What is Azure Web Application Firewall (WAF)?

Azure Web Application Firewall (WAF) filters, monitors, and blocks HTTP traffic. It uses Open Web Application Security Project® (OWASP) rules to protect your application. It also provides centralized protection to web applications from common exploits and vulnerabilities and protects against threats and intrusions.

Supported Services

We have three different options to create a WAF in Azure:

  • Azure Front Door: Global, scalable entry-point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications.
  • Azure Content Delivery Network (CDN): Global CDN solution for delivering high-bandwidth content. It can be hosted in Azure or any other location.
  • Azure Application Gateway: Web traffic load balancer that enables you to manage traffic to your web applications.

Azure Front Door

Azure Front Door provides centralized protection for our web applications. It prevents malicious attacks close to the attack sources before they enter your virtual network.

As shown in the below image, we placed WAF at Azure network edge locations. It will inspect every incoming traffic, so it will prevent malicious attacks from entering the virtual network.

Global WAF Policy
Reference – https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview

Azure Content Delivery Network (CDN) Service from Microsoft

Azure Content Delivery Network (CDN) provides a global and centralized solution for our web content. It will reduce load times, bandwidth, and speed responsiveness of the application.

As shown in the image, WAF deployed on Azure network edge locations around the globe. A WAF policy easily links to any CDN endpoint in your subscription. New rules can be deployed within minutes and respond quickly to changing threat patterns.

Content Delivery Network
Reference – https://docs.microsoft.com/en-us/azure/web-application-firewall/cdn/cdn-overview

Azure Application Gateway WAF

Application security is strengthened by WAF integration into Application Gateway. Protect your web applications from web vulnerabilities and attacks without modification to back-end code. We can protect multiple web applications at the same time. An instance of Application Gateway can host up to 40 websites protected by a web application firewall. In addition, we can custom WAF policies for different sites behind the same WAF. As shown below, we can also Protect our web applications from malicious bots and XSS attacks, SQL Injection, and other vulnerabilities by using Application Gateway WAF.

Application Gateway
Reference – https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

WAF Modes

WAF policy can be configured to run in the following two modes:

  • Detection mode: When running in detection mode, WAF doesn’t take any actions other than monitoring and logs the request and its matched WAF rule to WAF logs.
  • Prevention mode: In prevention mode, WAF takes the specified action if a request matches a rule. If a match is found, no further rules with lower priority are evaluated. Any matched requests are also logged in the WAF logs.

WAF Policy and Rules

WAF policy consists of two types of security rules:

  • Custom rules that are authored by the customer
  • Managed rule sets that are a collection of Azure-managed pre-configured set of rules

Custom rules are reviewed before processing the rules in a managed rule set. A rule is made of a match condition, a priority, and action. If such a match is processed, rules with lower priorities aren’t processed. We can create rules that meet our requirements by combining managed and custom rules. For example, we can configure custom rules based on IP address, Geographical location, HTTP parameters, size constraint, rate limiting.

WAF Actions

WAF customers can choose to run from one of the actions when a request matches a rule’s conditions:

  • Allow: Request passes through the WAF and is forwarded to the back-end. No further lower priority rules can block this request.
  • Block: The request is blocked, and WAF responds to the client without forwarding the request to the back end.
  • Log: Request is logged in the WAF logs, and WAF continues evaluating lower priority rules.
  • Redirect: WAF redirects the request to the specified URI. The URI specified it is a policy-level setting. Once configured, all requests that match the Redirect action will be sent to that URI.

WAF Monitoring

Monitoring the health of your WAF and the applications that it protects is supported by integration with Azure Security Center, Azure Sentinel, and Azure Monitor logs. WAF instances are integrated and send alerts and health information to Security Center for reporting. Azure Monitor allows us to track diagnostic information, including WAF alerts and logs.

Monitor and track diagnostics
Reference – https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

How To Deploy Azure Web Application Firewall (WAF) with Azure Application Gateway

  1. Create WAF Policy to configure the firewall. Search Web Application Firewall Policy click and Add policy. Then we need to select the type of WAF, Resource Group, Policy Name, and state.
    Basics of creating WAF Policy
    Reference – https://docs.microsoft.com/en-us/azure/web-application-firewall/cdn/waf-cdn-create-portal
  2. Select Prevent or Detect mode based on the requirement.
  3. We can configure a custom rules section to match the rule and rate limit rules. As shown in the image below, we can limit the threshold value and duration.
  4. Review your settings, then create!
Adding rate limit rule to match
Reference – https://docs.microsoft.com/en-us/azure/web-application-firewall/cdn/waf-cdn-create-portal


All organizations are exposed to a variety of malicious attacks. To protect from such, we can use Azure WAF to protect the application even from the most sophisticated threats before they reach your servers. To learn more, check out Microsoft documentation on Azure WAF or reach out to AIS.

Your cloud adoption efforts require sound security, compliance, and governance. It is our mission to make those requirements a reality. Contact AIS about our Security and Compliance Consulting Services.

Microsoft affirms its commitment to the Java ecosystem by offering open-source distribution of Java with the Microsoft Build of OpenJDK™. It’s a no-cost, Long-Term Support (LTS) distribution of OpenJDK currently available for preview.

The preview build includes the binaries for Java 11 available on x64 server and desktop environments on Windows, macOS, and Linux. An early-access release for Java 16 is available for Windows on ARM. Microsoft is currently collecting feedback on the packing and installer of the build on various platforms from the users of the preview build and aims to release the GA build by the end of 2021.

Why Microsoft is Offering JDK Distribution?

Microsoft has been deeply involved in the Java ecosystem by offering Java tools for Visual Studio Code, supporting Java on Azure, running several internal platforms, and some Azure infrastructure services on Java Virtual Machine (JVM). Microsoft runs more than 500,000 JVMs internally, excluding all Azure services and customer workloads. Azure has experienced significant growth in Java workloads through Azure Spring Cloud, Azure App Service, Azure Functions, and Azure Kubernetes Service. LinkedIn, Minecraft, and Yammer are examples of major internal platforms run on Java.

Below are few critical triggers outside the rise of internal JVM workloads for Microsoft to jump into OpenJDK distribution:

  • Cost reduction: Java support costs on Azure cloud can be reduced by avoiding commercial licenses for Java. It helps to reduce the overall Azure subscription costs by removing the cost passed to other vendors for JDK licenses.
  • Security & performance improvement: The build may contain backported fixes and enhancements for security and performance, which may not have formally backported upstream.
  • Support Java devs: Part of Microsoft’s dedication to better support Java developers on Azure.
  • Become a leader in providing toolkits for the open-source community: Microsoft has been a sponsor and contributor to the Java open-source community through AdoptOpenJDK projects since 2018, and has contributed to OpenJDK by providing more than 50 patches for OpenJDK in the last 18 months, which includes resolutions for issues in macOS packaging, build, infrastructure, and garbage collection.

Benefits to Java Developers on Azure

  • Multi-OS Support: Windows, macOS, and Linux
  • Multi-Environment Support: cloud, local data centers, and user development environments
  • Free to Use: the Microsoft Build of OpenJDK is at no cost to use.
  • Backed by Microsoft: This is backed by the promise of Microsoft. Many backported fixes and enhancements are recommended by Microsoft that may not be available in upstream OpenJDK implementations.
  • Ease of Migration: Smooth and transparent transition for existing workloads.


  • Docker image is not available at this point
  • Medium-term support releases of OpenJDK are not supported
  • No API available to access the binary distribution
  • No ARM-based macOS binary at this point

How to Install on Windows

The packages and installer for Microsoft’s OpenJDK preview build are available at https://www.microsoft.com/openjdk#11. Azure customers can try out the preview using Azure Cloud Shell too.

Download the package on the platform of your choice and confirm the Java version. For Windows, the installer takes care of the default location and setting PATH and JAVA_HOME environment variables.

Microsoft Build of OpenJDK on Windows 10

Picture 1: Microsoft Build of OpenJDK on Windows 10
A build of Open JDK 11 is already available in the Azure Cloud Shell; developers can use it with Shell.

Microsoft Build of OpenJDK on Azure Cloud Shell

Picture 2: Microsoft Build of OpenJDK on Azure Cloud Shell

We expect more enterprise organizations modernizing Java on Azure with increased support and options from Microsoft. This is welcome news to organizations with a large investment in Java and has experienced a large increase in the cost of legacy Java workloads. Need a partner to accelerate your modernization journey? Reach out to AIS today.


Azure Spring Cloud logoSpring Framework is one of the most popular frameworks for application development using Java. Spring Boot is one of the top modules of Spring Framework, which is widely used to build enterprise-grade highly scalable backend applications. Spring Boot is very popular to develop microservices using open-source technologies, and its Pivotal Team develops it.

Microsoft and Pivotal/VMware build and operate Azure Spring Cloud, a native Azure service offered as Platform as a Service (PaaS) and available on Azure Marketplace.

Why Use Azure Spring Cloud?

There are many benefits in deploying an application to Azure Spring Cloud

  • Spring Boot framework helps to reduce the overall application development time.
  • Azure Spring Cloud further accelerates and simplifies infrastructure management needed for hosting Spring Boot applications.
  • It’s easy to deploy existing Spring Boot applications without code changes.
  • For new development, the managed environment provides infrastructure services such as Eureka, Config Server, Service Registry Server, and blue-green deployment. There is no need to create, deploy or manage services that can provide these functionalities.
  • Develop and deploy rapidly without containerization dependencies.
  • It is easy to bind applications with other Azure services such as Azure Cosmos DB, Azure Database for MySQL, and Azure Cache for Redis.
  • Monitor production workload efficiently and effortlessly.
  • Provides security features to manage secrets.
  • Supports hybrid deployment.
  • Easily control ingress and egress to the app.
  • Scalable global infrastructure
  • Automatically wire apps with Spring Cloud infrastructure

Azure Service Overview

Azure Spring Cloud offers first-class support for Spring tools, and it quickly binds to other Azure services, including storage, database, monitoring, etc.

Azure Service Overview
Picture 1 – Azure Spring Cloud-Service Overview

Reference – https://docs.microsoft.com/en-us/azure/spring-cloud/media/spring-cloud-principles/azure-spring-cloud-overview.png

Service Tiers and Limits
Azure Spring Cloud offers Basic and Standard tiers and set default limits and quotas. Some default limits can be increased vis a support ticket.

Tiers for Azure Spring Cloud
Table 1 – Quotas and limits

Java, Spring Boot, and Spring Cloud Versions

  • Azure Spring Cloud hosting environment contains the latest Azul Zulu OpenJDK version for Azure, and it supports Java 8 and Java 11.
  • The minimum Spring Boot version needed for Azure Spring Cloud is either Spring Boot version 2.1 or version 2.2

The following table lists the supported Spring Boot and Spring Cloud combinations:

Spring Boot vs. Spring Cloud
Table 2 – Java and Spring supported versions

Azure Spring Cloud Setup

In this review, the application to get weather details of cities is decomposed into three microservices to explain the capabilities of Azure Spring Cloud. It includes a gateway service and two microservices for city and weather details, respectively. Microservices talk to each other to retrieve weather details of cities. Various Azure infrastructure services used in the sample app are mentioned in respective sections of this document. Below are the details of microservices:

  • A gateway microservice based on Spring Cloud Gateway: gateway application
  • A reactive microservice that stores its data on Cosmos DB: city-service application
  • A microservice that stores its data on MySQL: weather-service application
Azure Spring Cloud Instance with Microservices
Picture 2 – Azure Spring Cloud Instance with microservices deployed on Azure Portal

Deploying Spring Boot applications into Azure Spring Cloud includes the general steps below:

  • Create an Azure Spring Cloud instance through Azure Portal or using CLI, if not already created.
  • Add the Azure Spring Cloud extension by running the following command: az extension add -n spring-cloud -y
  • Build Spring Boot application locally; mvn clean package
  • Create a new Azure Spring Cloud app within your Azure Spring Cloud instance: az spring-cloud app create -n {my-app}
  • Deploy the app to Azure Spring Cloud: az spring-cloud app deploy -n {my-app} –jar-path target/my-app.jar

Deploy a sample application to Azure Spring Cloud

Below are high-level steps to create and deploy a sample application on Azure Spring Cloud using Azure portal:

  • Look for your Azure Spring Cloud instance in your resource group
  • Click on the “Apps” link under “Settings” on the navigation sidebar.
  • Click on the “Create App” link at the top of the Apps page.
  • Create a new application named “simple-microservice.”
Sample application deployed view
Picture 3 – Sample application deployed view on Azure Portal
Sample application
Picture 4 – Sample application access response on browser

Key offerings from Azure Spring Cloud

Spring Cloud Config Server

Multiple microservices can use the same Spring Cloud Service Config Server, which is pre-configured and managed. It uses a pluggable repository that currently supports local storage, Git, and Subversion. Spring Cloud Config is used here to inject settings from a Git repository into the application and display it on the screen.

Below are steps to enable Azure Spring Cloud to create a configuration server with the configuration files from a public git repository – https://github.com/Azure-Samples/spring-cloud-sample-public-config.git

Note: A public git repository is used for example purposes only.

  • Go to the Azure portal.
  • Go to the overview page of your Azure Spring Cloud server and select “Config server” in the menu
  • Set the repository URL: https://github.com/Azure-Samples/spring-cloud-sample-public-config.git
  • Click on “Validate” and wait for the operation to succeed
  • Click on “Apply” and wait for the operation to succeed
Azure Spring Cloud Config Server
Picture 5 – Settings to configure Config Server

Log Streaming and Analytics

Log Analytics is part of Azure Monitor, and it’s integrated into Azure Spring Cloud. Azure Spring Cloud offers logs/metrics collection and storage relying on Log Analytics, Azure Storage, or Azure Event Hubs.

The following are steps to configure the Azure Spring Cloud instance to send its logs to the Log Analytics workspace:

  • Create Log Analytics workspace named sclab-la-hqd2ksd3p6z3g

Configure the log analytics workspace for the Azure Spring Cloud instance:

Azure spring cloud lab arunm
Picture 6 – Settings to configure log data collection

The workspace allows running queries on the aggregated logs. Below is a screenshot of querying logs using Azure Portal.

Log Access view on Azure Portal
Picture 7 – Log access view on Azure Portal

Distributed Tracing

Azure Spring Cloud provides the capability to view Application Map, which completely relies on Azure Application Insights. It provides a detailed view of how components interact with each other and the ability to trace requests. This helps to quickly visualize how applications are performing, as well as detect and diagnose issues across microservices.

Application Map on Azure Application Insights
Picture 8 – Example of an Application Map on Azure Application Insights

Performance Metrics

Azure Spring Cloud provides out-of-the-box capabilities to review application performance metrics.

Performance dashboard on Azure Portal
Picture 9 – Example of a Performance dashboard on Azure Portal

Application Scaling

The application can be scaled out quickly based on insights from distributed tracing. Both manual scaling and auto-scaling options are available. An application can easily be configured to scale up Azure Spring Cloud app resources as needed through the Azure Portal or via equivalent Azure CLI commands.

Microsoft Azure Portal application scaling
Picture 10 – Application scaling setting example
Autoscale Settings in Azure Portal
Picture 11 – Application autoscaling settings screen

Blue-Green Deployment

The blue-green deployment pattern allows testing the latest application changes on production infrastructure without exposing the changes to consumers until your testing is complete. Refer to this documentation to set up a staging environment in Azure Spring Cloud.


Azure Spring Cloud is an excellent service to quickly build, deploy and maintain Spring Boot applications securely in the cloud with minimal efforts and a rich set of application monitoring and alerting features.

In summary, Azure Spring Cloud provides the below benefits:

  • Easy and simple development approaches
  • Less infrastructure to manage
  • High availability with b/g deployment
  • A secure network
  • Elastic and scalable infrastructure
  • Highly automated environment

Known Limitations

  • Azure portal and ARM templates do not support uploading application packages.
  • Server.port default to port 1025; other values will be overridden.
  • Spring.application.name will be overridden by the application name that’s used to create each application.
  • The latest version of Java is not supported. Azure Spring Cloud supports Java 8 and 11.
  • Spring Boot 2.4.x application has a known TLS authentication issue with Eureka.
  • Service binding currently supports only limited services; Cosmos DB, Azure DB for MySQL, and Azure Cache for Redis are currently supported.


In a previous blog post, we discussed a quick overview of Continuous Integration and Deployment of .NET applications using Visual Studio Team Services (VSTS). This involved building and deploying regular old .NET applications with VSTS—something that we would definitely expect a Microsoft service to handle. However, there is some lesser-known support that VSTS has for other frameworks, including Java. The Microsoft VSTS website even has a portal page proclaiming their Java support: “Love Java? So do we!

VSTS support for Java build frameworks such as Maven and Ant came in handy for AIS recently, as we were tasked with developing some new features for an older Java desktop application for a federal client. And I will have to say that all of the VSTS tools for Java applications worked flawlessly. We were able to easily add the Java project source code to a Team Foundation Version Control (TFVC) repository hosted online in VSTS. Oracle even has an extension for integrating with a TFVC workspace—allowing us to check in changes right from the JDeveloper IDE. Read More…

Given the widespread use of the Android operating system running on today’s mobile platforms, Android development has become an excellent choice for enhancing a developer’s skill set. Fortunately for the seasoned .NET developer, learning Android development is not a huge stretch. While there are several avenues for .NET developers looking to break into the world of Android application development, currently the most popular options are made possible by utilizing any of the following technologies:

  • Xamarin platform
  • PhoneGap framework
  • Native Android development via Java

The Xamarin platform provides the ability for .NET developers to harness their C# knowledge, create cross-platform (iOS, Android and Windows) applications, reuse existing code and perform development within Visual Studio. The greatest advantage of utilizing the Xamarin platform is a reduced time to market while supporting multiple platforms. However, due to the additional Xamarin runtime contained within the final application, the footprint tends to be larger — this could be an issue, especially for some Android devices.

The PhoneGap framework is another option for writing Android applications.  The PhoneGap framework is a client-side web application comprised of HTML5 pages using CSS and JavaScript. While it’s possible to utilize Visual Studio to code and test the application, ultimately the code will need to be packaged into a real Android application. This will require an IDE such as Eclipse or JetBrains’s IntelliJ IDEA.  The PhoneGap Build service may also be used to accomplish the application packaging. While the PhoneGap approach will provide multiple platform support, the application type should be given consideration because the PhoneGap framework relies on JavaScript, which may have performance limitations compared with native Java Android applications.

While Xamarin and PhoneGap certainly have their merits for creating Android applications, native Android development via Java provides an opportunity to take advantage of a device’s full feature set with fast execution, all wrapped in a smaller package for more rapid downloads. For a complete discussion of the various mobile platforms’ benefits/drawbacks, please read Eric Svendsen’s excellent article where he provides plenty of depth on the issue.  For now, the remaining content of this post will be to provide valuable insight for .NET developers looking to expand their language set by utilizing native Java for Android development. Read More…