topic Re: Cloudguard appsec and azure app service in WAF

Cloudguard appsec and azure app service

Michael_Thompso — Wed, 29 Dec 2021 01:56:25 GMT

Hi,
Can cloudguard appsec protect PaaS service like azure app service ?

Re: Cloudguard appsec and azure app service

Shay_Levin — Wed, 29 Dec 2021 10:56:18 GMT

No, it can't as the certificate and private key can't be exported from Azure Paas.

So if AppSec doesn't have the private key, it can't intercept the traffic, also it can only protect web services.

If you are using PaaS DB or Storage service, AppSec is not the relevant product.

The same for CloudGuard Network Security. you can protect your PaaS service up to the transport layer (4), the GW won't be able to catch many of the IPS signatures for example.

In order to use CloudGuard Network security with PaaS, you will need to use a private endpoint and UDR.

We will have an SK that explains exactly how to do that in a few days.

Re: Cloudguard appsec and azure app service

Michael_Thompso — Wed, 29 Dec 2021 15:11:27 GMT

Thanks for your response. Follow-up question since you brought up certs. For every application we want protected by appsec we would need to upload the cert to appsec correct? Also, when it comes to renewing the certs we would have to upload it again. Is there a more efficient way to handle certificate management if we had 100s of web apps to protect?

Re: Cloudguard appsec and azure app service

Shay_Levin — Thu, 30 Dec 2021 11:01:00 GMT

No, the certificates are being managed on the cloud provider, it's explained in the admin guide.

You just need to associate the AppSec instances with a role that provides access to the certificate on the certificate manager and the private key on the secret manager.