
Commit
Template and documentation change for WAF feature
ritika-msft committed Sep 9, 2021
1 parent bfa30bb commit 9ee2da5
Showing 3 changed files with 77 additions and 1 deletion.
78 changes: 77 additions & 1 deletion 01-Setup and getting started/README.md
Expand Up @@ -72,8 +72,9 @@ For more details of Az Modules refer [link](https://docs.microsoft.com/en-us/pow
# Az.Monitor >= 1.5.0
# Az.OperationalInsights >= 1.3.4
# Az.ApplicationInsights >= 1.0.3
# Az.Websites >= 1.6.0
# Az.Websites >= 2.8.1
# Az.Network >= 2.5.0
# Az.FrontDoor >= 1.8.0
Install-Module -Name Az.Accounts -AllowClobber -Scope CurrentUser -repository PSGallery
Install-Module -Name Az.Resources -AllowClobber -Scope CurrentUser -repository PSGallery
Install-Module -Name Az.Storage -AllowClobber -Scope CurrentUser -repository PSGallery
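Review bot: the Az.Websites minimum is raised from 1.6.0 to 2.8.1 in the same change that introduces `Az.FrontDoor >= 1.8.0`, but neither the commit message nor the README says why; add one line stating what the new WAF path needs from Az.Websites so readers already on 1.6.0 know the bump is required rather than incidental.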
Expand All @@ -83,6 +84,7 @@ Install-Module -Name Az.OperationalInsights -AllowClobber -Scope CurrentUser -re
Install-Module -Name Az.ApplicationInsights -AllowClobber -Scope CurrentUser -repository PSGallery
Install-Module -Name Az.Websites -AllowClobber -Scope CurrentUser -repository PSGallery
Install-Module -Name Az.Network -AllowClobber -Scope CurrentUser -repository PSGallery
Install-Module -Name Az.FrontDoor -AllowClobber -Scope CurrentUser -repository PSGallery
# Install AzureAd
# Required version:
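Review bot: the new `Install-Module -Name Az.FrontDoor -AllowClobber -Scope CurrentUser -repository PSGallery` line does not enforce the `Az.FrontDoor >= 1.8.0` minimum stated in the comment block above; it installs whatever the gallery serves and does not upgrade an older module that is already installed. Consider `Install-Module -Name Az.FrontDoor -MinimumVersion 1.8.0 -AllowClobber -Scope CurrentUser -Repository PSGallery` so the stated requirement is actually checked (the existing lines have the same gap, but this one is new).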
Expand Down Expand Up @@ -273,6 +275,7 @@ Setup will create infra resources and schedule daily security control scan on ta
> 1. _Setup may take up to 5 minutes to complete._
> 2. _For better performance, we recommend using one location for hosting central scanning user-assigned MI and resources which will be created in the following installation steps using the `Install-AzSKTenantSecuritySolution` cmdlet._
> 3. _To restrict network traffic and to ensure that all inbound communication to critical backend resources of AzTS solution are routed through private network(VNet), install AzTS setup with **VNet integration**. For this you will need to run the installation command `Install-AzSKTenantSecuritySolution` with `-EnableVnetIntegration` switch._
> 4. _To enable WAF for AzTS UI and API, you will need to run the installation command `Install-AzSKTenantSecuritySolution` with `-EnableWAF` switch. To know more about Web Application Frirewall(WAF) visit [here](README.md#enable-azure-web-application-firewall-(WAF)-for-AzTS-UI-and-AzTS-API)._
>
>  
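Review bot: two issues in the new note 4. "Frirewall" should be "Firewall", and the link fragment `README.md#enable-azure-web-application-firewall-(WAF)-for-AzTS-UI-and-AzTS-API` will not resolve on GitHub, which builds heading anchors by lowercasing and dropping punctuation such as parentheses; the heading added later in this file becomes `#enable-azure-web-application-firewall-waf-for-azts-ui-and-azts-api`.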
Expand Down Expand Up @@ -301,6 +304,7 @@ $DeploymentResult = Install-AzSKTenantSecuritySolution `
[-EnableAutoUpdater] `
[-EnableAzTSUI] `
[-EnableVnetIntegration] `
[-EnableWAF] `
-Verbose
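Review bot: `[-EnableWAF]` is added to the syntax block without stating its relationship to `[-EnableAzTSUI]`; since the rest of this change describes the WAF as protecting the AzTS UI and API, document whether the switch is ignored or raises an error when `-EnableAzTSUI` is not also passed.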
Expand Down Expand Up @@ -372,10 +376,75 @@ For '-WebAPIAzureADAppId' and '-UIAzureADAppId' parameter,
|EnableAutoUpdater | Switch to enable AzTS auto updater. Autoupdater helps to get latest feature released for AzTS components covering updates for security controls. If this is disabled, you can manually update AzTS components by re-running setup command.|FALSE|
|EnableAzTSUI | Switch to enable AzTS UI. AzTS UI is created to see compliance status for subscription owners and perform adhoc scan. |FALSE|
|EnableVnetIntegration | Switch to enable VNet integration for AzTS setup. Enabling VNet integration for AzTS setup, ensures that all critical resources like storage, function apps, log analytics workspace etc that are part of AzTS setup, are not accessible over public internet. |FALSE|
|EnableWAF | Switch to enable Web Application Firewall (WAF) for AzTS UI and API. Enabling WAF for AzTS UI and API, provides centralized protection of web applications from common exploits and vulnerabilities. |FALSE|
|Verbose| Switch used to output detailed log |FALSE|

</br>

#### **Enable Azure Web Application Firewall (WAF) for AzTS UI and AzTS API**

Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks such as - SQL injection and cross-site scripting that exploit commonly known vulnerabilities.

#### **WAF policy and rules:**

A WAF policy can consist of two types of security rules :
1. Custom rules that are authored by the customer.
2. Managed rule sets that are a collection of Azure-managed pre-configured set of rules.

> **Note:** When WAF is enabled for AzTS setup, by default only [managed rule sets](https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview#azure-managed-rule-sets) are configured for your WAF policy. You can create [custom rules](https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal#custom-rules) for your WAF policy as per your requirement.
To enable WAF for your AzTS UI and API, run the installation command [Install-AzSKTenantSecuritySolution](README.md#step-6-of-6-run-setup-command) with `-EnableWAF` switch._

> **Note:**
> Before running installation command `Install-AzSKTenantSecuritySolution`, please make sure to complete below pre-requisites:
> 1. _[Installing required Az modules](README.md#step-2-of-6-installing-required-az-modules)._
> 2. _[Download and extract deployment package](README.md#step-3-of-6-download-and-extract-deployment-package)._
> 3. _[Setup central scanning managed identity](README.md#step-4-of-6-setup-central-scanning-managed-identity)._
> 4. _[Create Azure AD application for secure authentication](README.md#step-5-of-6-create-azure-AD-application-for-secure-authentication)._

Example:
```PowerShell
# Example:
$DeploymentResult = Install-AzSKTenantSecuritySolution `
-SubscriptionId bbbe2e73-fc26-492b-9ef4-adec8560c4fe `
-ScanHostRGName AzSK-AzTS-Solution-RG `
-ScanIdentityId '/subscriptions/bbbe2e73-fc26-492b-9ef4-adec8560c4fe/resourceGroups/TenantReaderRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TenantReaderUserIdentity' `
-Location EastUS2 `
-EnableAzTSUI `
-UIAzureADAppId '000000yy-00yy-00yy-00yy-0000000000yy' `
-WebAPIAzureADAppId '000000xx-00xx-00xx-00xx-0000000000xx' `
-AzureEnvironmentName AzureCloud `
-ScanIdentityHasGraphPermission:$true `
-SendAlertNotificationToEmailIds @('[email protected]', '[email protected]', '[email protected]') `
-EnableAutoUpdater `
-EnableWAF `
-Verbose
<#
For '-ScanIdentityId' parameter,
(a) use value created for "$UserAssignedIdentity.Id" from prerequisite section step 4.
OR
(b) Run Set-AzSKTenantSecuritySolutionScannerIdentity command provided in step 4.
OR
(c) you can get this resources id by going into Azure Portal --> Subscription where user-assigned MI resource created --> MIHostingRG --> Click on MI resource --> Properties --> Copy ResourceId.
#>
<#
Note: UIAzureADAppId and WebAPIAzureADAppId is mandatory if you are enabling AzTSUI
For '-WebAPIAzureADAppId' and '-UIAzureADAppId' parameter,
(a) use value created for "$ADApplicationDetails.WebAPIAzureADAppId" and "$ADApplicationDetails.UIAzureADAppId" respectively from step 5.
OR
(b) Run Set-AzSKTenantSecurityADApplication command provided in step 5.
OR
(c) you can get this application ids by going into Azure Portal --> Azure Active Directory --> App registrations --> All applications --> Search the application by name --> Click on the AD application --> Overview --> Copy Application (client) ID.
#>
```

6.b. **Grant MS Graph read access:** AzTS Soln creates an Internal MI identity used to perform internal operations such as access LA workspace and storage for sending scan results. Internal MI is also used by AzTS UI to read the list of security groups that the user is a member of. For this purpose, internal MI requires 'User.Read.All' permission.
</br>
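Review bot: the line "To enable WAF for your AzTS UI and API, run the installation command ... with `-EnableWAF` switch._" has a stray trailing `_` with no opening underscore (it renders as a literal underscore) and sits directly under the `> **Note:**` block with no blank line, so Markdown's lazy continuation folds it into the quoted note; add a blank line before it and drop the `_`. "#### **WAF policy and rules:**" also uses the same `####` level as the parent "Enable Azure Web Application Firewall (WAF) ..." heading it belongs under, so it reads as a sibling section rather than a subsection. Finally, the note says only managed rule sets are configured by default; naming the rule set and version the template deploys would let operators judge what the default actually covers.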
Expand Down Expand Up @@ -479,6 +548,10 @@ The below steps will help you to verify and understand different resources and f
![Resources](../Images/12_TSS_Resource_Group_1.png)
![Resources](../Images/12_TSS_Resource_Group_2.png)

> **Note:** _If WAF is enabled for AzTS Solution, verify that below additional resources also got created, along with the once shown above._
![Resources](../Images/12_TSS_Resource_Group_6.png)

> **Note:** _If the AzTS Solution is integrated to VNet, verify that below additional resources also got created, along with the once shown above._
![Resources](../Images/12_TSS_Resource_Group_3.png)
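Review bot: "along with the once shown above" should read "along with the ones shown above"; the typo is copied from the existing VNet note directly below, so fix both while here.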
Expand Down Expand Up @@ -510,6 +583,9 @@ The below steps will help you to verify and understand different resources and f
|privatelink-monitor-azure-com|Private DNS Zone| This zone covers the global endpoints used by Azure Monitor|
|privatelink-agentsvc-azure-automation-net|Private DNS Zone| This zone covers workspace-specific mapping to the agent service automation endpoints|
|privatelink-agentsvc-azure-automation-net|Private DNS Zone| This zone configures connectivity to the global agents' solution packs storage account|
|AzSK-AzTS-API-FrontDoor-xxxxx|Front Door| Used to stop network and application layer attacks at the edge with the help of Web Application Firewall. It secure your private back ends(API) and harden your service using Microsoft managed rule sets|
|AzSK-AzTS-UI-FrontDoor-xxxxx|Front Door| Used to stop network and application layer attacks at the edge with the help of Web Application Firewall. It secure your private back ends(UI) and harden your service using Microsoft managed rule sets|
|AAzSKAzTSWAFPolicyxxxxx|Front Door WAF policy| WAF policy with managed Default Rule Set that protect your web application from common threats|

<br/>
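Review bot: the three new rows have grammar slips ("It secure your private back ends(API)" should be "It secures your private back ends (API)", likewise for the UI row, and "that protect" should be "that protects"), and the policy name `AAzSKAzTSWAFPolicyxxxxx` starts with a double "A" unlike every other `AzSK-AzTS-...` resource in the table, so check whether that is the real deployed name or a typo. These rows are also appended to the table of VNet-integration resources (private DNS zones) although they are created by `-EnableWAF`, not `-EnableVnetIntegration`; a short separate table, or a "(WAF only)" marker on each row, would keep the verification steps aligned with the notes above.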

Binary file added Images/12_TSS_Resource_Group_6.png
Binary file modified TemplateFiles/DeploymentFiles.zip

0 comments on commit 9ee2da5