NGINX Full Version

Securing Applications in Microsoft Azure App Service with NGINX Plus

The rise of cloud computing – and Platform as a Service (PaaS) and Container as a Service (CaaS) offerings in particular – is changing the way companies deploy and operate their business applications. One of the most important challenges when designing cloud applications is choosing fully managed cloud services that reduce costs and time‑consuming operational tasks without compromising security.

This blog post shows you how to host applications on Microsoft Azure App Service and secure them with NGINX Plus to prevent attacks from the Internet.

Brief Overview of Microsoft Azure App Service

Microsoft Azure App Service is an enterprise‑grade and fully managed platform that allows organizations to deploy web, API, and mobile apps in Microsoft Azure without managing the underlying infrastructure, as shown in Figure 1. Azure App Service provides the following main features:

Figure 1: Azure App Service

With Azure App Service, Microsoft provides a rich and fast way to run web applications on the cloud. Indeed, developers can develop their applications locally using ASP.NET, Java, Node.js, PHP, and Python and easily deploy them to Azure App Service with Microsoft Visual Studio or the Azure CLI. DevOps teams can also benefit from Azure App Service’s continuous deployment feature to deploy application releases quickly and reliably on multiple environments.

Applications on Azure App Service can access other resources deployed on Azure or can establish connections over VPNs to on‑premises corporate resources.

Understanding Azure App Service Environments

Basically, an application created with Azure App Service is exposed directly to the Internet and assigned to a subdomain of For more security, you can protect your app with SSL termination, or with authentication and authorization protocols such as OAuth2 or OpenID Connect (OIDC). However, it is not possible to customize the network with fine‑grained outbound and inbound security rules or apply middleware such as a web application firewall (WAF) to prevent malicious attacks or exploits that come from the Internet.

If you run sensitive applications in Azure App Service and want to protect them, you can use Azure App Service Environments (ASEs). An ASE is an isolated environment deployed into a virtual network and dedicated to a single customer’s applications. Thus, you gain more control over inbound and outbound application network traffic.

With ASEs you can deploy web, API, mobile, or functions apps inside a more secure environment at very high scale, as shown in Figure 2.

Figure 2: NGINX ModSecurity WAF filtering traffic for an Azure ASE

Creating a New ASE v2

There are two versions of the ASE: ASE v1 and ASE v2. In this post we’re discussing ASE v2.

You can create a new ASE v2 manually by using the Azure Portal, or automatically by using Azure Resource Manager.

When creating a new ASE, you have to choose between two deployment types:

In the following example, we’re choosing an ILB ASE to prevent access from the Internet. Thus, applications deployed in our ASE are accessible only from virtual machines (VMs) running in the same network. The following two commands use Azure Resource Manager and the Azure CLI to provision a new ILB ASE v2:

$ azure config mode arm
$ azure group deployment create my-resource-group my-deployment-name --template-uri

Securing Access to Apps in a Publicly Accessible ASE

If, on the other hand, you want your app to be reachable from the Internet, you have to protect it against malicious attackers that might attempt to steal sensitive information stored in your application.

To secure applications at Layer 7 in an ASE, you have two main choices:

(You can substitute a custom application delivery controller [ADC] with WAF capabilities, but we don’t cover that use case here.)

The choice of solution depends on your security constraints. On one hand, Azure Application Gateway provides a turnkey solution for security enforcement and doesn’t require you to maintain the underlying infrastructure. On the other hand, deploying NGINX Plus on VMs gives you a powerful stack with more control and flexibility to fine‑tune your security rules.

Choosing between Azure Application Gateway and NGINX Plus to load balance and secure applications created inside an ASE requires a good understanding of the features provided by each solution. While Azure Application Gateway works for simple use cases, for complex use cases it does not provide many features that come standard in NGINX Plus.

The following table compares support for load‑balancing and security features in Azure Application Gateway and NGINX Plus. More details about NGINX Plus features appear below the table.

Feature Azure Application Gateway NGINX Plus
Mitigation capability Application layer (Layer 7) Application layer (Layer 7)
SSL offloading
Routing capabilities Simple decision based on request URL or cookie‑based session affinity Advanced routing capabilities
IP address-based access control lists ❌ (must be defined at the web-app level in Azure)
Endpoints Any Azure internal IP address, public Internet IP address, Azure VM, or Azure Cloud Service Any Azure internal IP address, public Internet IP address, Azure VM, or Azure Cloud Service
Azure Vnet support Both Internet‑facing and internal (Vnet) applications Both Internet‑facing and internal (Vnet) applications
Volumetric attacks Partial Partial
Protocol attacks Partial Partial
Application-layer attacks
HTTP Basic Authentication
JWT authentication
OpenID Connect SSO

As you can see, NGINX Plus and Azure Application Gateway both act as ADCs with Layer 7 load‑balancing features plus a WAF to ensure strong protection against common web vulnerabilities and exploits.

NGINX Plus provides several additional features missing from Azure Application Gateway:

For additional security, you can deploy Azure DDoS Protection to mitigate threats at Layers 3 and 4, complementing the Layer 7 threat‑mitigation features provided by Azure Application Gateway or NGINX Plus.

Using NGINX Plus with Azure App Service to Secure Applications

Figure 3 shows how to combine NGINX Plus and Azure App Service to provide a secure environment for running business applications in production. This deployment strategy uses NGINX Plus for its load balancing and WAF features.

Figure 3: NGINX Plus load balances traffic to applications in an Azure ASE

The deployment combines the following components:

Azure also supports resource groups as an easy way to group the Azure resources for an application in a logical manner. Using a resource group has no impact on infrastructure design and topology, and we don’t show them here.

NGINX Plus High Availability and Autoscaling with Azure VM Scale Sets

An Azure VM scale set gives you the power of virtualization with the ability to scale at any time without having to buy and maintain the physical hardware that supports scaling. However, you are still responsible for maintaining the VM by performing tasks such as configuring, patching, security updating, and installing the software that runs on it.

In the architecture shown in Figure 4, NGINX Plus instances are deployed for active‑active high availability inside an Azure VM scale set. An active‑active setup is great because all of the NGINX Plus VMs can handle an incoming request routed by Azure Load Balancer, giving you cost‑efficient capacity.

Figure 4: Azure VM scale set with Azure Load Balancer load balancing traffic to NGINX Plus

With Azure VM scale sets, you can also easily set up autoscaling of NGINX Plus instances based on average CPU usage. You need to take care to synchronize the NGINX Plus config files in this case. You can use the NGINX Plus configuration sharing feature for this purpose, as described in the NGINX Plus Admin Guide.


By using Azure App Service for your cloud applications and NGINX Plus in front of your web apps, API, and mobile backends, you can load balance and secure these applications at a global scale. By using NGINX Plus in conjunction with Azure App Service, you get a fully load‑balanced infrastructure with a high level of protection against exploits and attacks from the web. This ensures a robust design to run critical applications in production in a secure way.


Web Apps overview (Microsoft)
Introduction to the App Service Environments (Microsoft)
Create an application gateway with a web application firewall using the Azure portal (Microsoft)
Compare features in NGINX Open Source and NGINX Plus (NGINX)
HTTP Load Balancing (NGINX)

Guest co‑author Cedric Derue is a Solution Architect and Microsoft MVP at Altran. Guest co‑author Vincent Thavonekham is Microsoft Regional Director and Azure MVP at VISEO.

Exit mobile version