{"id":8273,"date":"2025-07-17T07:34:38","date_gmt":"2025-07-17T07:34:38","guid":{"rendered":"http:\/\/localhost\/?p=8273"},"modified":"2025-07-17T07:34:38","modified_gmt":"2025-07-17T07:34:38","slug":"fail-open-architecture-for-secure-inline-protection-on-azure","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=8273","title":{"rendered":"Fail-Open Architecture for Secure Inline Protection on Azure"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">Fail-Open Architecture for Secure Inline Protection on Azure<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">WALLARMLAB:4E537B18A8DC6EF755EC0C33C2A96498<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">wallarmlab<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-17T11:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-17T11:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #666666; font-weight: bold;\">NONE<\/td>\n<\/tr>\n<\/table>\n<h3>Update Details<\/h3>\n<div style=\"; padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nEvery inline 
deployment introduces a tradeoff: enhanced inspection versus increased risk of downtime. Inline protection is important, especially for APIs, which are now the most targeted attack surface, but so are consistent uptime and performance. This is where a fail-open architecture comes in. <\/p>\n<p>This Wallarm How-To blog outlines how to deploy Wallarm\u2019s Security Edge platform on Azure using a fail-open design, ensuring high availability and zero disruption, even if the filtering infrastructure becomes unresponsive. <\/p>\n<p>## The Challenge: Inline Security Without the Downtime<\/p>\n<p>APIs drive business-critical operations. As such, their availability is non-negotiable. Any inline solution, no matter how effective, introduces the possibility of becoming a single point of failure. If the traffic filtering node goes offline or becomes unresponsive, users could face delays, broken integrations, or full application outages. <\/p>\n<p>This is one of the most common objections to inline deployments. While legacy WAFs might require tradeoffs between protection and availability, modern cloud architectures allow for both. By using Azure Front Door alongside Wallarm\u2019s distributed Security Edge nodes, organizations can architect a highly available, auto-failover system that maintains protection without jeopardizing performance. <\/p>\n<p>## What is Wallarm Security Edge? <\/p>\n<p>Wallarm Security Edge is a cloud-native, managed service that deploys filtering nodes across multiple geographic regions. These nodes inspect traffic inline in real time, identifying and blocking malicious API calls before they can reach your origin servers. <\/p>\n<p>Unlike traditional security appliances, Security Edge doesn\u2019t require you to install or manage any on-prem hardware. You simply route your API and web traffic through the Wallarm filtering nodes and benefit from real-time detection of OWASP Top 10 threats, API exploits, and emerging attacks like LLM prompt injections. 
<\/p>\n<p>![](https:\/\/i0.wp.com\/lab.wallarm.com\/wp-content\/uploads\/2025\/06\/blog-img-1.png?resize=770%2C512&#038;ssl=1)<\/p>\n<p>But what happens if the filtering cluster becomes unreachable? <\/p>\n<p>## Introducing Fail-Open Logic with Azure Front Door <\/p>\n<p>By integrating Azure Front Door\u2019s active\/passive routing capabilities, organizations can implement a resilient, fail-open architecture that bypasses the filtering nodes in the rare event of failure, thus ensuring uninterrupted API availability. <\/p>\n<p>  1. Set Up Azure Front Door with Origin Groups<\/p>\n<p>Azure Front Door acts as the global entry point for incoming traffic. When you create a Front Door instance, it provides a fully qualified domain name (FQDN) \u2013 for example, `azureFrontDoor-a7ajbwefb6bza6ez.z01.azurefd.net.` <\/p>\n<p>Typically, you\u2019d configure a CNAME record that maps your public subdomain (api.example.com, for example) to this FQDN, allowing all requests to route through Front Door. <\/p>\n<p>To enable automatic failover, you\u2019ll configure two origin endpoints into a single origin group: <\/p>\n<p>  * **Primary origin:** Points to the Wallarm filtering node cluster.<br \/>  * **Secondary origin:** Points directly to your application backend, bypassing Wallarm. <\/p>\n<p>  2. Configure Priority-Based Routing<\/p>\n<p>Azure Front Door lets you assign priority levels to each origin. A lower number means higher priority: <\/p>\n<p>  * **Priority 1:** Wallarm filtering node cluster. <br \/>  * **Priority 2:** Direct-to-origin backup path. <\/p>\n<p>Traffic is always routed to the highest-priority healthy origin. If the Wallarm node cluster becomes unavailable, Azure Front Door automatically switches to the secondary origin, ensuring continuous service. <\/p>\n<p>This is the essence of a fail-open architecture: if security infrastructure fails, availability wins by design. <\/p>\n<p>  3. 
Customize Health Probes for Fine-Grained Control<\/p>\n<p>To detect failure conditions, Azure Front Door relies on health probes. These periodic checks validate whether the filtering node cluster is responsive. If the probe fails for a set number of consecutive attempts, traffic is redirected to the healthy fallback origin. <\/p>\n<p>You can customize these probes with: <\/p>\n<p>  * Specific HTTP paths or headers<br \/>  * Timeouts and response thresholds<br \/>  * Frequency of health checks<\/p>\n<p>This flexibility gives your security and infrastructure teams precise control over failover behavior. <\/p>\n<p># How the Traffic Flows <\/p>\n<p>Once deployed, here\u2019s what a typical request flow looks like: <\/p>\n<p>  1. A user makes a request to api.example.com.<br \/>  2. The DNS CNAME record points the request to the Azure Front Door FQDN.<br \/>  3. Azure Front Door checks the health of the primary origin (Wallarm filtering cluster).<br \/>  4. If healthy, traffic is routed through Wallarm for inline inspection.<br \/>  5. Wallarm forwards clean requests to the actual backend server as defined in the configuration.<br \/>  6. If the Wallarm cluster is unavailable, Azure Front Door automatically reroutes traffic to the direct origin path, without the need for manual intervention. <\/p>\n<p>![](https:\/\/i0.wp.com\/lab.wallarm.com\/wp-content\/uploads\/2025\/06\/blog-img-2.png?resize=770%2C315&#038;ssl=1)<\/p>\n<p># Security Without Sacrifices<\/p>\n<p>This architecture provides the best of both worlds: <\/p>\n<p>  * **Real-time, inline protection:** All traffic is inspected for threats when the Wallarm cluster is healthy. <br \/>  * **High availability by default:** If filtering fails, users still get uninterrupted access to your APIs and applications. <br \/>  * **Fully managed deployments:** No appliances, no manual patching, no maintenance headaches. 
<\/p>\n<p>Together, Wallarm\u2019s Security Edge nodes and Azure Front Door offer a resilient, cloud-native security model tailored for modern API environments. To learn more about deploying Wallarm Security Edge inline with Azure and building your own fail-open architecture, check out the official Wallarm documentation.<\/p>\n<p>The post Fail-Open Architecture for Secure Inline Protection on Azure appeared first on Wallarm.\n<\/p><\/div>\n<p><a href=\"https:\/\/lab.wallarm.com\/fail-open-architecture-for-api-protection-azure\/\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title Fail-Open Architecture for Secure Inline Protection on Azure Update ID WALLARMLAB:4E537B18A8DC6EF755EC0C33C2A96498 Type wallarmlab Published 2025-07-17T11:00:00 Last Updated 2025-07-17T11:00:00 Security&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,5,105],"class_list":["post-8273","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Fail-Open Architecture for Secure Inline Protection on Azure - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=8273\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta 
property=\"og:title\" content=\"Fail-Open Architecture for Secure Inline Protection on Azure - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Fail-Open Architecture for Secure Inline Protection on Azure Update ID WALLARMLAB:4E537B18A8DC6EF755EC0C33C2A96498 Type wallarmlab Published 2025-07-17T11:00:00 Last Updated 2025-07-17T11:00:00 Security...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=8273\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-17T07:34:38+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8273#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8273\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Fail-Open Architecture for Secure Inline Protection on 
Azure\",\"datePublished\":\"2025-07-17T07:34:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8273\"},\"wordCount\":870,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\",\"wallarmlab\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8273#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8273\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8273\",\"name\":\"Fail-Open Architecture for Secure Inline Protection on Azure - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-17T07:34:38+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8273#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8273\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8273#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Fail-Open Architecture for Secure Inline Protection on Azure\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Fail-Open Architecture for Secure Inline Protection on Azure - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=8273","og_locale":"en_US","og_type":"article","og_title":"Fail-Open Architecture for Secure Inline Protection on Azure - zero redgem","og_description":"Security Update News Update Information Title Fail-Open Architecture for Secure Inline Protection on Azure Update ID WALLARMLAB:4E537B18A8DC6EF755EC0C33C2A96498 Type wallarmlab Published 2025-07-17T11:00:00 Last Updated 2025-07-17T11:00:00 Security...","og_url":"https:\/\/zero.redgem.net\/?p=8273","og_site_name":"zero redgem","article_published_time":"2025-07-17T07:34:38+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=8273#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=8273"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Fail-Open Architecture for Secure Inline Protection on Azure","datePublished":"2025-07-17T07:34:38+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=8273"},"wordCount":870,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","Security","tapic","Vulnerability","wallarmlab"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=8273#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=8273","url":"https:\/\/zero.redgem.net\/?p=8273","name":"Fail-Open Architecture for Secure Inline Protection on Azure 
- zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-17T07:34:38+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=8273#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=8273"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=8273#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Fail-Open Architecture for Secure Inline Protection on Azure"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero 
redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8273"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8273\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}