Microsoft Network ApplicationGateways

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.

Destination Authentication

Design Guidance:

Microsoft.Network/applicationGateways

Authentication Certificates
Terraform
Authentication Certificates-Data
Terraform
Authentication Certificates-Name
Terraform
Authentication Certificates-Id
Terraform
SSL Certificates
Terraform
SSL Certificates-Data
Terraform

Design for High Availability

Design Guidance:

Microsoft.Network/applicationGateways

Autoscale Configuration
Terraform
Autoscale Configuration-Max Capacity
Terraform
Autoscale Configuration-Min Capacity
Terraform
Probe-Id
Terraform
Backend HTTP Settings Collection-Probe Enabled
Terraform
Probes
Terraform
Probes-Host
Terraform
Probes-Interval
Terraform
Match-Status Codes
Terraform
Probes-Min Servers
Terraform
Probes-Name
Terraform
Probes-Path
Terraform
Probes-Timeout
Terraform
Probes-Unhealthy Threshold
Terraform
Zones
Terraform

Load Balancing

Design Guidance:

Microsoft.Network/applicationGateways

Backend Address Pools
Terraform
Backend Address Pools-Backend Addresses
Terraform
Backend Addresses-FQDN
Terraform
Backend Addresses-Ip Address
Terraform
Backend Address Pools-Name
Terraform
Backend HTTP Settings Collection
Terraform
Backend HTTP Settings Collection-Name
Terraform
Backend HTTP Settings Collection-Port
Terraform

Session Binding

Design Guidance:

Microsoft.Network/applicationGateways

Backend HTTP Settings Collection-Affinity Cookie Name
Terraform
Backend HTTP Settings Collection-Cookie Based Affinity
Terraform

TLS

Design Guidance:

Microsoft.Network/applicationGateways

Backend HTTP Settings Collection-Protocol
Terraform
Probes-Protocol
Terraform
SSL Policy-Disabled SSL Protocols
Terraform
SSL Policy-Min Protocol Version
Terraform
Enable FIPS
Terraform
SSL Policy-Cipher Suites
Terraform
SSL Policy-Policy Name
Terraform
SSL Policy-Policy Type
Terraform
SSL Policy
Terraform

Microsoft.Network/applicationGateways

HTTP Listeners-Host Name
Terraform
HTTP Listeners-Protocol
Terraform
HTTP Listeners-Require Server Name Indication
Terraform

Session Limits

Microsoft.Network/applicationGateways

Backend HTTP Settings Collection-Request Timeout
Terraform

Issue Keys from Trusted Authorities

Design Guidance:

Microsoft.Network/applicationGateways

Trusted Root Certificates-Id
Terraform
Trusted Root Certificates
Terraform
Trusted Root Certificates-Data
Terraform
Trusted Root Certificates-Key Vault Secret Id
Terraform
Trusted Root Certificates-Name
Terraform

Microsoft.Network/applicationGateways

SSL Certificate-Id
Terraform

Subnet Isolation

Design Guidance:

Microsoft.Network/applicationGateways

Frontend IP Configurations
Terraform
Frontend IP Configurations-Name
Terraform
Frontend IP Configurations-Private IP Allocation Method
Terraform
Public IP Address-Id
Terraform

Deny-all Communications and Only Allow-by-Exception

Design Guidance:

Microsoft.Network/applicationGateways

Frontend Ports-Port
Terraform

Redirect To TLS

Design Guidance:

Microsoft.Network/applicationGateways

Redirect Configurations
Terraform
Redirect Configurations-Include Path
Terraform
Redirect Configurations-Include Query String
Terraform
Redirect Configurations-Redirect Type
Terraform
Target Listener-Id
Terraform
Redirect Configurations-Target URL
Terraform

Protect Cryptographic Keys

Design Guidance:

Microsoft.Network/applicationGateways

SSL Certificates-Key Vault Secret Id
Terraform
SSL Certificates-Name
Terraform
SSL Certificates-Password
Terraform

Asset Inventory

Design Guidance:

Microsoft.Network/applicationGateways

Configure Connection Draining

Design Guidance:

Microsoft.Network/applicationGateways

Connection Draining-Drain Timeout In Sec
Terraform
Connection Draining-Enabled
Terraform

Firewalls

Design Guidance:

Microsoft.Network/applicationGateways

Firewall Policy-Id
Terraform

Payload Inspection

Microsoft.Network/applicationGateways

Web Application Firewall Configuration
Terraform
Web Application Firewall Configuration-Enabled
Terraform
Web Application Firewall Configuration-Firewall Mode
Terraform
Web Application Firewall Configuration-Rule Set Type
Terraform
Web Application Firewall Configuration-Rule Set Version
Terraform

Input Validation

Design Guidance:

Microsoft.Network/applicationGateways

Web Application Firewall Configuration-File Upload Limit In Mb
Terraform
Web Application Firewall Configuration-Max Request Body Size In Kb
Terraform
Web Application Firewall Configuration-Request Body Check
Terraform

Design for Minimum Necessary Information Flows

Microsoft.Network/applicationGateways

HTTP Listeners
Terraform
Frontend IP Configuration-Id
Terraform
Frontend Port-Id
Terraform