Azure
Security
starter
WAF-Hardened Web App — Azure Architecture Template
Minimal hardened web workload: WAF gateway, NSG-restricted ingress, Key Vault certificates and SQL over managed identity.
Why this architecture works
- WAF in prevention mode blocks OWASP Top 10 attacks before they reach application code
- NSG restricts the gateway subnet to HTTPS only, eliminating stray management ports
- TLS certificates are issued from Key Vault so rotation never touches the app or gateway config
- The app authenticates to SQL with managed identity — there is no SQL password to leak
- Application Insights availability tests continuously probe the public endpoint
What's inside (8 resources)
Edge NSG
network-security-group
WAF Gateway
application-gateway
App Plan
app-service-plan
Web App
web-app
SQL Server
sql-server
App DB
sql-database
Certs & Secrets
key-vault
APM
application-insights
From template to running infrastructure
- Open this template in the CloudForge visual designer (free account, no credit card).
- Customize resources, names, and connections on the drag-and-drop canvas — or ask Vani, the AI architect, to adapt it.
- Generate production-ready Terraform, ARM, or Bicep in one click.
- Review the plan diff and security scan, then deploy with human approval.