# Deployment in Azure App Services

A convenient way to run the CloudGuard WAF Docker image is Azure App Services, which provides:

* Managed Docker Environment
* Secure Certificate Store
* Scalability

### Prerequisites

When configuring the CloudGuard WAF Docker image in Azure App Service, you must provide an [Azure Integration Subnet](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration) (a new subnet in your VNet) that allows access to the protected asset.

<figure><img src="/files/APLQdmWPsAwwSMYP6Ky3" alt=""><figcaption></figcaption></figure>

To create an Azure Integration Subnet follow these steps:

**Step 1:** Log in to [portal.azure.com](https://portal.azure.com) and search for Virtual Networks

**Step 2:** Select the Virtual Network where the protected asset resides

**Step 3:** From the menu on the left, choose **Subnets**

![](/files/6RelwRC2c8BXHb0JUess)

**Step 4:** Create a new Subnet

* **Name**: enter a unique name for your subnet
* **Subnet address range**: it is recommended to assign at least /24. For more details see [Azure documentation](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration).

Click **Save**

### Configuration

#### Step 1: Obtain the registration token from CloudGuard WAF profile

{% hint style="info" %}
Make sure you obtain the \<token> from the [Enforcement **Profile**](/getting-started/deploy-enforcement-point.md) page, **Authentication** section. You will need it during agent deployment.

![](/files/tAyti9aG3utyFHls2McN)
{% endhint %}

#### Step 2: Log into App service in Azure

Log in to [portal.azure.com](https://portal.azure.com) and search for App Services.

#### Step 3: Create a new Web App

Click on Create->Web App

<figure><img src="/files/UJ2X7ExL8nkmDZcgN45J" alt=""><figcaption></figcaption></figure>

#### Step 4: Fill "Basics" form details

Make sure to select under the **Instance Details** section:

* **Name:** enter a unique instance name
* **Publish:** choose **Docker Container**
* **Operating System:** choose **Linux**
* **Region:** choose the relevant **Region** (where your application VNETs reside)

<figure><img src="/files/FpU4ZP5inSWOzzSbcqr8" alt=""><figcaption></figcaption></figure>

* **Pricing Plan:** choose relevant Pricing Plan
  * For Testing it is recommended to use **Basic B3**
  * For Production it is recommended to use **Premium V3 P1V3** (or stronger)
* **Zone Redundancy**: Enable/Disable according to your needs

Click **Next**

#### Step 5: Fill "Docker" form details

**Note** - package file and folder names contain the name appsec - short for "Application Security" provided by CloudGuard WAF.

Make sure to select:

* **Options:** select **Single Container**
* **Image Source:** select **Docker Hub**
* **Access Type:** select **Public**
* **Image and tag:** `checkpoint/cloudguard-appsec-standalone:latest`
* **Startup Command:** `/cloudguard-appsec-standalone --token <token>`

**Note** - The \<token> is the token that was retrieved in step 1.

<figure><img src="/files/S0KC2Kmm7CDmYYjlEGhG" alt=""><figcaption></figcaption></figure>

Click **Next**

#### Step 6: Fill "Networking" form details

To allow access to the virtual network with the protected assets, change **Enable Network Injection** to **On** and select the **Virtual Network** where the protected asset resides.

<figure><img src="/files/frtEzlaR1LRmjhOmUiTh" alt=""><figcaption></figcaption></figure>

In the **Outbound Access** section, select the **Outbound subnet** to be the Integration Subnet that you created in the Prerequisites section of this page.

<figure><img src="/files/RVwHw3qQEYzybuRRJ2Ef" alt=""><figcaption></figcaption></figure>

Click **Review + Create**, or click **Next** if you would like to change some of the other defaults.

#### Step 7: Complete the Web App Deployment and verify an agent was connected successfully

Azure App Services will now launch the Docker image and it will connect to the Check Point Cloud. You will get a notification in the Infinity Portal.

<figure><img src="/files/B5QRYAp16foZFHtumQU3" alt=""><figcaption></figcaption></figure>

#### Step 8: Certificates Configuration

Azure provides a variety of options for using a certificate. Browse to **App Services** and select the newly created CloudGuard App Service.

In the **Overview** page, **Properties** tab, click **Add Custom Domain**, and in the next screen click **Add Custom Domain** again.

You can now choose among the various options. For example, to have a certificate issued automatically by Azure, select **All other domain services**, enter a domain name and follow the instructions.

#### Step 9: Auto-Scaling (Optional)

Azure App Services provides both **Scale-up** (more CPU/memory) and **Scale-Out** (additional instances) options. It is highly recommended to set up Scale-Out if you have a Production environment that is likely to grow or to have traffic bursts.

To enable scaling, browse to **App Services**, select the newly created CloudGuard App Service and choose **Scale-up** or **Scale-Out** in the menu. See also [Azure Documentation about Automatic Scaling](https://learn.microsoft.com/en-us/azure/app-service/manage-automatic-scaling?tabs=azure-portal).

#### Step 10: Health-check (Optional)

Azure App Services can check the health of an application. This increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy. It does so by accessing, every minute, a path of your web application that you choose.

To enable it, browse to **App Services**, select the newly created CloudGuard App Service and choose Health-check in the menu. See also [Azure Documentation about Health-check](https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check?tabs=dotnet).

<figure><img src="/files/CWvLUAluSKyiFM0nE1P2" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Troubleshooting**\
\
For debugging purposes, it is possible to activate an SSH server within the Docker container by using the following parameters when running the container. **For security reasons, it is NOT recommended to use this option in production.**\
\
`--ssh-enable --ssh-user <username> --ssh-hash <hash>`

The hash of your password can be calculated like this:

`openssl passwd -6 -salt <user-salt> ClearTextPassword`

1. `-6` selects the SHA-512 algorithm
2. \<user-salt> is a salt that randomizes the resulting hash

Note: Azure App Services allows SSH access to the container, but requires the username to be **root** and the password to be **Docker!**
{% endhint %}
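
The `openssl passwd` command from the Troubleshooting note puts the cleartext password on the command line, where it is visible in the process list and in shell history. The following added example (not part of the original CloudGuard documentation) reads the password from standard input instead, uses a random salt, and checks the result before building the parameters; the function names and the `debuguser` name are hypothetical.

```shell
# Added example: produce the value for --ssh-hash without exposing the
# password in argv. Function names are hypothetical, not CloudGuard's.

# make_salt: prints 16 random hex characters, a valid SHA-512 crypt salt.
make_salt() {
    openssl rand -hex 8
}

# hash_password SALT: reads the cleartext password from stdin (one line)
# and prints the SHA-512 crypt hash, i.e. $6$<salt>$<digest>.
hash_password() {
    openssl passwd -6 -salt "$1" -stdin
}

# is_sha512_crypt HASH: succeeds only for the $6$<salt>$<86-char digest>
# layout, so a truncated or mis-pasted hash is caught before deployment.
is_sha512_crypt() {
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'
}

# ssh_debug_args USER HASH: prints the page's debug parameters, refusing
# anything that is not a well-formed SHA-512 crypt hash.
ssh_debug_args() {
    if ! is_sha512_crypt "$2"; then
        echo "refusing: value is not a SHA-512 crypt hash" >&2
        return 1
    fi
    printf '%s %s %s %s %s\n' --ssh-enable --ssh-user "$1" --ssh-hash "$2"
}

# Typical interactive use (kept as a comment so sourcing this file is silent):
#   stty -echo; IFS= read -r pw; stty echo
#   ssh_debug_args debuguser "$(printf '%s\n' "$pw" | hash_password "$(make_salt)")"
```

Because the salt is embedded in the hash, it does not need to be stored separately; generate a fresh one each time the password changes.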


