Below is a diagram of the solution architecture you will build in this lab. Please study this carefully, so you understand the whole of the solution as you are working on the various components.
The solution begins with a deployed template of typical and not-so-typical resources. Due to time constraints during deployment, you will have an internal (rather than external-facing) App Service Environment (ASE). The ASE will have no app service plans or apps deployed to it, and it is not accessible from the outside world. After creating an app service plan, you will use the Azure DevOps machine and Visual Studio to deploy an application to the ASE. Once it is deployed, you will configure the Application Gateway to point to the new ASE-hosted app. Once that is configured, you will perform a typical web-based attack on the environment in detection-only mode to see the requests pass through to your web application. Once you understand how this process works, you will enable the Web Application Firewall to filter requests based on the OWASP 3.0 standard and see that those requests are in fact blocked.
Separately, you will explore how Azure Identity Access and Management (Azure IAM) works and how those access permissions are separate from policies that may live within the actual Azure resource (such as with Azure Key Vault). You will learn how to remove sensitive information from resources such as Azure Functions and Web Applications and place it in Azure Key Vault for both deployment and runtime use.
As a final step, you will learn how to perform queries against Log Analytics to populate a Power BI report based on your Web Application Firewall events.