Deployment in Azure App Services

A convenient way to run CloudGuard WAF Docker is using Azure App Services providing:

Managed Docker Environment
Secure Certificate Store
Scalability

Prerequisites

When configuring CloudGuard WAF Docker Image in Azure App Service you will need to provide an Azure Integration Subnet (a new subnet in your VNet), that allow access to the protected asset.

To create an Azure Integration Subnet follow these steps:

Step 1: Login to portal.azure.com, and search for Virtual Networks

Step 2: Select the Virtual Network where the protected asset is residing

Step 3: From the menu on left choose Subnets

Step 4: Create a new Subnet

Name: enter a unique name for your subnet
Subnet address range: it is recommended to assign at least /24. For more details see Azure documentation.

Click Save

Configuration

Step 1: Obtain the registration token from CloudGuard WAF profile

Make sure you obtain the <token> from the Enforcement Profile page, Authentication section. you will need it during agent deployment.

Step 2: Log into App service in Azure

Step 3: Create a new Web App

Click on Create->Web App

Step 4: Fill "Basics" form details

Make sure to select under the Instance Details section:

Name: enter a uniuque instance name
Publish: choose Docker Container
Operating System: choose Linux
Region: choose relevant Region (where you application VNETs reside)

Pricing Plan: choose relevant Pricing Plan
- For Testing it is recommended to use Basic B3
- For Production it is recommended to use Premium V3 P1V3 (or stronger)
Zone Redundancy: Enable/Disable according to your needs

Click Next

Step 5: Fill "Docker" form details

Note - package file and folder names contain the name appsec - short for "Application Security" provided by CloudGuard WAF.

Make sure to select:

Options: select Single Container
Image Source: select Docker Hub
Access Type: select Public
Image and tag: checkpoint/cloudguard-appsec-standalone:latest
Startup Command: /cloudguard-appsec-standalone --token <token>

Note - The <token> is the token that was retrieved in step 1.

Click Next

Step 6: Fill "Networking" form details

In order to allow access to the virtual network with the protected assets, change Enable Network Injection to On and select the Virtual Network where the protected asset reside.

In the Outbound Access section, select the Outbound subnet to be the Integration Subnet that you created in the Prerequisites section of this page.

Click Review + Create or if you like to change some of the other defaults click Next

Step 7: Complete the Web App Deployment and verify an agent was connected successfully

Azure App Services will now launch the Docker image and it will connect to the Check Point Cloud. You will get a notification in the Infinity Portal.

Step 8: Certificates Configuration

Azure provides a variety of options to use a certificate. Browse to App Services, select the newly created CloudGuard App Service.

In the Overview Page, Properties Tab, click Add Custom Domain and in the next screen click again Add Custom Domain.

You can now choose among the various options. For example to have a Certificate issued automatically by Azure, select All other domain services, enter a domain name and follow the instructions.

Step 9: Auto-Scaling (Optional)

Azure App Services provides both Scale-up (more CPU/memory) and Scale-Out (additional instances) options. It is highly recommended to setup Scale-Out if you have a Production environment which is likely to grow or have traffic bursts.

To enable scaling Browse to App Services, select the newly created CloudGuard App Service and choose Scale-up or Scale-Out in the menu. See also Azure Documentation about Automatic Scaling.

Step 10: Health-check (Optional)

Azure App Services allow to check the health of an application. It increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy. It does that by accessing every minute a path of your web application of your choice.

To enable it, Browse to App Services, select the newly created CloudGuard App Service and choose Health-check in the menu. See also Azure Documentation about Health-check.

Troubleshooting For debugging purpose it is possible to activate an SSH server within the docker container by using the following parameters when running the docker. For security reasons, it is NOT recommended to use this option in production. --ssh-enable --ssh-user <username> --ssh-hash <hash>

The hash of you password can be calculated like this:

openssl passwd -6 -salt <user-salt> ClearTextPassword