Enabling Web Application Firewall (WAF) on Azure Front Door
To enable a Web Application Firewall (WAF) on an Azure Front Door instance, you need to create several resources:
- FrontDoor: This is the main resource representing the Azure Front Door service.
- AFDOriginGroup: A group of back-end origins that Azure Front Door can route traffic to.
- AFDEndpoint: Endpoints represent the points of presence where Azure Front Door will accept client requests and serve them using the nearest origin based on routing methods.
- SecurityPolicy: Defines the WAF policy and its association with Front Door endpoints.
First, you'll need to create the Azure Front Door with an endpoint and an origin group. Then, you'll define a WAF policy (creating one if it’s not already set up) and attach it to the Front Door's endpoint.
Here's a Pulumi program written in TypeScript that sets up these resources and enables WAF on Azure Front Door. Make sure you have all the prerequisites set up, like having the Azure provider configured in your Pulumi environment.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Create an Azure resource group
const resourceGroup = new azure_native.resources.ResourceGroup("myResourceGroup");

// Front Door (classic) sub-resources (frontend endpoints, backend pools, health probe
// and load balancing settings) are referenced by ARM resource ID from inside the same
// FrontDoor resource, so the Front Door name is fixed up front and the IDs are built
// by hand: the FrontDoor object cannot reference its own `id` inside its own definition.
// Front Door names are globally unique and form the default <name>.azurefd.net hostname.
const frontDoorName = "myfrontdoor";
const clientConfig = pulumi.output(azure_native.authorization.getClientConfig());
const frontDoorId = pulumi.interpolate`/subscriptions/${clientConfig.subscriptionId}/resourceGroups/${resourceGroup.name}/providers/Microsoft.Network/frontDoors/${frontDoorName}`;

// Create a Web Application Firewall (WAF) policy for Front Door (classic).
// Front Door WAF policies are the network.Policy resource
// (Microsoft.Network/FrontDoorWebApplicationFirewallPolicies); the policy name
// must be alphanumeric, so it is set explicitly rather than auto-named.
const wafPolicy = new azure_native.network.Policy("myWafPolicy", {
    policyName: "myWafPolicy",
    resourceGroupName: resourceGroup.name,
    location: "Global",
    sku: { name: "Classic_AzureFrontDoor" },
    customRules: {
        rules: [
            // Custom rules (rate limiting, geo or IP match) can be added here if needed
        ],
    },
    managedRules: {
        managedRuleSets: [{
            // Azure-managed rule set for Front Door, derived from the OWASP Core Rule Set
            ruleSetType: "DefaultRuleSet",
            ruleSetVersion: "1.0",
            ruleGroupOverrides: [
                // Optionally override rule groups here
            ],
        }],
    },
    policySettings: {
        enabledState: "Enabled",
        mode: "Prevention", // block matching requests instead of only logging them (Detection)
    },
});

// Create the Front Door instance
const frontDoor = new azure_native.network.FrontDoor("myFrontDoor", {
    frontDoorName: frontDoorName,
    resourceGroupName: resourceGroup.name,
    location: "Global", // Front Door is a global service
    frontendEndpoints: [{
        name: "defaultFrontendEndpoint",
        // Replace this with your custom domain if needed.
        hostName: `${frontDoorName}.azurefd.net`,
        // Associate the WAF policy with this frontend endpoint
        webApplicationFirewallPolicyLink: { id: wafPolicy.id },
    }],
    loadBalancingSettings: [{
        name: "defaultLoadBalancingSettings",
        sampleSize: 4,
        successfulSamplesRequired: 2,
    }],
    healthProbeSettings: [{
        name: "defaultHealthProbeSettings",
        path: "/",
        protocol: "Https",
        // Other specific settings for the health probe can be added here
    }],
    backendPools: [{
        name: "defaultBackendPool",
        backends: [{
            address: "example-backend.azurewebsites.net",
            httpPort: 80,
            httpsPort: 443,
            weight: 1,
        }],
        // A backend pool must reference its load balancing and health probe settings
        loadBalancingSettings: { id: pulumi.interpolate`${frontDoorId}/loadBalancingSettings/defaultLoadBalancingSettings` },
        healthProbeSettings: { id: pulumi.interpolate`${frontDoorId}/healthProbeSettings/defaultHealthProbeSettings` },
    }],
    routingRules: [{
        name: "defaultRoutingRule",
        frontendEndpoints: [{ id: pulumi.interpolate`${frontDoorId}/frontendEndpoints/defaultFrontendEndpoint` }],
        acceptedProtocols: ["Http", "Https"],
        patternsToMatch: ["/*"],
        routeConfiguration: {
            // Replace with your forwarding configuration
            odataType: "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration",
            forwardingProtocol: "MatchRequest",
            backendPool: { id: pulumi.interpolate`${frontDoorId}/backendPools/defaultBackendPool` },
        },
    }],
});

// Export the Front Door endpoint URL so it can be accessed
export const frontDoorUrl = pulumi.interpolate`https://${frontDoorName}.azurefd.net`;
```
This program sets up the resources as described above, including a WAF with a default managed rule set for common security threats. The `webApplicationFirewallPolicyLink` property associates the WAF policy with the Front Door frontend endpoint. After deploying this Pulumi program, your Azure Front Door instance will be protected by WAF with the rules you specified.
Remember to replace placeholder values like `example-backend.azurewebsites.net` with actual values matching your backend setup. For the `hostName` of the frontend endpoint, use a domain that you control or stick to the default `*.azurefd.net` domain provided by Azure for testing purposes. If you use a custom domain, additional steps are required to configure the DNS and SSL/TLS certificates, which are beyond the scope of this setup.
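The settings that decide whether the WAF actually protects anything are easy to get wrong in a large argument object: the policy left in Detection mode, an endpoint without a policy link, or a routing rule that still forwards plain HTTP. The following is an added example, not part of the original Pulumi program or of the Pulumi project: a small pre-deployment review function over plain objects shaped like the `Policy` and `FrontDoor` arguments used above. It imports nothing from `@pulumi/*`, so it runs with plain Node.js/TypeScript; the `reviewWafSetup` function, its argument interfaces and the sample configurations (including the placeholder `<sub>`/`<rg>` resource ID) are all constructed for this example.

```typescript
// Added example (not the page's or Pulumi's code): review the plain-object
// arguments for the Front Door WAF policy and the Front Door itself for
// settings that leave traffic uninspected. The interfaces mirror only the
// fields the review needs from the Pulumi argument objects.

interface PolicySettings {
    enabledState?: "Enabled" | "Disabled";
    mode?: "Prevention" | "Detection";
}

interface WafPolicyArgs {
    policySettings?: PolicySettings;
    managedRules?: { managedRuleSets?: { ruleSetType: string; ruleSetVersion: string }[] };
}

interface FrontDoorArgs {
    frontendEndpoints: {
        name: string;
        hostName: string;
        webApplicationFirewallPolicyLink?: { id: string };
    }[];
    routingRules: {
        name: string;
        acceptedProtocols: string[];
        routeConfiguration: { odataType: string; forwardingProtocol?: string };
    }[];
}

// Returns one finding per weakness; an empty array means the setup looks as intended.
function reviewWafSetup(policy: WafPolicyArgs, frontDoor: FrontDoorArgs): string[] {
    const findings: string[] = [];
    const settings: PolicySettings = policy.policySettings ?? {};

    if (settings.enabledState === "Disabled") {
        findings.push("policy: enabledState is Disabled, so no rule is evaluated at all");
    }
    if (settings.mode !== "Prevention") {
        findings.push(`policy: mode is ${settings.mode ?? "unset"}; only Prevention blocks matching requests`);
    }
    if ((policy.managedRules?.managedRuleSets ?? []).length === 0) {
        findings.push("policy: no managed rule set, so only custom rules (if any) apply");
    }
    // Every frontend endpoint needs its own link; an unlinked endpoint bypasses the WAF.
    for (const ep of frontDoor.frontendEndpoints) {
        if (!ep.webApplicationFirewallPolicyLink?.id) {
            findings.push(`endpoint ${ep.name}: no webApplicationFirewallPolicyLink, so traffic to ${ep.hostName} is not inspected`);
        }
    }
    // A forwarding rule that accepts Http passes plaintext requests through to the origin.
    for (const rule of frontDoor.routingRules) {
        const forwards = rule.routeConfiguration.odataType.endsWith("FrontdoorForwardingConfiguration");
        if (forwards && rule.acceptedProtocols.includes("Http")) {
            findings.push(`routing rule ${rule.name}: forwards plain HTTP; consider Https only or an HTTP-to-HTTPS redirect rule`);
        }
    }
    return findings;
}

// Constructed sample input: a weak configuration (Detection mode, no managed rules,
// unlinked endpoint, plain HTTP forwarded) ...
const weakPolicy: WafPolicyArgs = { policySettings: { mode: "Detection" }, managedRules: { managedRuleSets: [] } };
const weakFrontDoor: FrontDoorArgs = {
    frontendEndpoints: [{ name: "defaultFrontendEndpoint", hostName: "myfrontdoor.azurefd.net" }],
    routingRules: [{ name: "defaultRoutingRule", acceptedProtocols: ["Http", "Https"],
        routeConfiguration: { odataType: "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration" } }],
};
// ... and the hardened version of the same setup (resource ID is a placeholder).
const hardenedPolicy: WafPolicyArgs = {
    policySettings: { enabledState: "Enabled", mode: "Prevention" },
    managedRules: { managedRuleSets: [{ ruleSetType: "DefaultRuleSet", ruleSetVersion: "1.0" }] },
};
const hardenedFrontDoor: FrontDoorArgs = {
    frontendEndpoints: [{ name: "defaultFrontendEndpoint", hostName: "myfrontdoor.azurefd.net",
        webApplicationFirewallPolicyLink: { id: "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/myWafPolicy" } }],
    routingRules: [{ name: "defaultRoutingRule", acceptedProtocols: ["Https"],
        routeConfiguration: { odataType: "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration" } }],
};

console.log(reviewWafSetup(weakPolicy, weakFrontDoor));          // four findings
console.log(reviewWafSetup(hardenedPolicy, hardenedFrontDoor));  // []
```

Run it against the argument objects before `pulumi up` (or wire it into CI on the exported plain configuration) so that a policy silently left in Detection mode or an endpoint added without a policy link is caught before it reaches Azure.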