Web Application Firewall (WAF) on SWA

[ozkary]

Hi,

We would like to use a WAF to manage exploits and vulnerabilities for the Static Web App. We need to do common things like IP restrictions, Bot detection and other common rules.

Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

What are the recommendations for this use case?

I thank you for your time.

[miwebst]

Hey @ozkary,

As you mentioned above, you can use an Azure App Gateway and add the default hostname (or custom domain but note you will need to add it to the app gateway) as a backend in the backend pools section.

Similarly Azure Front Door also has a WAF option at the edge: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview. You can also specify the default hostname as the backend pool in this scenario.

The remaining question you might have is "how do I lock down traffic from my WAF to my SWA?" For this we have an improvement coming in the next few weeks :)

[anthonychu]

You can now lock down traffic from Application Gateway to your static web app using IP restrictions. You'll also want to configure the allowed forwarded hosts with the domains configured on Application Gateway.