Allow Azure AD App Proxy Apps to use the Azure Web Application Firewall (WAF)
Applications published with the Azure AD Application Proxy should be allowed to be configured to have traffic go through the Azure Web Application Firewall (WAF). We currently have to purchase a 3rd party WAF instead of using the Azure WAF when publishing applications.
This should be built-in functionality that can be added onto the Azure AD App Proxy configuration.
We need more feedback around what the key scenarios are that you want to accomplish with this integration. Please share with us more feedback on this as we continue investigating options for this.
Joosua_ Santasalo commented
I recently did some experimental testing with retrofitting the two: https://securecloud.blog/2020/01/02/experimental-testing-azure-ad-application-proxy-with-azure-application-gateway-waf/
We installed Azure web application proxy with connector. We ran an applicative PT (OWASP Top 10); we found XSS possible, we found unrestricted URLs, and so forth. Isn't that enough evidence for you guys to realize that authentication only by itself doesn't solve anything related to application security, e.g. OWASP Top 10? Do you realize that anything out of Top 10 like injection and XSS are very simple and very effective things to do over the "authenticated" channel? Don't you guys realize that the password of any user can be stolen relatively easily? What other feedback do you need? Let's get to work.
Combining WAF with the Application Proxy is a necessary feature. Is there any option to combine these two? Any plan for that?
Christopher Brumm commented
Today the app proxy works very well for scenarios with trusted devices where no additional protection is needed. But if you want to publish the apps for your partners or the public, an integration with a WAF can become necessary. We'd really appreciate this feature, because we have a lot of customers who want to publish their (legacy) apps and would like to protect them with a WAF.
Does anyone know a way to combine both services until there is a built-in integration?
Hello Azure AD Team,
The key scenario is pretty simple. We are publishing internal applications with the Azure AD Application Proxy, and we would like to protect them with Web Application Firewall functionality. It looks like these are two separate services, with no way to integrate them. Please feel free to reach out to me directly if you have additional questions. I submitted the original request in 2017.
I have published many internal services through Azure Application Proxy (AAP) for business, but AAP does not protect applications from application-level attacks (such as SQL injection, XSS, cross-site scripting, and others).
How can I use Azure WAF to protect my internal applications published through Azure?
Has there been any documentation posted yet on how to layer these two services? Thank you.
Any updates here?
George D commented
Any update here? Looking for the best of Application Gateway and Application Proxy features.
George D commented
Any update here? This is something I am also looking at.
Is there someone I could work with at Microsoft to help us understand the steps while you are working on the smoother integration and documentation?
Is this planned, or possible?