Building a Secure Infrastructure: Application Gateway and Web Application Firewall for Azure AD B2C Migration
A critical step before migrating to Azure AD B2C is ensuring a secure web application infrastructure. Web Application Firewall (WAF) with Azure Application Gateway helps manage all web traffic and protect applications against common known attacks, providing an additional layer of security for web applications integrating with Azure AD B2C.
This helps to:
* Manage and distribute web traffic efficiently.
* Protect applications from security threats like SQL injection (SQLi), cross-site scripting (XSS), and bot attacks.
* Enhance compliance with security best practices (OWASP Top 10).
What is Azure Application Gateway with Web Application Firewall (WAF)?
Azure Application Gateway
Azure Application Gateway is a Layer 7 (application layer) load balancer designed to route and manage web traffic for applications. It offers features like:
* SSL termination: Offloads SSL decryption at the gateway level to reduce backend server load and enable deep packet inspection.
* URL-based routing: Routes traffic to different backend pools based on URL paths, allowing microservices architecture optimization.
* Cookie-based session affinity: Ensures a user session is consistently routed to the same backend instance, improving user experience.
* Autoscaling & zone redundancy: Automatically adjusts the number of instances based on traffic and supports high availability across Azure regions.
Web Application Firewall (WAF)
Azure WAF is a security feature of Application Gateway that protects web applications from malicious attacks by filtering HTTP/HTTPS traffic. It provides:
* Pre-configured managed rule sets (based on OWASP Top 10) to detect and block common vulnerabilities.
* Custom security rules to tailor protection to business needs (e.g., restricting access by country or IP).
* Logging & monitoring via Azure Monitor and Security Center to analyze attack patterns and prevent security breaches.
* DDoS protection (if integrated with an Azure DDoS Protection Plan) for mitigating volumetric attacks.
Advantages of Application Gateway with WAF
1. Protection Against Common Web Threats
* Prevents attacks like SQL injection, XSS, and protocol-based exploits.
* Mitigates Layer 7 DDoS attacks (application-level threats).
* For full-scale DDoS protection, it must be paired with Azure DDoS Protection to defend against volumetric (L3/L4) attacks.
2. Scalable Traffic Management
* Routes traffic intelligently across backend services using URL-based (path-based) routing.
* Multi-site routing (directing different domains to different backend pools).
* Header-based routing for advanced traffic management.
* Auto-scales to handle traffic spikes during migration or high-demand periods.
3. Centralized Logging and Monitoring
* Integrates with Azure Monitor, Log Analytics, and Microsoft Sentinel for detailed traffic and threat analysis.
* Logs every blocked or allowed request for compliance and troubleshooting.
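As an added example (not from the original article), a small Python summariser for the WAF firewall-log records that Application Gateway sends to Azure Monitor / Log Analytics. The log lines are constructed to match the ApplicationGatewayFirewallLog schema; the summariser counts blocks per client, hits per rule, and surfaces a rule that fires for many distinct clients on one path, which is the pattern to look at when a rule is blocking legitimate traffic and needs tuning.

```python
"""Summarise Application Gateway WAF firewall-log records (the Azure Monitor
ApplicationGatewayFirewallLog category). Added example, not from the page; the
log lines below are constructed in that schema and are not real traffic."""
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON record per line, as exported to Log Analytics
# or a storage account. Only a subset of the real fields is included.
SAMPLE_LOG = """
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/login","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","action":"Blocked","message":"SQL Injection Attack Detected via libinjection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/search?q=test","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"941100","action":"Blocked","message":"XSS Attack Detected via libinjection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.7","requestUri":"/api/profile","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"920300","action":"Matched","message":"Request Missing an Accept Header"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.8","requestUri":"/api/profile?v=2","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"920300","action":"Matched","message":"Request Missing an Accept Header"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/api/profile","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"920300","action":"Matched","message":"Request Missing an Accept Header"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIp":"198.51.100.9","requestUri":"/api/profile","httpStatus":200}}
"""


def parse_waf_log(text: str) -> list[dict]:
    """Keep only firewall-log records; access-log lines share the same stream."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("category") == "ApplicationGatewayFirewallLog":
            records.append(rec["properties"])
    return records


def summarise(records: list[dict]) -> dict:
    """Blocks per client IP, hits per rule, and rules that fire on one path for
    many distinct clients (likely false positives worth tuning or excluding)."""
    blocked_by_ip = Counter(r["clientIp"] for r in records if r["action"] == "Blocked")
    hits_by_rule = Counter(r["ruleId"] for r in records)
    clients = defaultdict(set)
    for r in records:
        path = r["requestUri"].split("?", 1)[0]  # drop the query string
        clients[(r["ruleId"], path)].add(r["clientIp"])
    tuning = sorted(key for key, ips in clients.items() if len(ips) >= 3)
    return {
        "blocked_by_ip": dict(blocked_by_ip),
        "hits_by_rule": dict(hits_by_rule),
        "tuning_candidates": tuning,
    }
```

In a real deployment the same logic runs as a Log Analytics query over the AzureDiagnostics table; the threshold of three distinct clients is a placeholder to tune for your traffic volume.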
4. Enhanced Security with Customizable Rules
* Supports pre-configured OWASP rule sets or allows you to create custom rules for specific application needs.
* Supports bot mitigation (blocking known bot IP ranges & rate limiting) and geo-blocking to restrict access based on IP or region.
Licensing Requirements and Costs
Azure Application Gateway and WAF incur costs based on the following factors:
* Charges depend on the number of gateway instances and autoscaling settings.
  * Standard & WAF (v1): Requires manual instance selection (e.g., Medium, Large).
  * Standard_v2 & WAF_v2: Supports autoscaling, charging based on actual usage. Autoscaling dynamically adjusts instance count based on traffic load.
* Pricing includes data transfer charges for inbound and outbound traffic.
  * Inbound data (ingress) is free.
  * Outbound data (egress) is billable but usually not a significant cost factor for Application Gateway.
* WAF rules (e.g., OWASP managed rules) are billed separately. WAF pricing includes:
  * Base WAF instance charges (per hour).
  * Enabled WAF policies (not per rule).
  * OWASP Managed Rule Set (CRS) is included at no extra cost. Custom WAF rules do not have additional charges unless they increase processing overhead.
Estimated Costs:
* Application Gateway (Standard_v2 or WAF_v2): $150–$300/month for a single instance (varies by region & autoscaling).
* Web Application Firewall (WAF_v2): $200+/month depending on traffic and policies applied.
* Azure DDoS Protection (if added): Starts at ~$2,944/month per tenant.
Gotchas to Consider
* Autoscaling Application Gateway can increase costs significantly during high traffic spikes.
* Outbound (egress) data transfer is billable but usually not a primary cost driver.
* Custom WAF rules do NOT increase cost directly, but excessive rules may introduce performance overhead.
* Oversizing leads to unnecessary costs, while undersizing causes performance bottlenecks.
* Azure DDoS Protection is a separate service but highly recommended for defending against volumetric attacks.
Advantages of Application Gateway with WAF
* Comprehensive Protection: Blocks threats like SQLi, XSS, and other OWASP Top 10 vulnerabilities. Managed rulesets (OWASP CRS) require minimal manual tuning.
* Security and Compliance: Logs and monitors attack patterns with Azure Monitor, Sentinel, and Log Analytics. Helps meet regulatory compliance requirements (GDPR, PCI DSS).
* Scalability & Reliability: Autoscaling ensures availability during high-traffic periods. Supports multiple backend pools for microservices architectures.
Disadvantages of Application Gateway with WAF
* Cost Complexity: Pricing varies significantly based on usage, SKU, and autoscaling. Estimating costs for dynamic workloads can be difficult.
* Technical Learning Curve: Requires knowledge of WAF policies and Application Gateway configurations to maximize benefits. Incorrectly configured rules can block legitimate traffic.
* Performance Overhead: WAF introduces slight latency due to deep packet inspection. Performance impact depends on the number of rules enabled.
When to Use Application Gateway with WAF
Application Gateway with WAF is ideal for:
* Azure AD B2C Migration: Protects customer identity portals and APIs from potential threats during the migration process. Defends against malicious traffic, bot attacks, and OWASP Top 10 vulnerabilities.
* High-Traffic Applications: Scales efficiently for organizations handling large volumes of web traffic. Autoscaling (WAF_v2/Standard_v2) adjusts based on traffic demand.
* Regulated Industries: Helps meet security and compliance requirements (e.g., HIPAA, PCI DSS, GDPR). Logs and monitors security threats for audit and forensic analysis.
Key Considerations for Infrastructure Planning
* Optimize Sizing: Start with small Application Gateway instances and scale based on traffic patterns to manage costs.
* Enable Autoscaling: Configure autoscaling to handle spikes during user migration without manual intervention. Use WAF_v2 or Standard_v2 for autoscaling (not available in v1 SKUs).
* Integrate with Analytics Tools: Use Azure Monitor and Sentinel to get real-time logging and actionable insights.
* Combine with DDoS Protection: Recommended for protection against volumetric (L3/L4) attacks in addition to WAF's L7 security.
* Custom Rules: Configure WAF custom rules to address application-specific threats and regional compliance needs.
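Bringing the custom rules item above together with the earlier WAF feature list (OWASP managed rule set, geo-restriction, rate limiting), here is an added Python example, not from the page or from Microsoft, that builds a WAF policy body in the ARM/REST JSON shape and then lints it for settings that quietly weaken it (Detection mode, request body inspection off, no managed rule set). The policy name, allowed country codes and rate-limit threshold are placeholders chosen by the caller; "negationConditon" is the property name as the Azure API actually spells it.

```python
"""Build an Application Gateway WAF policy (ARM/REST JSON shape) and lint it for
weak settings. Added example; name, country codes and threshold are placeholders."""

def build_waf_policy(name: str, allowed_countries: list[str], rpm_limit: int) -> dict:
    """Prevention mode, OWASP CRS 3.2, a geo-restriction rule and a per-IP rate limit."""
    return {
        "name": name,
        "properties": {
            "policySettings": {
                "state": "Enabled",
                "mode": "Prevention",      # "Detection" only logs, never blocks
                "requestBodyCheck": True,  # inspect POST bodies for SQLi/XSS too
            },
            "managedRules": {"managedRuleSets": [
                {"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}]},
            "customRules": [
                {   # geo-restriction: block clients NOT in the allowed countries
                    "name": "GeoAllowList", "priority": 10, "ruleType": "MatchRule",
                    "action": "Block",
                    "matchConditions": [{
                        "matchVariables": [{"variableName": "RemoteAddr"}],
                        "operator": "GeoMatch",
                        "negationConditon": True,  # sic: the API spells it this way
                        "matchValues": allowed_countries}],
                },
                {   # rate limit per client IP: throttles bots and brute-force logins
                    "name": "RateLimitPerIp", "priority": 20, "ruleType": "RateLimitRule",
                    "action": "Block", "rateLimitDuration": "OneMin",
                    "rateLimitThreshold": rpm_limit,  # requests per client per minute
                    "groupByUserSession": [{"groupByVariables": [
                        {"variableName": "ClientAddr"}]}],
                    "matchConditions": [{
                        "matchVariables": [{"variableName": "RemoteAddr"}],
                        "operator": "IPMatch", "matchValues": ["0.0.0.0/0"]}],
                },
            ],
        },
    }

def lint_waf_policy(policy: dict) -> list[str]:
    """Return findings for settings that silently weaken the protection."""
    props = policy["properties"]
    s = props["policySettings"]
    checks = [
        (s.get("state") != "Enabled", "policy is disabled"),
        (s.get("mode") != "Prevention", "Detection mode: attacks are logged, not blocked"),
        (not s.get("requestBodyCheck", False), "request body inspection off"),
        (not props.get("managedRules", {}).get("managedRuleSets"), "no managed (OWASP CRS) rule set"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running a new policy in Detection mode first and reviewing the firewall logs before switching to Prevention is the usual way to avoid the "incorrectly configured rules block legitimate traffic" problem the article mentions; the linter flags Detection mode so that step is not forgotten at go-live.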
Why Application Gateway with WAF Matters Before User Migration
When migrating users to Azure AD B2C, the potential for unauthorized access, malicious traffic, or unplanned downtime increases. Deploying Application Gateway with WAF before migration offers the following benefits:
* Prevents Vulnerabilities: Secures customer portals and APIs against exploitation during migration.
* Reduces Migration Risks: Handles increased traffic volumes seamlessly, ensuring a smooth user experience.
* Protects Sensitive Data: Safeguards personal and account information from being exposed during migration activities.
* Streamlines Operations: Centralized logging and monitoring simplify troubleshooting during migration.
Conclusion
One of the critical steps in building a secure infrastructure for Azure AD B2C is deploying Azure Application Gateway with Web Application Firewall. It improves migration readiness because it protects against web threats, scales with demand, and provides actionable insights.
Organizations preparing for Azure AD B2C migration should evaluate their infrastructure
needs and implement Application Gateway with WAF early in the planning process. This
proactive approach ensures a secure and seamless transition while minimizing risks to
applications and user data.