This article explains how to set up access to multiple services of the same kind (e.g., HTTP, HTTPS) that are configured on the Barracuda Web Application Firewall.
Understanding the Problem
Let’s assume you have two web servers, Server1 and Server2, with the internal IP addresses 10.0.1.20 and 10.0.1.21, respectively. Both servers serve the website through port 80.
The requirement is to protect both servers through the Barracuda Web Application Firewall using the same internal IP address 10.0.0.10 (the listening IP on the Barracuda WAF) and the public IP address 50.50.50.50 (mapped to 10.0.0.10), and to access the servers through the public IP/DNS.
This requirement can be addressed in two ways:
- Using rule groups on the Barracuda Web Application Firewall.
- Using an external load balancer such as the Azure Application Gateway or Azure Load Balancer.
Using Rule Groups on the Barracuda Web Application Firewall
Create a service on the Barracuda Web Application Firewall, add a rule group for each of the servers, and create a match with the application hostname/DNS name. To learn more about adding a rule group and rule group server, see How to Add a Real Server.
In this case, clients need to access the applications using the DNS name, where each of the domain names resolves to the same public IP address that is mapped to the private IP address of the Barracuda Web Application Firewall (10.0.0.10 in the above scenario). The Barracuda Web Application Firewall sends the traffic to the respective server based on the host match configured in the rule group.
Using the Load Balancer
In this case, multiple services can be configured on the Barracuda WAF with the same IP address but different port numbers.
Example:
- Service1 IP 10.0.0.10 and port 80, for which the backend server can be 2.2.2.11 with port 80
- Service2 IP 10.0.0.10 and port 82, for which the backend server can be 2.2.2.12 with port 80
These services are externally accessed using the load balancer. The load balancer can be configured with different public IP addresses mapping to each of the IP address and port combinations of the Barracuda Web Application Firewall.
Create a load balancing rule for each service using the same backend pool, different front end IP address, and corresponding service port for the backend port.
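The rule-per-service step above, sketched with the Azure CLI for the Azure Load Balancer case. This is an added example, not part of the original article: the resource group, load balancer, backend pool and frontend IP configuration names are assumed, as is frontend port 80, and each frontend IP configuration is assumed to exist already with its own public IP address. The script prints the commands unless AZ=az is set.

```shell
#!/usr/bin/env bash
# Added example: one Azure Load Balancer rule per Barracuda WAF service.
# Assumed names (not from the article): resource group, load balancer,
# backend pool and frontend IP configuration names.
RG="waf-rg"
LB="waf-lb"
POOL="waf-pool"      # the single backend pool that contains the WAF (10.0.0.10)
FRONTEND_PORT=80     # assumption: clients reach every site on port 80

# Dry run by default: the commands are printed. Set AZ=az to execute them.
AZ="${AZ:-echo az}"

# name : frontend IP configuration : WAF service port (ports from the example above)
SERVICES="
Service1:fe-service1:80
Service2:fe-service2:82
"

# Create (or print) the load balancing rule for one WAF service.
lb_rule() {
    name=$1 frontend=$2 waf_port=$3
    $AZ network lb rule create \
        --resource-group "$RG" --lb-name "$LB" \
        --name "rule-$name" --protocol Tcp \
        --frontend-ip-name "$frontend" --frontend-port "$FRONTEND_PORT" \
        --backend-pool-name "$POOL" --backend-port "$waf_port"
}

# Reject a plan in which two services share a frontend IP or a WAF port:
# either mistake would deliver two sites to the same WAF service.
check_plan() {
    dup_fe=$(echo "$SERVICES" | awk -F: 'NF==3{print $2}' | sort | uniq -d)
    dup_port=$(echo "$SERVICES" | awk -F: 'NF==3{print $3}' | sort | uniq -d)
    [ -z "$dup_fe" ] && [ -z "$dup_port" ]
}

apply_plan() {
    check_plan || { echo "duplicate frontend IP or WAF port in plan" >&2; return 1; }
    echo "$SERVICES" | while IFS=: read -r name frontend port; do
        if [ -n "$name" ]; then
            lb_rule "$name" "$frontend" "$port"
        fi
    done
}

apply_plan
```

Review the printed commands first; the backend port of each rule must match the port of the corresponding service on the Barracuda WAF.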