Front Door Premium with WAF and Microsoft-managed rule sets

Deploy To Azure
This template deploys a Front Door Premium with a Web Application Firewall (WAF) and Microsoft-managed rule sets.

Sample overview and deployed resources

This sample template creates a Front Door profile with a WAF. To keep the sample simple, Front Door is configured to direct traffic to an Azure Storage static website configured as an origin, but this could be any origin supported by Front Door.

The following resources are deployed as part of the solution:

Prerequisites

  • Azure Storage with a static website, which acts as a simulated origin in this sample.

Front Door Premium

  • Front Door profile, endpoint, origin group, origin, and route to direct traffic to the Azure Storage static website.
    • This sample must be deployed using the premium Front Door SKU, since this is required for managed rule sets in the WAF.
  • Front Door WAF policy with two rule sets:
  • Front Door security policy to attach the WAF policy to the Front Door endpoint.

Log Analytics

  • Log Analytics workspace.
  • Diagnostic settings to route the FrontDoorWebApplicationFirewallLogs to the Log Analytics workspace. This allows you to tune the Front Door WAF based on your own traffic.
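
One way to use those WAF logs for tuning, as an added example that is not part of this template: the script groups exported log records by rule and matched variable, then flags rules that many distinct clients trigger on a single path, which usually points to legitimate application traffic worth reviewing for an exclusion. The records are constructed, the rule names and hostname are placeholders, and the field names are assumed to follow the Front Door WAF log schema.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

def _rec(ip, uri, rule, action, variable):
    """Build one constructed log record (assumed Front Door WAF log layout)."""
    return json.dumps({"properties": {
        "clientIP": ip, "requestUri": uri, "ruleName": rule, "action": action,
        "details": {"matches": [{"matchVariableName": variable}]}}})

# Constructed sample records, not real traffic; rule names are placeholders.
RULE_A, RULE_B, RULE_C = (f"PlaceholderRuleSet-1.0-RULE-{x}" for x in "ABC")
SAMPLE_LOG = [
    _rec("203.0.113.10", "https://www.example.com/search?q=1", RULE_A, "Block", "QueryParamValue:q"),
    _rec("203.0.113.11", "https://www.example.com/search?q=2", RULE_A, "Block", "QueryParamValue:q"),
    _rec("203.0.113.12", "https://www.example.com/search?q=3", RULE_A, "Block", "QueryParamValue:q"),
    _rec("198.51.100.7", "https://www.example.com/a.php", RULE_B, "Block", "RequestUri"),
    _rec("198.51.100.7", "https://www.example.com/b.php", RULE_B, "Block", "RequestUri"),
    _rec("203.0.113.10", "https://www.example.com/", RULE_C, "Log", "HeaderValue:user-agent"),
]

def summarize(lines):
    """Group WAF hits by (rule, matched variable) with distinct clients and paths."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "paths": set()})
    for line in lines:
        props = json.loads(line).get("properties", {})
        path = urlsplit(props.get("requestUri", "")).path
        for match in props.get("details", {}).get("matches", []):
            group = groups[(props.get("ruleName"), match.get("matchVariableName"))]
            group["hits"] += 1
            group["clients"].add(props.get("clientIP"))
            group["paths"].add(path)
    return dict(groups)

def exclusion_candidates(groups, min_clients=3):
    """Heuristic only: same rule and variable, one path, many distinct clients."""
    return sorted(key for key, g in groups.items()
                  if len(g["clients"]) >= min_clients and len(g["paths"]) == 1)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (rule, variable), g in sorted(summary.items()):
        print(rule, variable, g["hits"], len(g["clients"]), sorted(g["paths"]))
    print("Review for exclusion:", exclusion_candidates(summary))
```

A flagged pair is a prompt to inspect the matching requests, not proof of a false positive; a rule hit by one client across many paths (the second placeholder rule here) is left alone.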

Deployment steps

You can click the "deploy to Azure" button at the beginning of this document or follow the instructions for command line deployment using the scripts in the root of this repo.

Usage

Connect

Once you have deployed the Azure Resource Manager template, wait a few minutes before you attempt to access your Front Door endpoint to allow time for Front Door to propagate the settings throughout its network.

You can then access the Front Door endpoint. The hostname is emitted as a deployment output named frontDoorEndpointHostName. If you access the base hostname, you should see a page saying Welcome. If you see an error page instead, wait a few minutes and try again.

Tags: Microsoft.Cdn/profiles, Microsoft.Cdn/profiles/afdEndpoints, Microsoft.Cdn/profiles/originGroups, Microsoft.Cdn/profiles/originGroups/origins, Microsoft.Cdn/profiles/afdEndpoints/routes, Microsoft.Network/FrontDoorWebApplicationFirewallPolicies, Microsoft.Cdn/profiles/securityPolicies, Microsoft.OperationalInsights/workspaces, Microsoft.Insights/diagnosticSettings, Microsoft.Storage/storageAccounts, Microsoft.ManagedIdentity/userAssignedIdentities, Microsoft.Authorization/roleAssignments, Microsoft.Resources/deploymentScripts, UserAssigned