descriptive name for the rule, for example allow_http_alb_appsrv0.
    Priority | A unique priority that is just above the previous rule.
    Source | Choose Tag.
    Source tag | Choose AzureLoadBalancer.
    Service | The service on the application server, for example HTTP or HTTPS.
    Protocol | Choose TCP.
    Port range | The TCP port on which your application server listens for traffic, for example, 80.
    Action | Choose Allow.
  8. Click OK.
  9. Deny internet traffic from getting to the application server.
    Option | Description
    Name | A unique, descriptive name for the rule, for example deny_http.
    Priority | A unique priority that is just above the previous rule.
    Source | Choose Tag.
    Source tag | Choose Internet.
    Service | Choose Custom.
    Protocol | Choose Any.
    Port range | The TCP port on which your application server listens for traffic, for example, 80.
    Action | Choose Deny.
  10. Click OK.
  11. Repeat these steps for each application server in the deployment.
You should no longer be able to access the application from the internet. Instead, you should be able to access the application by using the public IP address of the Azure Load Balancer for the WAF.
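The three rules above only work if their priority numbers sort ahead of whatever already exposes the application. The following added example (not F5's or Azure's code) plans the allow/allow/deny triple and then checks, by first-match evaluation, that Internet traffic to the application port now hits a Deny; the rule dicts and the sample NSG are constructed here and are only an assumed, trimmed-down shape of what `az network nsg rule list` returns.

```python
"""Plan and check the three NSG inbound rules from the 'Finalize the WAF' steps.

Assumption (not from the page): rules are small dicts with the fields used
below; nothing here talks to Azure.
"""
from ipaddress import ip_address

MIN_PRIORITY = 100  # lowest priority number an Azure NSG rule may use


def plan_waf_rules(existing, waf_lb_ip, app_port, suffix="appsrv0"):
    """Return allow/allow/deny rules numbered below every existing rule.

    Raises when 100..102 are not all free, which is the page's
    "re-create the existing rules with higher numbers" case.
    """
    lowest = min((r["priority"] for r in existing), default=MIN_PRIORITY + 3)
    if lowest < MIN_PRIORITY + 3:
        raise ValueError(f"only {lowest - MIN_PRIORITY} free priorities below {lowest}; renumber existing rules")
    source = f"{ip_address(waf_lb_ip)}/32"  # single-host CIDR for the WAF's load balancer IP
    port = str(app_port)
    return [
        {"name": f"allow_http_waf_{suffix}", "priority": MIN_PRIORITY,
         "source": source, "protocol": "Tcp", "port": port, "access": "Allow"},
        {"name": f"allow_http_alb_{suffix}", "priority": MIN_PRIORITY + 1,
         "source": "AzureLoadBalancer", "protocol": "Tcp", "port": port, "access": "Allow"},
        {"name": "deny_http", "priority": MIN_PRIORITY + 2,
         "source": "Internet", "protocol": "*", "port": port, "access": "Deny"},
    ]


def first_match(rules, source, port):
    """Lowest-numbered rule whose source and port cover the given traffic."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["source"] in (source, "*") and r["port"] in (str(port), "*"):
            return r
    return None


def internet_blocked(rules, app_port):
    """True when Internet traffic to app_port hits a Deny before any Allow."""
    hit = first_match(rules, "Internet", app_port)
    return hit is not None and hit["access"] == "Deny"


# Constructed sample NSG: the app was published directly to the Internet on port 80.
EXISTING = [
    {"name": "allow_http_in", "priority": 110, "source": "Internet",
     "protocol": "Tcp", "port": "80", "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "source": "*",
     "protocol": "*", "port": "*", "access": "Deny"},
]

if __name__ == "__main__":
    planned = plan_waf_rules(EXISTING, "52.160.108.42", 80)  # IP taken from the page's example
    print("blocked before:", internet_blocked(EXISTING, 80), "after:", internet_blocked(EXISTING + planned, 80))
```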

Automatically update signatures

You must update settings in BIG-IP® VE to ensure that the latest signatures are used for the WAF.
  1. In the Azure portal, in the left pane, click Browse > Resource groups.
  2. Click the name of your resource group and then in the SETTINGS area, click Deployments.
  3. Click the original deployment.
  4. In the Outputs section, copy the GUI-URL.
  5. Open a web browser window and paste the text.
    The BIG-IP Configuration utility opens.
  6. Log in to the BIG-IP Configuration utility with the username azureuser and the password you specified when you created the WAF.
  7. On the Main tab, click Security > Security Updates > Application Security.
  8. For the Update Mode setting, click Scheduled.
  9. Select the update interval and click Save Settings.
Signatures are now updated at the interval you specified.