adaptive.run TECH BLOG

Cloud can be tricky sometimes. Find out which scenarios we've run into that are worth mentioning and explaining.

Configuring Azure FrontDoor with WAF Protection

Level: 200
Publishing date: 10-Jul-2020
Author: Catalin Popa

Azure Front Door Service provides management and monitoring of web traffic, optimizing for the best performance and offering instant global failover for high availability. The main purpose of implementing Azure Front Door is to make your application robust, high-performing and globally reachable.

Front Door uses the anycast protocol with split TCP over Microsoft's global network to improve global connectivity, and its routing sends each request to the fastest available, lowest-latency backend first.

The Front Door platform itself is protected by Azure DDoS Protection at the Basic level. Front Door also allows a custom Web Application Firewall (WAF) that protects your workload from exploitation by malicious requests. The availability of each backend is constantly checked by smart health probes, which ping the backend nodes to monitor whether they are healthy.



PREREQ: Create Webapps
In this case, we are going for two WebApps from two different regions - please start by creating 2 webapps in two different regions.

Create Front Door 

Select Create a resource > Front Door > Create. Fill in the basic information, then select Configuration and click on "+" to add a Frontend Host:

Also, make sure to add a backend pool:

Select the backend host type "App Service", as we have created WebApps for this demo. Here Priority and Weight are 1 and 50 by default; we can change the Priority and Weight of each backend as required.

Now add the health probe settings as below:


Health probes check the health of the particular backend you are creating, to ensure the availability of the application.

After this we need to add the load balancing settings:

As mentioned in the above image, requests will always go to the fastest available backend first if Latency Sensitivity is kept at 0.

After adding the backend pool, we need to create routing rules:


The basic routing rule states which frontend host should be routed to which backend pool; keep everything checked as it is. After adding the basic info, click on the "Advanced" tab. If you need to enable caching, click on 'Enabled' and select 'Query String Caching'.

That's all you need to create the Front Door, and you can continue by finishing the process. The only remaining step is to assign a WAF policy to the Front Door.

For that, we will need to create a Web Application Firewall. There are two modes for a WAF Policy to be configured: 

Prevention: This mode is recommended, as it blocks all malicious requests directly and returns a 403 Forbidden error in response to each such request.

Detection: This mode does not block any requests but logs all malicious requests to Log Analytics, where they can be seen using a log search query. It can be used while developing the web application to find out whether a genuine/valid request would be blocked due to coding (OWASP) incompatibility, so that the issue can be resolved later.
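An added example (not from the original post): a small Python triage of Detection-mode WAF records, grouping hits per rule and path to spot rules that would block legitimate traffic before the policy is switched to Prevention. The sample records and rule names are constructed, and the field names (`policyMode`, `ruleName`, `requestUri`, `clientIP` under `properties`) and the distinct-client heuristic are assumptions to adjust to your own log export.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export, one JSON record per line. Field names are an
# assumption about the WAF log layout; hosts, IPs and rule names are made up.
SAMPLE_LOG = """\
{"properties": {"clientIP": "198.51.100.7", "requestUri": "https://shop.example.net/api/comments?id=1", "ruleName": "DefaultRuleSet-1.0-SQLI-942100", "policyMode": "detection"}}
{"properties": {"clientIP": "198.51.100.8", "requestUri": "https://shop.example.net/api/comments?id=2", "ruleName": "DefaultRuleSet-1.0-SQLI-942100", "policyMode": "detection"}}
{"properties": {"clientIP": "198.51.100.9", "requestUri": "https://shop.example.net/api/comments?id=7", "ruleName": "DefaultRuleSet-1.0-SQLI-942100", "policyMode": "detection"}}
{"properties": {"clientIP": "203.0.113.50", "requestUri": "https://shop.example.net/login?user=x", "ruleName": "DefaultRuleSet-1.0-XSS-941100", "policyMode": "detection"}}
{"properties": {"clientIP": "203.0.113.50", "requestUri": "https://shop.example.net/login?user=y", "ruleName": "DefaultRuleSet-1.0-XSS-941100", "policyMode": "detection"}}
{"properties": {"clientIP": "203.0.113.51", "requestUri": "https://shop.example.net/login", "ruleName": "DefaultRuleSet-1.0-XSS-941100", "policyMode": "prevention"}}
not-json-line
"""


def triage(lines, min_clients=3):
    """Summarise Detection-mode hits per (rule, path), busiest first.

    'review' flags a rule that fired for at least min_clients distinct
    clients on one path: many unrelated users tripping the same rule often
    points to normal application traffic (assumed heuristic, tune as needed).
    """
    hits = defaultdict(lambda: {"count": 0, "clients": set()})
    for line in lines:
        try:
            props = json.loads(line)["properties"]
            mode = str(props.get("policyMode", "")).lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # blank, malformed or unexpected record
        if mode != "detection":
            continue  # only requests that were logged, not blocked
        # Drop the query string so hits on one endpoint group together.
        path = urlsplit(props.get("requestUri", "")).path or "/"
        entry = hits[(props.get("ruleName", "unknown"), path)]
        entry["count"] += 1
        entry["clients"].add(props.get("clientIP"))
    rows = [
        {"rule": rule, "path": path, "hits": e["count"],
         "clients": len(e["clients"]), "review": len(e["clients"]) >= min_clients}
        for (rule, path), e in hits.items()
    ]
    return sorted(rows, key=lambda r: (-r["hits"], r["rule"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines()):
        print(row)
```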

When you create the WAF policy, make sure to associate it with your Front Door host:


And that's it!

Global connectivity of Azure application services reduces the latency for end users as well as allowing developers to build out geo-distributed services.

Web application filtering protects against DDoS attacks or malicious users at the edge without impacting any backend services. Because of the performance, operability and security benefits to HTTP workloads with Front Door, we recommend customers use Front Door for their HTTP workloads.
