Governance Policies Azure Networking Application Gateway - Azure/az-prototype GitHub Wiki
# Governance policies for Application Gateway
Domain: azure-networking
| Name | Description |
|---|---|
| Application Gateway WAF v2 with HTTPS and zone redundancy | Full WAF_v2 deployment with autoscaling, WAF policy, and diagnostics |
| Description | Instead |
|---|---|
| Do not deploy Application Gateway v1 | Use v2 SKU with WAF for autoscaling, zone redundancy, and web protection |
| Do not run WAF in Detection mode for production | Use Prevention mode to actively block malicious requests |
- Application Gateway documentation
- WAF on Application Gateway
- WAF: Application Gateway service guide
- Application Gateway autoscaling
- Application Gateway Key Vault integration
| Check | Severity | Description |
|---|---|---|
| AZ-AGW-001 | Required | Deploy Application Gateway v2 with WAF_v2 SKU for web application protection |
| AZ-AGW-002 | Required | Configure WAF policy in Prevention mode with OWASP 3.2 ruleset |
| AZ-AGW-003 | Required | Enforce TLS 1.2+ with strong SSL policy for all HTTPS listeners |
| AZ-AGW-004 | Recommended | Enable diagnostic settings for access logs, performance logs, and WAF logs |
| AZ-AGW-005 | Recommended | Configure autoscaling with appropriate minimum and maximum instance counts |
| AZ-AGW-006 | Recommended | Integrate Application Gateway with Key Vault for SSL/TLS certificate management |
| AZ-AGW-007 | Recommended | Configure connection draining on backend HTTP settings |
| AZ-AGW-008 | Recommended | Use HTTPS backend health probes with valid certificates |
## AZ-AGW-001: Deploy Application Gateway v2 with WAF_v2 SKU for web application protection
Severity: Required
Rationale: The v2 SKU provides autoscaling and zone redundancy, and WAF v2 includes the OWASP Core Rule Set (CRS) and bot protection
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/applicationGateways
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/publicIPAddresses | pip-agw | Standard SKU static public IP for Application Gateway frontend listener |
| Microsoft.Network/virtualNetworks/subnets | snet-agw | Dedicated subnet for Application Gateway (/24 recommended) |
| Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies | waf-policy | WAF policy with OWASP CRS rules for Application Gateway protection |
| Microsoft.Insights/diagnosticSettings | diag-agw | Diagnostic settings routing access logs and WAF logs to Log Analytics |
| Microsoft.ManagedIdentity/userAssignedIdentities | id-agw | User-assigned identity for Application Gateway Key Vault SSL certificate access |
## AZ-AGW-002: Configure WAF policy in Prevention mode with OWASP 3.2 ruleset
Severity: Required
Rationale: Detection mode only logs; Prevention mode blocks attacks. OWASP 3.2 is the latest stable ruleset
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Network/applicationGateways
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/applicationGateways | agw | Application Gateway to associate the WAF policy with |
## AZ-AGW-003: Enforce TLS 1.2+ with strong SSL policy for all HTTPS listeners
Severity: Required
Rationale: Older TLS versions and weak cipher suites are vulnerable to downgrade attacks
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Network/applicationGateways
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.KeyVault/vaults | kv-certs | Key Vault storing SSL/TLS certificates for Application Gateway HTTPS listeners |
## AZ-AGW-004: Enable diagnostic settings for access logs, performance logs, and WAF logs
Severity: Recommended
Rationale: Access logs are essential for troubleshooting; WAF logs track blocked requests
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/applicationGateways
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for Application Gateway diagnostic logs |
## AZ-AGW-005: Configure autoscaling with appropriate minimum and maximum instance counts
Severity: Recommended
Rationale: WAF Performance/Reliability: Autoscaling takes 3-5 minutes to provision new instances; setting a minimum based on average compute units prevents transient latency during traffic spikes
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Network/applicationGateways
## AZ-AGW-006: Integrate Application Gateway with Key Vault for SSL/TLS certificate management
Severity: Recommended
Rationale: WAF Security: Key Vault provides stronger security, role separation, managed certificate support, and automatic renewal/rotation for SSL certificates
Agents: cloud-architect, terraform-agent, bicep-agent, security-reviewer
- Microsoft.Network/applicationGateways
## AZ-AGW-007: Configure connection draining on backend HTTP settings
Severity: Recommended
Rationale: WAF Reliability: Connection draining ensures graceful removal of backend pool members during planned updates, draining existing connections before taking the backend out of rotation
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Network/applicationGateways
## AZ-AGW-008: Use HTTPS backend health probes with valid certificates
Severity: Recommended
Rationale: HTTP probes send health check data in plaintext; HTTPS ensures backend communication is encrypted
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/applicationGateways
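As an added example (not part of this wiki or the az-prototype project), a small Python checker that evaluates ARM-style Application Gateway and WAF policy resources against the eight AZ-AGW checks listed above. Property names follow the Microsoft.Network resource schema; the two sample gateways, the Key Vault URL and the minimum-instance threshold are constructed placeholders.

```python
# Predefined SSL policies whose minimum protocol is TLS 1.2 (20150501 and 20170401 allow older TLS).
TLS12_PREDEFINED = {"AppGwSslPolicy20170401S", "AppGwSslPolicy20220101", "AppGwSslPolicy20220101S"}
# Diagnostic log categories AZ-AGW-004 expects to be enabled on the gateway.
DIAG_REQUIRED = {"ApplicationGatewayAccessLog", "ApplicationGatewayPerformanceLog", "ApplicationGatewayFirewallLog"}

def _all(items, pred):
    # True for a non-empty collection whose every member's properties satisfy pred.
    return bool(items) and all(pred(i.get("properties", {})) for i in items)

def evaluate(agw: dict, waf: dict, diag_categories: set) -> dict:
    """Map each AZ-AGW check id to pass/fail for one gateway, its WAF policy and its enabled log categories."""
    p = agw.get("properties", {})
    ssl, auto = p.get("sslPolicy", {}), p.get("autoscaleConfiguration")
    settings = waf.get("properties", {}).get("policySettings", {})
    rulesets = waf.get("properties", {}).get("managedRules", {}).get("managedRuleSets", [])
    return {
        "AZ-AGW-001": p.get("sku", {}).get("tier") == "WAF_v2",
        "AZ-AGW-002": settings.get("state") == "Enabled" and settings.get("mode") == "Prevention"
        and any(r.get("ruleSetType") == "OWASP" and r.get("ruleSetVersion") == "3.2" for r in rulesets),
        "AZ-AGW-003": ssl.get("policyName") in TLS12_PREDEFINED
        or ssl.get("minProtocolVersion") in {"TLSv1_2", "TLSv1_3"},
        "AZ-AGW-004": DIAG_REQUIRED <= set(diag_categories),
        # A minimum of 1 instance is a placeholder threshold; tune it to observed compute units.
        "AZ-AGW-005": auto is not None and 1 <= auto.get("minCapacity", 0) < auto.get("maxCapacity", 0),
        "AZ-AGW-006": _all(p.get("sslCertificates", []), lambda c: bool(c.get("keyVaultSecretId"))),
        "AZ-AGW-007": _all(p.get("backendHttpSettingsCollection", []),
                           lambda b: b.get("connectionDraining", {}).get("enabled") is True),
        "AZ-AGW-008": _all(p.get("probes", []), lambda pr: pr.get("protocol") == "Https"),
    }

def failures(result: dict) -> list:
    return sorted(k for k, ok in result.items() if not ok)

# Constructed sample: a compliant WAF_v2 gateway (vault URL and names are placeholders).
GOOD_AGW = {"properties": {
    "sku": {"name": "WAF_v2", "tier": "WAF_v2"}, "autoscaleConfiguration": {"minCapacity": 2, "maxCapacity": 10},
    "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20220101S"},
    "sslCertificates": [{"properties": {"keyVaultSecretId": "https://kv-certs.vault.azure.net/secrets/app-cert"}}],
    "backendHttpSettingsCollection": [{"properties": {"protocol": "Https", "connectionDraining": {"enabled": True, "drainTimeoutInSec": 60}}}],
    "probes": [{"properties": {"protocol": "Https"}}]}}
GOOD_WAF = {"properties": {"policySettings": {"state": "Enabled", "mode": "Prevention"},
                           "managedRules": {"managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}]}}}
# Constructed sample: a v1 WAF gateway with an inline certificate, plaintext probes and a Detection-mode policy.
BAD_AGW = {"properties": {"sku": {"name": "WAF_Medium", "tier": "WAF", "capacity": 2},
    "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20150501"},
    "sslCertificates": [{"properties": {"data": "<inline-pfx-placeholder>"}}],
    "backendHttpSettingsCollection": [{"properties": {"protocol": "Http"}}],
    "probes": [{"properties": {"protocol": "Http"}}]}}
BAD_WAF = {"properties": {"policySettings": {"state": "Enabled", "mode": "Detection"},
                          "managedRules": {"managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.1"}]}}}
```

`failures(evaluate(GOOD_AGW, GOOD_WAF, DIAG_REQUIRED))` returns an empty list, while the legacy sample with only the access log enabled fails all eight checks.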