Global DDoS Protection for AI Endpoints with Azure Front Door

Question

Pulumi · Accepted Answer

To set up global DDoS protection for AI endpoints using Azure Front Door, you need to create and configure a few different resources. Azure Front Door is a scalable and secure entry point for fast delivery of your global applications. It provides various features including SSL offloading, path-based routing, multiple-site hosting, and, crucially for your needs, global DDoS protection.

The Pulumi resources we will use for this configuration are:

1. `FrontDoor`: This is the main resource that represents Azure Front Door service, where we define backend pools, routing rules, and front door listeners.
2. `AFDEndpoint`: An endpoint is where Azure Front Door listens for client requests. It's linked with Front Door configuration.
3. `AFDOriginGroup`: Origin groups are groups of backends that drive the traffic for a particular request. Origin groups enable high availability and failover capabilities to your front door.
4. `SecurityPolicy`: This represents the Web Application Firewall (WAF) configuration, which provides protection to web applications from common web vulnerabilities and exploits, and includes DDoS protection.

Below is a Pulumi program written in Python, which defines these resources. The example is simplified for illustration purposes and assumes that you already have a set of AI endpoints to protect. Replace `'your-ai-service.endpoint.com'` with the domain name of your actual AI endpoint.

```python
import pulumi
import pulumi_azure_native as azure_native

# Define the Resource Group
resource_group = azure_native.resources.ResourceGroup("my-resource-group")

# Define the Front Door
front_door = azure_native.network.FrontDoor("my-front-door",
    resource_group_name=resource_group.name,
    location="Global",  # Set the location to global as Front Door is a global service
    enabled_state="Enabled",  # Enable the Front Door service
    frontend_endpoints=[
        azure_native.network.FrontendEndpointArgs(  # Define the frontend endpoint
            name="frontendEndpoint1",
            host_name="my-front-door.azurefd.net",  # Auto-generated domain name for the Front Door Service
        ),
    ],
    backend_pools=[
        azure_native.network.BackendPoolArgs(  # Define backend pools with the AI endpoint as the backend
            name="backendPool1",
            backends=[
                azure_native.network.BackendArgs(
                    address="your-ai-service.endpoint.com",
                    http_port=80,
                    https_port=443,
                    priority=1,
                    weight=50,
                    enabled_state="Enabled",
                ),
            ],
            load_balancing_settings=azure_native.network.SubResourceArgs(
                name="loadBalancingSettings1",
            ),
            health_probe_settings=azure_native.network.SubResourceArgs(
                name="healthProbeSettings1",
            ),
        ),
    ],
    routing_rules=[
        azure_native.network.RoutingRuleArgs(  # Define routing rules
            name="routingRule1",
            frontend_endpoints=["frontendEndpoint1"],
            accepted_protocols=["Http", "Https"],
            patterns_to_match=["/*"],
            route_configuration=azure_native.network.ForwardingConfigurationArgs(
                forwarding_protocol="MatchRequest",
                backend_pool=azure_native.network.SubResourceArgs(
                    id=front_door.id.apply(lambda id: f"{id}/backendPools/backendPool1"),
                ),
            )
        ),
    ],
    # Associate a WAF policy to the Front Door
    web_application_firewall_policy_link=azure_native.network.FrontDoorWebApplicationFirewallPolicyLinkArgs(
        id="my-waf-policy-id",  # Replace this with the actual ID of your existing WAF policy
    ),
)

# Create WAF (Web Application Firewall) Policy for DDoS protection
waf_policy = azure_native.cdn.SecurityPolicy("my-waf-policy",
    resource_group_name=resource_group.name,
    profile_name=front_door.name,
    security_policy_name="my-security-policy",
    parameters=azure_native.cdn.SecurityPolicyParametersArgs(
        waf_policy=azure_native.cdn.SecurityPolicyParametersArgsWafPolicyArgs(
            id="my-waf-policy-id",  # Replace with your Front Door WAF policy resource ID
        ),
    ),
)

# Export the URL of the Front Door frontend endpoint
pulumi.export('front_door_url', front_door.frontend_endpoints[0].host_name)
```

Let's take a closer look at each part of this program:

1. Resource Group: Before you can deploy any resources, you need a resource group to contain them. It's a logical container for resources deployed on Azure.

2. Azure Front Door: Here, you create a `FrontDoor` resource. It includes definitions for the entry point (`frontend_endpoints`), how the traffic is balanced and checked (`backend_pools`), and how the requests are routed (`routing_rules`). You also enable the service by setting `enabled_state` to "Enabled".

3. Backend Pool: This is defined within the `FrontDoor` resource, which contains your AI endpoint where Azure Front Door will forward the traffic.

4. Routing Rules: These rules define how requests to your Front Door frontend are routed to the backend pool. In this case, all requests (`/*`) are forwarded to our backend pool.

5. Web Application Firewall Policy: The `SecurityPolicy` resource refers to the WAF configuration. The linked policy ID should be existing or generated as per your custom configurations, and includes your DDoS settings.

Lastly, we export the frontend endpoint URL generated by Azure Front Door. This URL is the entry point through which the traffic goes to your AI endpoints and will have DDoS protection enabled.

Remember, this is a simplified example to get you started. Real-world scenarios would require a more detailed configuration of routing, backend health probes, WAF rules, and more. Additionally, due to the nature of AI applications, extra care should be taken to make sure you are not blocking legitimate traffic while configuring WAF rules.