As companies and developers are turning to cloud applications, they face attacks on the applications and services available on the Web. While Azure provides basic network security, it is not enough to protect against elaborate data theft, DDOS attacks, SQL injection attacks, and more.
In response, the Barracuda Web Application Firewall analyzes web traffic and blocks countless attacks against your web applications.
In this post, I explain how Barracuda works, and how you can use it to add security to Azure cloud applications.
How Barracuda works
A good firewall is essential. Of the ones I’ve tried, the one that most suited a plethora of uses and defended best against cyber attacks was Barracuda.
Barracuda is a long-established firewall for anyone who knows and works with Red Hat or CentOS. Barracuda in Azure is offered as a logical appliance deployed on the networks that you want to protect against external attacks. The correct layout of this firewall is shown in the mapping below.
In Azure, instances A1, A2, A3 and A4 can be used, with the support of 8 VCPU and 14 GB of memory.
A license is required. There are two forms of BYOL (bring your own license) that can be purchased directly on the Barracuda website; another form is an hourly use license—This is a version of the Azure Barracuda Web Application Firewall without a portal and is made available by a Microsoft Azure portal after an instance is started. Hardware capacity directly affects the amount that will be charged.
Steps to create a virtual machine with Barracuda
To continue, you will need to have an active account on the Azure portal. The creation of a VM with Barracuda can be executed in both the classic portal and the new portal. The following settings were made in the new portal.
Sign in to the Azure portal, choose New, and look for the Barracuda Web Application Firewall.
At this point, choose which license will be deployed. If you have purchased a license, it will be BYOL. If you would like Azure to charge you by the hour, choose the PAYG option.
The steps for creating the VM are very traditional, so there is no need to cover those here. At this point, we need to carefully review local items, hardware size, and the administrator password to avoid problems that could require redeployment.
The firewall must be deployed on the virtual network that you want to protect; otherwise, the firewall and the application will not communicate. If there are extra servers that you want to protect, they need to be part of the same virtual network. In this example, I will create a VM with the name barracuda; the virtual network will be named barracuda-vnet, and I’ll choose the user barracuda.
From the info above, we can see the creation of the VM was validated correctly. Now, click Purchase and wait for the installation validation. In order to access the web console from the server, simply access the IP by telling the port to HTTPS or HTTP (https://ip_server:8443 | http://ip_server:8000).
Configure Barracuda
Unlock the following ports on the Azure firewall for Barracuda operation.
| Port | Direction | TCP | UDP | Usage |
| 22 | Out | Yes | No | Technical Support connections |
| 25 | In/Out | Yes | No | Email alerts |
| 53 | Out | Yes | Yes | Domain Name Service (DNS) |
| 80/8000 | Out | Yes | No | Virus/attack/security definition and firmware updates |
| 123 | Out | No | Yes | Network Time Protocol (NTP) |
| 443 | Out | Yes | No | Initial VM Provisioning* |
| *The initial provisioning port can be disabled once the initial provisioning process is complete. | ||||
Choose the type of license you will use. To test, choose the free evaluation.
Barracuda Dashboard
The screen below is displayed shortly after logging in. When accessing Barracuda for the first time, it is highly recommended you change the password. Access this through Basic -> Administration -> Password Change tab.
From this point, you can navigate through the tool to learn and verify what can be used to protect your environment.
The good news is that you do not need an Azure account or additional hardware to test this firewall. You can use the demo they make available for possible testing before any deployment. Use the link http://wsf.barracuda.com/cgi-mod/index.cgi, and enter the username guest, wsf password. There is no fee to use this demo.
Conclusion
The use of a firewall is required in any infrastructure environment that has applications with external access. Security is paramount to keep your environment available, and your users assured that your service is continually responding and that data is safe within your application.
Of the firewalls available on Azure, Barracuda has proven to be more robust, and easy to deploy, with customizable licensing. There is a range of documentation from the team that develops the tool, as well as training for those who want to learn more.
