Azure Security Design to Prevent Attacks — Use cases

Gopi Narayanaswamy
5 min read · Nov 20, 2021


In this article I walk through a few use cases for protecting an Azure cloud environment through security design and by enabling features available in Azure. I also explain attacks such as DDoS, XSS and SQL injection in detail, and how to prevent them in an Azure cloud environment, using three use cases.

Use Case 1: DDoS Attack on a Web Application hosted on a Virtual Machine

In this use case, the customer has deployed a web application on an Azure VM running in a public subnet.

What is a DDoS attack?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

How to mitigate this scenario?

Host the VM inside an Azure VNet with the DDoS protection switch enabled. By enabling DDoS protection on the VNet we can prevent DDoS attacks in Azure; the details of Azure DDoS Protection follow.

Azure DDoS Protection

  • Allows you to protect your Azure resources from denial of service (DoS) attacks.
  • DDoS protection (layers 3 and 4) offers two service tiers: Basic and Standard.

DDoS Protection Basic

  • Enabled by default (free).
  • Mitigates common network attacks.
  • Both Basic and Standard protect IPv4 and IPv6 public IP addresses.

DDoS Protection Standard

  • Adds advanced capabilities for protecting you against network attacks, such as logging, alerting, and telemetry.
  • Mitigates the following attacks:
      • Volumetric attacks — flood the network layer with traffic.
      • Protocol attacks — exploit a weakness in layers 3 and 4.
      • Resource layer attacks — a layer 7 attack that disrupts the transmission of data between hosts.
  • Enables you to configure alerts at the start and stop of an attack.
  • Metric data is retained for 30 days.
  • Provides auto-tuned mitigation policies (TCP/TCP SYN/UDP) for each public IP.
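The "DDoS switch" from Use case 1, written as a Bicep template. This is an added example and not part of the original article; the resource names, the address ranges and the `location` parameter are assumptions, and the Standard tier is what the DDoS protection plan attaches to the VNet.

```bicep
// Added example (not from the article): VNet for the web VM with DDoS Protection
// Standard enabled. Names, address ranges and 'location' are assumptions.
param location string = resourceGroup().location
param vnetName string = 'web-vnet'

// The Standard tier is attached to a VNet through a DDoS protection plan.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2021-02-01' = {
  name: 'web-ddos-plan'
  location: location
}

resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    // Weak default: enableDdosProtection is false, leaving only Basic protection.
    // Setting it to true and referencing the plan gives Standard-tier mitigation,
    // telemetry and alerting for every public IP attached to resources in this VNet.
    enableDdosProtection: true
    ddosProtectionPlan: {
      id: ddosPlan.id
    }
    subnets: [
      {
        // The public subnet that hosts the web VM from Use case 1.
        name: 'public-web'
        properties: {
          addressPrefix: '10.0.1.0/24'
        }
      }
    ]
  }
}
```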

Use case 2: XSS attack on a web App hosted on an Azure Web App (App Service)

What is an XSS attack?

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

In this scenario, the web application is running behind an Application Gateway that has WAF enabled with the default configuration.

What is Azure Web Application Firewall on Azure Application Gateway?

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

Benefits of Application Gateway WAF

  • SQL-injection protection.
  • Cross-site scripting protection.
  • Protection against other common web attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion.
  • Protection against HTTP protocol violations.
  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent and Accept headers.
  • Protection against crawlers and scanners.
  • Detection of common application misconfigurations (for example, Apache and IIS).
  • Configurable request size limits with lower and upper bounds.
  • Exclusion lists let you omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication or password fields.
  • Create custom rules to suit the specific needs of your applications.
  • Geo-filter traffic to allow or block certain countries/regions from gaining access to your applications.
  • Protect your applications from bots with the bot mitigation ruleset.
  • Inspection of JSON and XML in the request body.

WAF modes

The Application Gateway WAF can be configured to run in the following two modes:

Detection mode: Monitors and logs all threat alerts. You turn on logging diagnostics for Application Gateway in the Diagnostics section. You must also make sure that the WAF log is selected and turned on. Web application firewall doesn’t block incoming requests when it’s operating in Detection mode.

Prevention mode: Blocks intrusions and attacks that the rules detect. The attacker receives a “403 unauthorized access” exception, and the connection is closed. Prevention mode records such attacks in the WAF logs.

How to mitigate an XSS attack?

Enable WAF Prevention mode: Prevention mode blocks incoming intrusions, including XSS, SQL injection and the other attacks listed above, instead of only logging them.
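The WAF policy from Use case 2 as a Bicep template, with the mode switched from the logging-only default to Prevention. This is an added example and not part of the original article; the policy name, the `location` parameter, the rule set version and the excluded header are assumptions.

```bicep
// Added example (not from the article): Application Gateway WAF policy in
// Prevention mode. Policy name, 'location', rule set version and the excluded
// header are assumptions.
param location string = resourceGroup().location
param policyName string = 'webapp-waf-policy'

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-02-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      // Weak default: 'Detection' only writes threat alerts to the WAF log.
      // 'Prevention' blocks the request (403) and closes the connection.
      mode: 'Prevention'
      // Inspect JSON/XML request bodies, not only headers and query strings.
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          // OWASP core rule set: XSS, SQL injection, RFI, request smuggling, ...
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.1'
        }
      ]
      // Exclusion list: keep an opaque authentication token out of rule
      // evaluation so it cannot trigger false positives.
      exclusions: [
        {
          matchVariable: 'RequestHeaderNames'
          selectorMatchOperator: 'Equals'
          selector: 'Authorization'
        }
      ]
    }
  }
}
```

Attach the policy to the WAF_v2 Application Gateway through its `firewallPolicy` reference, and turn on the ApplicationGatewayFirewallLog diagnostic setting so blocked requests are recorded.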

Use case 3: SQL injection attack on a web application (Web App + SQL DB)

The web application runs with a database as its backend, and Application Gateway WAF is configured for application load balancing. In this use case, the threat exists at both the database server and the web application.

To mitigate attacks on the SQL database, enable Advanced Threat Protection for Azure SQL Database.

Advanced Threat Protection for Azure SQL Database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Advanced Threat Protection can identify potential SQL injection, access from an unusual location or data center, access from an unfamiliar principal or potentially harmful application, and brute-force attacks on SQL credentials.

So we have configured protection at the database level against SQL injection, but what about the web application? It is very simple, as shown in Use case 2: enable Application Gateway WAF in Prevention mode.
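The database-side part of Use case 3, enabling Advanced Threat Protection on an existing Azure SQL logical server, as a Bicep template. This is an added example and not part of the original article; the server name parameter and the alert e-mail address are assumptions.

```bicep
// Added example (not from the article): server-level Advanced Threat Protection
// for Azure SQL Database. The server name and the alert address are assumptions.
param sqlServerName string
param alertEmails array = [
  'secops@example.com'
]

// The logical server already exists; only its security alert policy is managed here.
resource sqlServer 'Microsoft.Sql/servers@2021-02-01-preview' existing = {
  name: sqlServerName
}

// The server-level policy is a child resource that is always named 'Default'.
resource atp 'Microsoft.Sql/servers/securityAlertPolicies@2021-02-01-preview' = {
  parent: sqlServer
  name: 'Default'
  properties: {
    // Weak default on a new server is 'Disabled': no SQL injection, access
    // anomaly or brute-force alerts are raised at all.
    state: 'Enabled'
    // An empty list keeps every detector active (SQL injection, unusual
    // location, unfamiliar principal, brute-force credentials, ...).
    disabledAlerts: []
    // Route alerts to the subscription admins and to the security team.
    emailAccountAdmins: true
    emailAddresses: alertEmails
  }
}
```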


We have seen a few use cases of Azure security features, such as VNet DDoS protection and Application Gateway WAF in Prevention mode, to mitigate some of the top OWASP attacks. Equivalent features are also available from other cloud providers; for example, in AWS the AWS Shield service protects against DDoS attacks.