Sitecore Managed Cloud Standard (MCS) – PaaS 1.0 Setup WAF Service Request


Introduction

Sitecore Managed Cloud customers who want to protect their Sitecore application from common web vulnerabilities and attacks can raise a Setup Azure Application Gateway (AG) with Web Application Firewall (WAF) enabled Service Request. This article outlines what Managed Cloud customers need to know about the technical implementation of Azure Application Gateway (AG) and Web Application Firewall (WAF).

For more details on the Azure AG and WAF products and how they work to secure a Sitecore Content Delivery (CD) server, refer here.

Prerequisites

The following items MUST be included in the Service Request raised to the Managed Cloud support:

Limitation

Azure AG with WAF enabled is only applicable for Sitecore CD web app and is not compatible with Content Management (CM) servers. For further information see here.

Deployment And Timing

The following notes describe the timeframe and the overall process followed by the Sitecore Managed Cloud team in completing this Service Request:

  1. The AG + WAF enabled deployment takes about an hour. During this time, IP restrictions are configured on the Sitecore CD web app in Azure, so the CD becomes unavailable through its direct endpoint, such as the *.azurewebsites.net URL. Access becomes available only through a Public IP address.
    Customers can opt out of the IP restriction by selecting Do not apply CD IP Restriction Configuration in the Service Request. This is especially important if the site is live and there is ongoing traffic.
  2. Immediately after the WAF service has been deployed, the customer must configure their DNS server to create the required records. DNS records on NS servers might take up to 72 hours to fully update, so the final configuration might require up to 3 days.
  3. Managed Cloud support coordinates a time window with the customer for the WAF deployment. The best practice is to set up AG with WAF enabled well before an environment goes live, to reduce the risk of downtime and the impact of any unforeseen complications. Managed Cloud support requests 2 business days' notice to schedule the maintenance window.

Initial Configurations

The following are the changes and additional resources:

Post Setup

Scope Of Support

The Sitecore Managed Cloud team provides Limited Support for Managed Cloud Standard customers using the Azure AG + WAF enabled product with their Sitecore implementation. This Limited Support scope includes the Azure WAF component with Azure Application Gateway.

Initial setup

| Task | Sitecore | Customer |
|---|---|---|
| Initial AG + WAF setup and integration with Sitecore CD role in standard Sitecore topologies. | R, A | C, I |
| Configure basic HTTP and HTTPS Listeners on initial setup. | R, A | C, I |
| Configure AG + WAF diagnostic setting to OMS. | R, A | C, I |
| Configure Prevention mode for the WAF on initial setup. | R, A | C, I |
| Configure default WAF settings such as rulesets and policies on the initial setup. | R, A | C, I |
| Update Sitecore CD availability test to AG. | R, A | C, I |
| Troubleshooting Sitecore application challenges related to WAF. | R, A | C, I |

 

Post Setup

| Task | Sitecore | Customer |
|---|---|---|
| Decide if WAF should be in Detection or Prevention mode based on the evaluation of AG logging and validation of all Sitecore CD functionality. | C, I | R, A |
| Troubleshooting Sitecore application challenges related to WAF [2]. | C, I | R, A |
| Customize appropriate AG settings such as listeners and backend configurations. | C, I | R, A |
| DNS changes necessary to redirect from your Azure Sitecore CD to the new Public IP. | C, I | R, A |
| Adjust AG scale units according to capacity and needs. | C, I | R, A |
| Assistance with production incidents related to WAF [3]. | C, I | R, A |
| Update Application Gateway certificate. | C, I | R, A |
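
The Post Setup task of choosing between Detection and Prevention mode relies on evaluating AG logging. The following is an added example, not part of the original article or of Sitecore's tooling: it groups WAF firewall log entries by rule and request path so that rules firing for several distinct clients on the same CD path can be reviewed first. It assumes records exported in the shape of Azure's ApplicationGatewayFirewallLog diagnostic category, one JSON object per line; the sample records, paths, and the `min_clients` threshold are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON record per line in the shape of Azure's
# ApplicationGatewayFirewallLog category. All values are made up.
SAMPLE_LOG = """\
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/forms/contact?x=1","ruleId":"942130","action":"Detected"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.11","requestUri":"/forms/contact","ruleId":"942130","action":"Detected"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.12","requestUri":"/forms/contact?y=2","ruleId":"942130","action":"Detected"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.7","requestUri":"/search","ruleId":"941100","action":"Detected"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"198.51.100.7","requestUri":"/search"}}
not json
"""

def parse_firewall_log(text):
    """Yield the properties of each firewall record; skip other categories and bad lines."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line in the export
        if isinstance(rec, dict) and rec.get("category") == "ApplicationGatewayFirewallLog":
            yield rec.get("properties", {})

def summarize(text):
    """Return {(ruleId, path): {"hits": n, "clients": set, "actions": Counter}}."""
    summary = defaultdict(lambda: {"hits": 0, "clients": set(), "actions": Counter()})
    for p in parse_firewall_log(text):
        path = p.get("requestUri", "").split("?", 1)[0]  # ignore the query string
        entry = summary[(p.get("ruleId"), path)]
        entry["hits"] += 1
        entry["clients"].add(p.get("clientIp"))
        entry["actions"][p.get("action")] += 1
    return dict(summary)

def review_candidates(text, min_clients=2):
    """Rule/path pairs seen from at least min_clients distinct clients, most hits first.
    The threshold is an assumed heuristic for what to review first, not a verdict."""
    rows = [(k, v) for k, v in summarize(text).items() if len(v["clients"]) >= min_clients]
    return sorted(rows, key=lambda kv: -kv[1]["hits"])

if __name__ == "__main__":
    for (rule_id, path), info in review_candidates(SAMPLE_LOG):
        print(rule_id, path, info["hits"], len(info["clients"]), dict(info["actions"]))
```
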

 

Note

Legend: