Requirements for Alert Logic Managed Web Application Firewall (WAF) for Microsoft Azure
United States firewall rules
Use the following rules to communicate with the US Data Center.
Appliance inbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
204.110.218.96/27 | Appliance | TCP | 2222 | Secure Shell (AWS Autoscaling Only) |
204.110.219.96/27 | Appliance | TCP | 2222 | Secure Shell (AWS Autoscaling Only) |
208.71.209.32/27 | Appliance | TCP | 2222 | Secure Shell (AWS Autoscaling Only) |
204.110.218.96/27 | Appliance | TCP | 4849 | Appliance user interface |
204.110.219.96/27 | Appliance | TCP | 4849 | Appliance user interface |
208.71.209.32/27 | Appliance | TCP | 4849 | Appliance user interface |
204.110.218.96/27 | Appliance | TCP | 22 | Optional and temporary; required only for troubleshooting during provisioning |
204.110.219.96/27 | Appliance | TCP | 22 | Optional and temporary; required only for troubleshooting during provisioning |
208.71.209.32/27 | Appliance | TCP | 22 | Optional and temporary; required only for troubleshooting during provisioning |
Appliance outbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Appliance | 204.110.218.96/27 | TCP | 443 | Data transport |
Appliance | 204.110.219.96/27 | TCP | 443 | Data transport |
Appliance | 204.110.218.96/27 | UDP | 123 | NTP (OpenBSD and CentOS only) |
Appliance | 204.110.219.96/27 | UDP | 123 | NTP (OpenBSD and CentOS only) |
Appliance | 0.0.0.0/0 | TCP | 443 | AWS S3 (AWS only) |
Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
European Union firewall rules
Use the following rules to communicate with the EU Data Center.
Appliance inbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
185.54.124.0/24 | Appliance | TCP | 4849 | Appliance user interface |
185.54.124.0/24 | Appliance | TCP | 2222 | Secure Shell (AWS Autoscaling Only) |
185.54.124.0/24 | Appliance | TCP | 22 | Optional and temporary; required only for troubleshooting during provisioning |
Appliance outbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Appliance | 185.54.124.0/24 | UDP | 123 | NTP (OpenBSD only) |
Appliance | 0.0.0.0/0 | TCP | 443 | S3 access (optional for non-AWS) |
Appliance | 185.54.124.0/24 | TCP | 443 | Data transport/software updates |
Appliance | DNS Servers | TCP/UDP | 53 | DNS |
Virtual appliance requirements
The following sections list the requirements for installing a Managed WAF virtual appliance in the Azure environment.
Virtual appliance
Use the following information to determine your virtual machine size requirements.
Throughput calculation
Use the following calculation to estimate the throughput the Managed WAF virtual appliance must handle. The result determines the instance type size to select during the installation procedure.
To calculate throughput requirements:
- Identify each virtual server that Managed WAF will protect.
- For the first virtual server to protect:
  - Log in to the Microsoft Azure portal.
  - Select Virtual Machines from the left navigation area.
  - Click the virtual server name in the list.
  - Click Monitor.
  - Identify the Total utilization for Network In and Network Out.
  - Add these numbers together. This is the network utilization for the first virtual server.
- Repeat these steps for each virtual server you want Managed WAF to protect.
- Add the network utilization figures for all virtual servers together. This is the estimated throughput requirement for your Managed WAF virtual appliance. Select your instance type size based on this calculation.
The portal reports Network In and Network Out as data volumes (bytes) over the selected period, whereas the instance type table below gives WAF performance as a rate in Mbps. Convert the total to a rate (bytes × 8 ÷ seconds in the period ÷ 1,000,000) over the busiest period you expect before comparing it with the table, and leave headroom for peaks above the average.
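The following Python script, added here as a worked example (it is not Alert Logic's or Microsoft's code), carries the calculation through with the unit conversion the portal figures need: it takes each protected VM's Network In and Network Out byte totals over a known window, converts the sum to an average rate in Mbps, applies an assumed peak-to-average factor, and picks the smallest instance type from the table on this page that meets the result. The VM figures, the 24-hour window and the peak factor are constructed assumptions.

```python
"""Size a Managed WAF virtual appliance from Azure per-VM network totals.

Added example; this is not Alert Logic's or Microsoft's code. It assumes the
Network In / Network Out figures were read from the Azure portal as byte
totals over a known window. The VM figures and the peak-to-average factor
are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Approximate WAF performance per Azure instance type, from the table on this page.
INSTANCE_TYPES = [
    ("Small (A1)", 22),
    ("Medium (A2)", 47),
    ("Large (A3)", 94),
    ("Extra Large (A4)", 172),
]


@dataclass(frozen=True)
class VmTraffic:
    name: str
    network_in_bytes: int   # Total Network In over the monitoring window
    network_out_bytes: int  # Total Network Out over the monitoring window

    @property
    def total_bytes(self) -> int:
        # Network utilization for one VM: inbound plus outbound volume.
        return self.network_in_bytes + self.network_out_bytes


def average_mbps(total_bytes: int, window_seconds: int) -> float:
    """Convert a byte total over a window into an average rate in megabits per second."""
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    return total_bytes * 8 / window_seconds / 1_000_000


def required_throughput_mbps(vms: Iterable[VmTraffic], window_seconds: int,
                             peak_factor: float = 1.0) -> float:
    """Sum all protected VMs' volumes, convert to Mbps, and scale by an assumed
    peak-to-average factor so the appliance is not sized for the average alone."""
    total = sum(vm.total_bytes for vm in vms)
    return average_mbps(total, window_seconds) * peak_factor


def select_instance_type(required_mbps: float) -> Optional[str]:
    """Smallest instance type whose approximate WAF performance meets the
    requirement, or None if even Extra Large (A4) is too small."""
    for name, mbps in INSTANCE_TYPES:
        if mbps >= required_mbps:
            return name
    return None


# Constructed sample: two protected VMs measured over a 24-hour window.
SAMPLE_VMS = [
    VmTraffic("web-01", network_in_bytes=120_000_000_000, network_out_bytes=300_000_000_000),
    VmTraffic("web-02", network_in_bytes=60_000_000_000, network_out_bytes=150_000_000_000),
]
ONE_DAY_SECONDS = 24 * 60 * 60

if __name__ == "__main__":
    need = required_throughput_mbps(SAMPLE_VMS, ONE_DAY_SECONDS, peak_factor=2.0)
    print(f"estimated requirement: {need:.1f} Mbps -> {select_instance_type(need)}")
```

With the constructed figures the two VMs average about 58 Mbps over the day; doubling that for peaks gives roughly 117 Mbps, which the Large (A3) type cannot carry, so the script selects Extra Large (A4). A `None` result means the traffic exceeds what a single appliance of the largest listed type can handle.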
Instance type sizes
The following table shows the compute instance types on which Managed WAF runs in Microsoft Azure, with the approximate WAF throughput of each.
Instance type | Cores | Memory (GB) | WAF performance |
---|---|---|---|
Small (A1) | 1 | 1.75 | ~ 22 Mbps |
Medium (A2) | 2 | 3.5 | ~ 47 Mbps |
Large (A3) | 4 | 7 | ~ 94 Mbps |
Extra Large (A4) | 8 | 14 | ~172 Mbps |
The actual web application firewall (WAF) performance for your deployment depends on factors such as request size, complexity, and the ratio of inbound to outbound traffic. The Small (A1) instance type provides about 22 Mbps and is primarily used for test deployments and low-traffic web applications.
Microsoft Azure endpoints
All virtual machines you create in Microsoft Azure use a private network channel to automatically communicate with other virtual machines in the same cloud service or virtual network. However, to allow inbound network traffic from Alert Logic, you must add endpoints and Access Control List (ACL) entries to your virtual machine.
For more information, see Microsoft's documentation about endpoints.
Managed WAF supports HTTP and HTTPS traffic on alternate ports. For simplicity, these instructions assume the default ports 80 and 443 for HTTP and HTTPS traffic.
Create the following endpoints and ACL entries for Managed WAF in Microsoft Azure.
Endpoint (public port) | ACL entry (permitted source) | Protocol | Description |
---|---|---|---|
22 | 204.110.219.96/27 | SSH | Secure shell (Alert Logic primary data center) |
22 | 204.110.218.96/27 | SSH | Secure shell (Alert Logic DR data center) |
4849 | 204.110.219.96/27 | HTTPS | Appliance management (Alert Logic primary data center) |
4849 | 204.110.218.96/27 | HTTPS | Appliance management (Alert Logic DR data center) |
443 | n/a | HTTPS | HTTPS traffic |
80 | n/a | HTTP | HTTP traffic |
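As an added check (example code, not Alert Logic's), the following Python script reconciles the ACL you have actually deployed against the inbound rules in the United States firewall table and the endpoints table above: it reports Alert Logic ranges that still lack access to the appliance UI port, management ports opened to sources outside those ranges, and port 22 rules that the firewall table marks as provisioning-only. CURRENT_ACL is a constructed stand-in for your own ACL or NSG entries.

```python
"""Reconcile the Azure endpoint ACL for a Managed WAF appliance against the
inbound rules on this page.

Added example; this is not Alert Logic's code. ALERT_LOGIC_US and the
management ports are transcribed from the US inbound firewall table and the
endpoints table above; CURRENT_ACL is a constructed stand-in for the allow
rules actually deployed on the appliance (one tuple per ACL entry or NSG rule).
"""
import ipaddress

ALERT_LOGIC_US = [ipaddress.ip_network(cidr) for cidr in (
    "204.110.218.96/27", "204.110.219.96/27", "208.71.209.32/27")]

# Port 4849 (appliance UI) must be reachable from every Alert Logic range;
# port 22 is optional and temporary (provisioning only); 2222 is AWS autoscaling only.
REQUIRED_FROM_ALERT_LOGIC = [(4849, "tcp")]
TEMPORARY_PORTS = {22}
MANAGEMENT_PORTS = {22, 2222, 4849}

# Constructed: the allow rules currently deployed, as (source CIDR, protocol, port).
CURRENT_ACL = [
    ("204.110.218.96/27", "tcp", 4849),
    ("204.110.219.96/27", "tcp", 4849),
    ("0.0.0.0/0", "tcp", 22),            # world-reachable SSH left over from provisioning
    ("204.110.219.96/27", "tcp", 22),
    ("0.0.0.0/0", "tcp", 443),           # public web traffic, as intended
    ("0.0.0.0/0", "tcp", 80),
]


def _from_alert_logic(src: str) -> bool:
    """True if the source prefix lies entirely within an Alert Logic range."""
    net = ipaddress.ip_network(src)
    return any(net.subnet_of(al) for al in ALERT_LOGIC_US)


def missing_rules(acl, required=REQUIRED_FROM_ALERT_LOGIC, sources=ALERT_LOGIC_US):
    """Required (source, protocol, port) triples that no deployed rule permits."""
    missing = []
    for port, proto in required:
        allowed = [ipaddress.ip_network(src) for src, p, pt in acl
                   if p == proto and pt == port]
        for src in sources:
            if not any(src.subnet_of(net) for net in allowed):
                missing.append((str(src), proto, port))
    return missing


def exposed_management_rules(acl, ports=MANAGEMENT_PORTS):
    """Rules that open a management port to sources outside the Alert Logic ranges."""
    return [(src, proto, port) for src, proto, port in acl
            if port in ports and not _from_alert_logic(src)]


def temporary_rules(acl, ports=TEMPORARY_PORTS):
    """Rules on ports the page marks as provisioning-only; remove them once provisioning is done."""
    return [(src, proto, port) for src, proto, port in acl if port in ports]


if __name__ == "__main__":
    for label, found in (("missing", missing_rules(CURRENT_ACL)),
                         ("exposed management", exposed_management_rules(CURRENT_ACL)),
                         ("temporary", temporary_rules(CURRENT_ACL))):
        print(f"{label}: {found}")
```

Run against the constructed ACL, the script reports that the third US range (208.71.209.32/27) cannot reach port 4849, that port 22 is open to 0.0.0.0/0, and that two port 22 rules remain to be removed after provisioning. The ports 80 and 443 rules are deliberately not flagged: those are the public web endpoints.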
Microsoft Azure virtual networks
Managed WAF appliances and Microsoft Azure web servers must be located in the same virtual network. Since each virtual network is run as an overlay, only virtual machines and services that are part of the same network can access each other. Services outside the virtual network have no way to identify or connect to services hosted within virtual networks, unless specific ACL entries are added for external Internet sources.
Geo-redundant replication
Enable Geo-redundant replication when you set up your Microsoft Azure environment for Managed WAF. With this option enabled, Microsoft Azure replicates your storage account data to a secondary region in the same geography, hundreds of miles from the primary region. When you create, update, or delete data in your storage account, the transaction is committed in the primary location and then replicated asynchronously to the secondary location. In the event of a major disaster that affects the primary storage account location, Microsoft Azure first attempts to restore the primary location. If this is not possible, Microsoft Azure updates the storage account DNS name to point to the secondary location.
Traffic encryption
Managed WAF supports end-to-end encryption with Secure Sockets Layer (SSL), which is required for HIPAA compliance. If encryption is required all the way to the backend server, configure Managed WAF to re-encrypt traffic before forwarding it to the server: select SSL for both inbound and outbound traffic when configuring the website in Managed WAF.
HTTPS support
To support multiple HTTPS websites on one instance, the Server Name Indication (SNI) option must be used, or you must use a wild-card certificate that covers all websites. Some older unsupported browsers such as Internet Explorer on Windows XP do not support SNI.
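The following Python, added as an example and not part of Alert Logic's product, shows how to decide between the two options for a concrete site list: it checks which sites a wildcard or multi-name certificate covers under the single-label wildcard rule (`*.example.com` covers `www.example.com` but neither `example.com` nor `a.b.example.com`), and flags that SNI is required when more than one certificate would be needed on the instance. The certificates and site names are constructed.

```python
"""Decide whether one certificate can serve every HTTPS site on a Managed WAF
instance, or whether SNI is required.

Added example; not Alert Logic's code. Implements the single-label wildcard
rule used by browsers: '*' must be the whole left-most label and matches
exactly one DNS label. The certificate inventory and site list are constructed.
"""
from typing import Dict, Iterable, List, Optional


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly '*.example.com') covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Reject partial wildcards ('w*.example.com'), wildcards beyond the first
    # label, and overly broad names such as '*.com'.
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False
    # A wildcard covers exactly one label: the label counts must be equal.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def uncovered_sites(cert_names: Iterable[str], sites: Iterable[str]) -> List[str]:
    """Sites that none of the given certificate names cover."""
    names = list(cert_names)
    return [s for s in sites if not any(name_matches(n, s) for n in names)]


def plan_certificates(sites: Iterable[str],
                      certs: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Map each site to the first certificate (by inventory key) covering it, or None."""
    assignment: Dict[str, Optional[str]] = {}
    for site in sites:
        assignment[site] = next(
            (cid for cid, names in certs.items() if any(name_matches(n, site) for n in names)),
            None)
    return assignment


def sni_required(assignment: Dict[str, Optional[str]]) -> bool:
    """SNI is needed when the sites on one instance are served by more than one certificate."""
    used = {c for c in assignment.values() if c is not None}
    return len(used) > 1


# Constructed inventory: a wildcard certificate with the apex as a second SAN,
# plus a single-name certificate for a site on another domain.
CERTS = {
    "wildcard-example": ["*.example.com", "example.com"],
    "shop-cert": ["shop.example.net"],
}
SITES = ["www.example.com", "api.example.com", "example.com",
         "deep.api.example.com", "shop.example.net"]

if __name__ == "__main__":
    plan = plan_certificates(SITES, CERTS)
    print(plan)
    print("uncovered by wildcard alone:", uncovered_sites(["*.example.com"], SITES))
    print("SNI required:", sni_required(plan))
```

For the constructed inventory, `deep.api.example.com` is covered by nothing (a wildcard does not span two labels), and because `shop.example.net` needs a second certificate, SNI is required; the alternative would be a single certificate whose names cover every site, which the `uncovered_sites` check verifies before you commit to it.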
Operating system and browser support
The Alert Logic console supports the current version and the previous major version of the following operating systems and browsers:
Operating system support | Browser support |
---|---|
Mac, Linux, and Windows | Chrome, Safari, Firefox, Opera, and Internet Explorer |
Alert Logic cannot guarantee that other browsers and versions will work with its products.