This guide outlines a strategy for implementing zero-trust security for web apps. In this security model, every network packet that flows to an application is verified before it is trusted. A multilayered approach works best, and network security makes up one of those layers. In this layer, network appliances inspect packets to ensure that only legitimate traffic reaches applications.
Typically, different types of network appliances inspect different aspects of network packets:
- Web application firewalls look for patterns that indicate an attack at the web application layer.
- Next-generation firewalls can also look for generic threats.
In some situations, you can combine different types of network security appliances to increase protection. A separate guide, Firewall and Application Gateway for virtual networks, describes design patterns that you can use to arrange the various appliances. This document focuses on a common pattern for maximizing security, in which Azure Application Gateway is placed in front of Azure Firewall Premium so that traffic passes through the Application Gateway first. The following diagram illustrates