Protect your applications from common web vulnerabilities such as SQL injection and cross-site scripting. Monitor your web applications using custom rules and rule groups to suit your requirements and eliminate false positives.

Get application-level load-balancing services and routing to build a scalable and highly available web front end in Azure. Autoscaling offers elasticity by automatically scaling Application Gateway instances based on your web application traffic load.

Application Gateway is integrated with several Azure services. Azure Traffic Manager supports multiple-region redirection, automatic failover, and zero-downtime maintenance. Use Azure Virtual Machines, virtual machine scale sets, or the Web Apps feature of Azure App Service in your back-end pools. Azure Monitor and Azure Security Center provide centralized monitoring and alerting, and an application health dashboard. Key Vault offers central management and automatic renewal of SSL certificates.

Strong encryption from front end to back end helps to secure your data.

Route traffic to back-end server pools with URL path-based routing, and to multiple web applications using host header-based routing.

Scale your web application with SSL offload, and centralize SSL certificate management to reduce encryption and decryption overhead on your servers.

Single sign-on simplifies access to your apps from anywhere.

Conditional Access and Multi-factor authentication help protect and govern access.

A single identity platform lets you engage with internal and external users more securely.

Developer tools make it easy to integrate identity into your apps and services.

Backed by the Microsoft global network, DDoS Protection brings massive DDoS mitigation capacity to every Azure region. Scrub traffic at the Azure network edge before it can impact the availability of your service.

Cover all resources on a virtual network when you enable Azure DDoS Protection via simplified configuration. Always-on traffic monitoring provides near real-time detection of a DDoS attack, with no intervention required. DDoS Protection automatically mitigates the attack as soon as it’s detected.

DDoS Protection provides advanced intelligence that automatically configures and tunes your DDoS Protection settings. The DDoS service understands your resources and resource configuration to learn application traffic patterns over time.

Deployed with Azure Application Gateway Web Application Firewall, DDoS Protection defends against a comprehensive set of network layer (layer 3/4) attacks, and protects web apps from common application layer (layer 7) attacks, such as SQL injection, cross-site scripting attacks, and session hijacks. Web Application Firewall comes preconfigured to handle threats identified by the Open Web Application Security Project top 10 common vulnerabilities.

Native integration with Azure Monitor exposes attack metrics and telemetry alongside other resource telemetry. Flexible alerting mechanisms notify you when an application is under attack.

Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends. Stream DDoS mitigation flow logs to an offline security information and event management (SIEM) system for near real-time monitoring during an attack.

Engage the DDoS Protection rapid response team for help with attack investigation, custom mitigation, and analysis.

Receive service credit for resource costs incurred as a result of a documented DDoS attack.

Use Key Vault and you don’t need to provision, configure, patch, and maintain HSMs and key management software. Provision new vaults and keys (or import keys from your own HSMs) in minutes and centrally manage keys, secrets, and policies. You keep control over your keys—simply grant permission for your own and partner applications to use them as needed. Applications never have direct access to keys. Developers manage keys used for Dev/Test and seamlessly migrate to production the keys that are managed by security operations. Simplify and automate tasks related to SSL/TLS certificates—Key Vault enables you to enroll and automatically renew certificates from supported public Certificate Authorities.

Improve performance and reduce the latency of your cloud applications by storing cryptographic keys in the cloud, instead of on-premises. Key Vault quickly scales to meet the cryptographic needs of your cloud applications and match peak demand, without the cost of deploying dedicated HSMs. Achieve global redundancy by provisioning vaults in Azure global datacenters—keep a copy in your own HSMs for more durability.