Sitecore Managed Cloud Standard — Setup WAF Service Request

  • Sitecore Managed Cloud customers wanting to protect their Sitecore XP application from common web vulnerabilities and attacks can create a Setup Web Application Firewall (WAF) Service Request. This article outlines what Managed Cloud customers need to know about the technical implementation of the WAF.

    For more details on the Azure Application Gateway and WAF products and how they work to secure a Sitecore Content Delivery server, see these details.

  • Once the Service Request is made to the Managed Cloud team, the following items must be provided. These can be included in the Service Request form, or the engineer completing the setup will request them from the customer:

    • The PFX certificate that corresponds to the Sitecore CD web app public DNS name.
    • The certificate password.
  • The following notes outline timing and the overall process followed by the Sitecore Managed Cloud team in completing this Service Request:

    1. The WAF deployment takes about an hour. During this time, IP restrictions will be configured on the Sitecore Content Delivery web app in Azure, so the CD will no longer be reachable through its direct endpoint, such as the * URL. It is then accessible only via the Public IP address.

      We may turn off the IP restrictions after the deployment so the CD web app can be available as before. Customers that require this must request it in the Service Request.
    2. Right after the WAF service is deployed, the customer must configure their DNS server to create the needed records. DNS records on name servers may take up to 72 hours to fully update, so the final configuration might require up to 3 days.
    3. The Managed Cloud team will coordinate a time window with the customer for the WAF deployment. Best practice is to set up the WAF well before an environment goes live, to reduce the risk of downtime or the impact of any unforeseen complications. The Managed Cloud team requests 48 hours' notice to schedule the maintenance window.

      For sites that are already “live,” the Managed Cloud team can choose NOT to apply the usual IP restrictions on the Sitecore CD web app, so the site remains 100% available throughout this process. At a later time, after WAF testing and customer DNS updates are completed to the customer's satisfaction, the IP restrictions can be enabled to block direct access to the Sitecore CD web app.
  • After the WAF is configured by the Managed Cloud team, the following details will be provided to the customer in the Service Request ticket:

    • The WAF deployment is finished.
    • All of your resources are now located in the mc-{your-identifier-here}-virtualNetwork virtual network.
    • Please note that your Sitecore CD web app is only available now by Public IP (PIP) address: XXX.XXX.XXX.XXX.
    • The PIP is associated with mc-{your-identifier-here}-applicationGateway-waf application gateway.
    • Next, you should set up the redirect from your Sitecore CD DNS https://{} to XXX.XXX.XXX.XXX to finish the installation.
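
A post-deployment check for the state described above, added here as an example and not part of Sitecore's article or tooling: it confirms that the public DNS name resolves only to the WAF PIP and that the direct endpoint no longer answers. The hostnames, the address and the function names are placeholders or hypothetical, and it assumes a request blocked by the web app's IP restrictions is answered with HTTP 403.

```python
import socket
import urllib.error
import urllib.request


def resolve(hostname):
    """Return the set of IPv4 addresses the public hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def http_status(url, timeout=10):
    """Return the HTTP status code for url, or None if no connection could be made."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def assess_cutover(resolved_ips, waf_pip, direct_status, restrictions_deferred=False):
    """Compare the observed state with the expected post-deployment state.

    Returns a list of findings; an empty list means DNS points only at the
    WAF PIP and the direct endpoint is closed.
    """
    findings = []
    if waf_pip not in resolved_ips:
        findings.append("dns-not-on-waf")   # records not updated, or still propagating
    elif resolved_ips != {waf_pip}:
        findings.append("dns-mixed")        # a stale record is served alongside the PIP
    # Assumption: blocked clients get 403. Any other response means traffic
    # can still reach the CD web app without passing through the WAF.
    if direct_status is not None and direct_status != 403:
        # For already-live sites the restrictions are enabled later, on request.
        findings.append("direct-open-pending" if restrictions_deferred else "direct-open")
    return findings


if __name__ == "__main__":
    # Placeholders: substitute the values from your Service Request ticket.
    PUBLIC_HOST = "cd.example.com"
    WAF_PIP = "203.0.113.10"
    DIRECT_URL = "https://direct-endpoint.example/"
    print(assess_cutover(resolve(PUBLIC_HOST), WAF_PIP, http_status(DIRECT_URL)))
```

Run it again during the DNS propagation window until it prints an empty list; for a site that went live before the WAF, pass `restrictions_deferred=True` until the IP restrictions have been enabled.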

Applies to:

Managed Cloud 1+

May 12, 2020