Doesn't Azure App Service with WAF (non-isolated) still remain publicly accessible?


Assuming I'm using a non-isolated App Service, the recommendation to protect a web app against DDoS-type attacks is to put a firewall in front of it. My question: even if I have done the following:

App Service (IP configured to allow WAF IPs only) -- WAF (with all security layers) -- Internet

Why would a malicious actor go through WAF? Am I not still as secure as the native security offered by App Service? If all I want is to whitelist certain IPs (no layer 7 rules), do I get any additional benefit with WAF?

Ivan Glasenberg On

Why would a malicious actor go through WAF?

When a user sends a request to the server, it goes through the WAF first, not directly to the server. Here is a diagram from the doc which describes the flow:


Am I not still as secure as the native security offered by App Service?

No, you will still be as secure as the native security offered by App Service.

If all I want is to whitelist certain IPs (no layer 7 rules), do I get any additional benefit with WAF?

As far as I know, no additional benefit with WAF.
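
The layout in the question only holds if the App Service access restrictions admit the WAF's addresses and nothing else. As an added example (not part of the original question or answer), this Python code models how such a rule list is evaluated for a direct connection and flags Allow rules wider than the WAF ranges. The rule shape follows the ARM `ipSecurityRestrictions` site-config property; the addresses, rule names and the function names `evaluate` and `audit` are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape of the ARM `ipSecurityRestrictions` property.
# 203.0.113.10 is a documentation-range placeholder for the WAF's public IP.
WAF_ONLY_RULES = [
    {"name": "allow-waf", "ipAddress": "203.0.113.10/32",
     "action": "Allow", "priority": 100},
]


def _network(cidr):
    # "Any" is how the default allow-all rule is expressed; treated here as
    # 0.0.0.0/0 (assumption: IPv4 only, to keep the example small).
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "Any" else cidr,
                                strict=False)


def evaluate(rules, source_ip):
    """Return 'Allow' or 'Deny' for a direct connection from source_ip."""
    if not rules:
        return "Allow"  # no restrictions configured: any source is accepted
    addr = ipaddress.ip_address(source_ip)
    # Rules are checked in priority order; the first match decides.
    for rule in sorted(rules, key=lambda r: r["priority"]):
        net = _network(rule["ipAddress"])
        if addr.version == net.version and addr in net:
            return rule["action"]
    return "Deny"  # implicit deny-all once at least one rule exists


def audit(rules, waf_cidrs):
    """Return names of Allow rules that admit sources outside the WAF ranges."""
    expected = [ipaddress.ip_network(c) for c in waf_cidrs]
    findings = []
    for rule in rules:
        if rule["action"] != "Allow":
            continue
        net = _network(rule["ipAddress"])
        if not any(net.version == e.version and net.subnet_of(e)
                   for e in expected):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, evaluate(WAF_ONLY_RULES, ip))
    print("over-broad rules:", audit(WAF_ONLY_RULES, ["203.0.113.10/32"]))
```

Running `audit` against the exported site configuration after each change catches a leftover allow-all rule that would let clients reach the app without passing the WAF.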