How can you fulfill your end of the shared responsibility model (securing the application, its data, and access management) for web apps running on Azure App Service? A good place to start is Azure Private Endpoint, a feature that is easy to overlook in the Azure docs. Keep reading for how it fits into a layered design.
Azure Private Endpoint secures your web app by removing its direct public exposure: the app gets a private IP address from a subnet in your virtual network, and the public endpoint can be disabled. The connection between the private endpoint and the web app runs over Azure Private Link and carries inbound traffic only; outbound traffic from the app is not affected (that is what regional VNet integration is for). Two things to verify after enabling it: clients inside the VNet must resolve the app hostname to the private endpoint address (normally through a private DNS zone for privatelink.azurewebsites.net), and requests to the public hostname from the Internet should be refused.
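The check described above, written as an added example that is not part of the original post: from a VNet-joined host the app hostname should resolve to a private address, and from the Internet the public hostname should answer 403 rather than serve the app. The resolver and HTTP fetcher are injectable so the classification logic runs offline with constructed results; the app name and IP addresses are assumptions.

```python
"""Classify how an App Service hostname is exposed after adding a private endpoint.

Added example (not from the original post). Expected outcomes:
  - from inside the VNet:   "private"        (name resolves to a private IP)
  - from the Internet:      "public-blocked" (public IP, App Service answers 403)
  - anything else:          "public-exposed" (public IP and the app still serves)
"""
import ipaddress
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict


def default_resolve(hostname: str) -> str:
    """Resolve with the host's own DNS (inside the VNet this hits the private zone)."""
    return socket.gethostbyname(hostname)


def default_status(url: str) -> int:
    """HTTP status of a GET, returning error statuses (403, 404, ...) instead of raising."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def classify_exposure(
    hostname: str,
    resolve: Callable[[str], str] = default_resolve,
    status: Callable[[str], int] = default_status,
) -> str:
    """Return "private", "public-blocked" or "public-exposed" for one hostname."""
    addr = ipaddress.ip_address(resolve(hostname))
    if addr.is_private:
        # Private Link address from the PE subnet: the request never leaves the VNet.
        return "private"
    # Public address: App Service returns 403 when public network access is disabled.
    code = status(f"https://{hostname}/")
    return "public-blocked" if code == 403 else "public-exposed"


def audit_app(
    app_name: str,
    resolve: Callable[[str], str] = default_resolve,
    status: Callable[[str], int] = default_status,
) -> Dict[str, str]:
    """Check both the site and its Kudu/SCM hostname; the PE covers both."""
    hosts = [f"{app_name}.azurewebsites.net", f"{app_name}.scm.azurewebsites.net"]
    return {h: classify_exposure(h, resolve, status) for h in hosts}


if __name__ == "__main__":
    # Constructed offline run (assumed app name and addresses): what an Internet-side
    # check should report once public access is disabled.
    report = audit_app(
        "contoso-web",
        resolve=lambda h: "20.50.1.2",   # assumed public App Service IP
        status=lambda u: 403,            # App Service "blocked for public access"
    )
    for host, verdict in report.items():
        print(f"{host}: {verdict}")
```

Run it once from a VM in the VNet (expect "private" for both names) and once from outside (expect "public-blocked"); a "public-exposed" verdict means the public endpoint is still serving the app and the private endpoint has not actually reduced exposure.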
Once the web app is no longer publicly reachable, it is worth adding a second layer of defense as a one-two punch against potential attacks. Ideally that layer inspects both ingress and egress traffic and provides virtual patching, so known vulnerabilities are shielded at the network layer before the application itself can be patched.
Trend Micro Cloud One™ – Network Security is a powerful, seamless solution that deploys transparently in hybrid and multi-cloud environments to protect apps immediately. Designed with developers in mind, Network Security integrates with communication and ticketing tools so you and your team can respond quickly to validated issues. Virtual patching acts as a band-aid that stops the bleeding: it blocks exploitation of a known vulnerability in transit, helping you stay compliant and minimizing workflow disruption while the real fix is rolled out.
In the architecture below, Network Security Virtual Appliances (NSVA) are deployed as an HA (active-active) pair to inspect all incoming request traffic from the Internet, which the Azure Firewall forwards to the Azure App Service. Azure user-defined routes (UDR) send the response traffic back through the NSVA for inspection and then on to the Azure Firewall, which returns it to the client. The UDR is what keeps the flow symmetric: if responses followed the default VNet route straight back to the firewall, the appliances would see only half of each session.
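A way to confirm that the return path really traverses the NSVA, as an added example that is not part of the original post: take the effective route table of a NIC in the private endpoint subnet (a test VM placed in that subnet will do) in the JSON shape produced by `az network nic show-effective-route-table -o json`, and resolve the next hop for the Azure Firewall's private address by longest-prefix match. The addresses, the subnet layout and the sample route tables are constructed assumptions; the check flags the asymmetric-routing failure mode where the response follows the VnetLocal system route and bypasses inspection.

```python
"""Longest-prefix-match check over an Azure effective route table.

Added example (not from the original post). Input is a dict in the shape of
`az network nic show-effective-route-table -o json`:
  {"value": [{"addressPrefix": [...], "nextHopType": "...",
              "nextHopIpAddress": [...], "source": "Default|User", "state": "Active|Invalid"}]}
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: VNet 10.0.0.0/16, AzureFirewallSubnet 10.0.1.0/26,
# PE subnet 10.0.2.0/24, NSVA internal load balancer front end 10.0.3.10 (all assumed).
FIREWALL_PRIVATE_IP = "10.0.1.4"
NSVA_FRONTEND_IP = "10.0.3.10"

ROUTES_WITH_UDR = {
    "value": [
        {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        # The UDR: responses destined for the firewall subnet go to the NSVA pair first.
        {"addressPrefix": ["10.0.1.0/26"], "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": [NSVA_FRONTEND_IP], "source": "User", "state": "Active"},
    ]
}

# Same subnet with the route table ignored (e.g. network policies left disabled on
# the private endpoint subnet): only the system routes are effective.
ROUTES_WITHOUT_UDR = {"value": [r for r in ROUTES_WITH_UDR["value"] if r["source"] == "Default"]}


def next_hop_for(effective: Dict, destination: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (nextHopType, nextHopIp) of the most specific active route for destination."""
    dst = ipaddress.ip_address(destination)
    candidates: List[Tuple[int, int, Dict]] = []
    for route in effective["value"]:
        if route.get("state", "Active") != "Active":
            continue  # overridden system routes are listed as Invalid
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if dst in net:
                # Longest prefix wins; a user route beats a system route of equal length.
                candidates.append((net.prefixlen, 1 if route.get("source") == "User" else 0, route))
    if not candidates:
        return None
    _, _, best = max(candidates, key=lambda c: (c[0], c[1]))
    hops = best.get("nextHopIpAddress") or []
    return best["nextHopType"], (hops[0] if hops else None)


def return_path_inspected(effective: Dict, firewall_ip: str, nsva_ip: str) -> bool:
    """True only if responses to the firewall are handed to the NSVA front end."""
    return next_hop_for(effective, firewall_ip) == ("VirtualAppliance", nsva_ip)


if __name__ == "__main__":
    for label, table in (("with UDR", ROUTES_WITH_UDR), ("without UDR", ROUTES_WITHOUT_UDR)):
        print(label, next_hop_for(table, FIREWALL_PRIVATE_IP),
              "inspected" if return_path_inspected(table, FIREWALL_PRIVATE_IP, NSVA_FRONTEND_IP) else "BYPASSES NSVA")
```

Feed the script the real effective route table and run it after any change to the private endpoint subnet; a "BYPASSES NSVA" result means the appliances only see the request half of each session, which also breaks the stateful inspection the virtual patching relies on.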