Edit

Share via

Protect Azure Container Apps with Web Application Firewall on Application Gateway

When you host your apps or microservices in Azure Container Apps, you might not want to publish them directly to the internet. Instead, you might want to expose them through a reverse proxy.

A reverse proxy is a service that sits in front of one or more services. It intercepts and directs incoming traffic to the right destination.

With reverse proxies, you can place services in front of your apps that support cross-cutting functionality, including:

  • Routing
  • Caching
  • Rate limiting
  • Load balancing
  • Security layers
  • Request filtering

This article shows how to protect your container apps by using a Web Application Firewall (WAF) on Azure Application Gateway with an internal Container Apps environment.

For more information on networking concepts in Container Apps, see Networking Environment in Azure Container Apps.

Prerequisites

  • Internal environment with virtual network: Have a container app that's on an internal environment and integrated with a virtual network. For more information on how to create a virtual network integrated app, see provide a virtual network to an internal Azure Container Apps environment.

  • Security certificates: If you need to use TLS/SSL encryption to the application gateway, you need a valid public certificate to bind to your application gateway.

Retrieve your container app's domain

Use the following steps to retrieve the values of the default domain and the static IP to set up your Private DNS Zone.

  1. From the resource group's Overview window in the portal, select your container app.

  2. On the Overview window for your container app resource, select the link for Container Apps environment.

  3. On the Overview window for your container app environment resource, select JSON View in the upper right-hand corner of the page to view the JSON representation of the container apps environment.

  4. In the JSON view, locate the properties section and find the following values:

    • Default domain: Look for properties.defaultDomain or properties.environmentFqdn

    • Static IP: Look for properties.staticIp

  5. Copy these values and paste them into a text editor. You use the default domain value when you create a private DNS zone in the next section.

Create and configure an Azure Private DNS zone

To create and configure an Azure Private DNS zone, complete the following steps:

  1. Go to the Azure portal.

  2. In the search bar, enter Private DNS Zone.

  3. Select Private DNS Zone from the search results.

  4. Select Create.

  5. Enter the following values:

    Setting Action
    Subscription Select your Azure subscription.
    Resource group Select the resource group of your container app.
    Name Enter the default domain property of the Container Apps Environment from the previous section (either defaultDomain or environmentFqdn).
    Resource group location Leave as the default. You don't need a value because Private DNS Zones are global.

  6. Select Review + create. After validation finishes, select Create.

  7. After the private DNS zone is created, select Go to resource.

  8. In the Overview window, select +Record set to add a new record set.

  9. In the Add record set window, enter the following values:

    Setting Action
    Name Enter *.
    Type Select A-Address Record.
    TTL Keep the default values.
    TTL unit Keep the default values.
    IP address Enter the static IP property of the Container Apps Environment from the previous section (staticIp).

  10. Select OK to create the record set.

  11. Select +Record set again to add a second record set.

  12. In the Add record set window, enter the following values:

    Setting Action
    Name Enter @.
    Type Select A-Address Record.
    TTL Keep the default values.
    TTL unit Keep the default values.
    IP address Enter the static IP property of the Container Apps Environment from the previous section (staticIp).

  13. Select OK to create the record set.

  14. Select the Virtual network links window from the menu on the left side of the page.

  15. Select +Add to create a new link with the following values:

    Setting Action
    Link name Enter my-vnet-pdns-link.
    I know the resource ID of virtual network Leave it unchecked.
    Virtual network Select the virtual network your container app is integrated with.
    Enable auto registration Leave it unchecked.

  16. Select OK to create the virtual network link.

Create and configure Azure Application Gateway

To create and configure an Azure Application Gateway, complete the following steps:

  1. Go to the Azure portal.

  2. In the search bar, enter Application Gateway.

  3. Select Application Gateway from the search results.

Now, enter the required details under the Basics tab, Frontends tab, Backends tab, and Configuration tab.

Basics tab

Perform the following steps:

  1. Enter the following values in the Project details section.

    Setting Action
    Subscription Select your Azure subscription.
    Resource group Select the resource group for your container app.
    Application gateway name Enter my-container-apps-agw.
    Region Select the location where you provisioned your Container App.
    Tier Select WAF V2. You can use Standard V2 if you don't need WAF.
    Enable autoscaling Leave as default. For production environments, autoscaling is recommended. See Autoscaling Azure Application Gateway.
    Availability zone Select None. For production environments, Availability Zones are recommended for higher availability.
    HTTP2 Keep the default value.
    WAF Policy Select Create new and enter my-waf-policy for the WAF Policy. Select OK. If you chose Standard V2 for the tier, skip this step.
    Virtual network Select the virtual network that your container app is integrated with.
    Subnet Select Manage subnet configuration. If you already have a subnet you want to use, select that subnet and skip to the Frontends section.

  2. From within the Subnets window of my-vnet, select +Subnet and enter the following values:

    Setting Action
    Name Enter appgateway-subnet.
    Subnet address range Keep the default values.

  3. For the remainder of the settings, keep the default values.

  4. Select Save to create the new subnet.

  5. Close the Subnets window to return to the Create application gateway window.

  6. Select the following values:

    Setting Action
    Subnet Select the appgateway-subnet you created.

  7. Select Next: Frontends to proceed.

Frontends tab

Perform the following steps:

  1. On the Frontends tab, enter the following values:

    Setting Action
    Frontend IP address type Select Public.
    Public IP address Select Add new. Enter my-frontend for the name of your frontend and select OK

    Note

    For the Application Gateway v2 SKU, you need a public frontend IP. For more information, see Public and private IP address support and Manage a public IP address with an Azure Application Gateway.

  2. Select Next: Backends.

Backends tab

The backend pool routes requests to the appropriate backend servers. You can compose backend pools from any combination of the following resources:

  • NICs
  • Public IP addresses
  • Internal IP addresses
  • Virtual Machine Scale Sets
  • Fully qualified domain names (FQDN)
  • Multitenant backends like Azure App Service and Container Apps

In this example, you create a backend pool that targets your container app.

To create a backend pool, complete the following steps:

  1. Select Add a backend pool.

  2. Open a new tab and go to your container app.

  3. In the Overview window of the Container App, find the Application Url and copy it.

  4. Return to the Backends tab, and enter the following values in the Add a backend pool window:

    Setting Action
    Name Enter my-agw-backend-pool.
    Add backend pool without targets Select No.
    Target type Select IP address or FQDN.
    Target Enter the Container App Application Url you copied and remove the https:// prefix. This location is the FQDN of your container app.

  5. Select Add.

  6. On the Backends tab, select Next: Configuration.

Configuration tab

On the Configuration tab, you connect the frontend and backend pool you created by using a routing rule.

To connect the frontend and backend pool, perform the following steps:

  1. Select Add a routing rule. Enter the following values:

    Setting Action
    Name Enter my-agw-routing-rule.
    Priority Enter 1.

  2. Under Listener tab, enter the following values:

    Setting Action
    Listener name Enter my-agw-listener.
    Frontend IP Select Public.
    Protocol Select HTTPS. If you don't have a certificate you want to use, you can select HTTP
    Port Enter 443. If you chose HTTP for your protocol, enter 80 and skip to the default/custom domain section.
    Choose a Certificate Select Upload a certificate. If your certificate is stored in key vault, you can select Choose a certificate from Key Vault.
    Cert name Enter a name for your certificate.
    PFX certificate file Select your valid public certificate.
    Password Enter your certificate password.

    If you want to use the default domain, enter the following values:

    Setting Action
    Listener Type Select Basic
    Error page url Leave as No

    Alternatively, if you want to use a custom domain, enter the following values:

    Setting Action
    Listener Type Select Multi site
    Host type Select Single
    Host Names Enter the Custom Domain you wish to use.
    Error page url Leave as No

  3. Select the Backend targets tab and enter the following values:

  4. Toggle to the Backend targets tab and enter the following values:

    Setting Action
    Target type Select my-agw-backend-pool that you created earlier.
    Backend settings Select Add new.

  5. In the Add Backend setting window, enter the following values:

    Setting Action
    Backend settings name Enter my-agw-backend-setting.
    Backend protocol Select HTTPS.
    Backend port Enter 443.
    Use well known CA certificate Select Yes.
    Override with new host name Select Yes.
    Host name override Select Pick host name from backend target.
    Create custom probes Select No.

  6. Under Request Header Rewrite, configure the following settings:

    • Enable Request Header Rewrite: Select Yes.
    • Add a request header:
      • Header name: X-Forwarded-Host
      • Value: {http_req_host}

    This action ensures that the original Host header from the client request is preserved and accessible by the backend application.

  7. Select Add to add the backend settings.

  8. In the Add a routing rule window, select Add again.

  9. Select Next: Tags.

  10. Select Next: Review + create, then select Create.

You can establish a secured connection to internal-only container app environments by using private link. With private link, your Application Gateway can communicate with your Container App on the backend through the virtual network.

  1. After you create the Application Gateway, select Go to resource.

  2. From the menu on the left, select Private link, then select Add.

  3. Enter the following values:

    Setting Action
    Name Enter my-agw-private-link.
    Private link subnet Select the subnet you want to use to create the private link.
    Frontend IP Configuration Select the frontend IP for your Application Gateway.

  4. Under Private IP address settings, select Add.

  5. Select Add at the bottom of the window.

Preserve original host header for redirects and SSO

When you configure Azure Application Gateway as a reverse proxy and enable the Override with new host name setting, the Host header is modified. Modifying the header can interfere with applications that rely on the original host value to generate redirect URLs, absolute links, or support OpenID Connect (OIDC) authentication flows.

To forward the original host header, you can inject it into the X-Forwarded-Host header by using Application Gateway's request header rewrite feature.

Configure X-Forwarded-Host injection

To enable X-Forwarded-Host injection:

  1. Under the Configuration tab, select the Backend settings section of your Application Gateway routing rule:

    • Enable Request Header Rewrite.
    • Add a new request header with the following values:
      • Header name: X-Forwarded-Host
      • Value: {http_req_host}

    Your backend app can now read the original request host by using the X-Forwarded-Host header.

Note

When configuring header rewrite rules, make sure to use the correct variable syntax. Server variables must use the appropriate prefix, such as http_req_ for request headers. For troubleshooting rewrite rule configuration errors, see Rewrite HTTP headers and URL with Application Gateway.

Verify the container app

  1. Find the public IP address for the application gateway on its Overview page, or you can search for the address. To search, select All resources and enter my-container-apps-agw-pip in the search box. Then, select the IP in the search results.

  2. Go to the public IP address of the application gateway.

  3. Your request is automatically routed to the container app, which verifies the application gateway was successfully created.

Clean up resources

When you no longer need the resources that you created, delete the resource group. When you delete the resource group, you also remove all the related resources.

To delete the resource group:

  1. On the Azure portal menu, select Resource groups or search for and select Resource groups.

  2. On the Resource groups page, search for and select my-container-apps.

  3. On the Resource group page, select Delete resource group.

  4. Enter my-container-apps under TYPE THE RESOURCE GROUP NAME and then select Delete.

Next steps

Azure Firewall in Azure Container Apps

  • Last updated on