Securing web applications with Azure Front Door custom WAF rules
Securing web applications on Azure using Azure Front Door with custom Web Application Firewall (WAF) rules involves creating a WAF policy and associating it with the Azure Front Door service. The WAF policy allows you to define custom rules that can protect your application from common threats like SQL injection, cross-site scripting, and other OWASP Top 10 threats.
In Pulumi, this is achieved by defining resources such as `FrontdoorProfile` to represent the Azure Front Door service, and `WebApplicationFirewallPolicy` for the WAF policy with custom rules. The `WebApplicationFirewallPolicy` resource allows you to establish detailed rules for filtering and inspecting the traffic that reaches your application.

Below is a Pulumi program written in TypeScript that provides a starting point for creating an Azure Front Door instance with a custom WAF policy. Please note that the exact rules you need may depend on your application's specific requirements and threat model.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
import * as azure_native from "@pulumi/azure-native";

// Define an Azure resource group where all resources will be placed
const resourceGroup = new azure.core.ResourceGroup("resourceGroup", {
    location: "West US",
});

// Create an Azure Front Door instance
// Front Door is a scalable and secure entry point for fast delivery of your global applications
const frontDoorProfile = new azure.cdn.FrontdoorProfile("frontDoorProfile", {
    resourceGroupName: resourceGroup.name,
    skuName: "Standard_AzureFrontDoor", // Use the appropriate SKU for your needs
});

// An endpoint on the profile; its hostName is the public address clients connect to
const frontDoorEndpoint = new azure.cdn.FrontdoorEndpoint("frontDoorEndpoint", {
    cdnFrontdoorProfileId: frontDoorProfile.id,
});

// Define custom Web Application Firewall rules
// Each custom rule needs a unique priority; lower numbers are evaluated first
const customWafRule = {
    name: "CustomRule1",
    action: "Block",
    priority: 1,
    ruleType: "MatchRule",
    matchConditions: [
        {
            matchVariables: [
                {
                    variableName: "RemoteAddr",
                },
            ],
            operator: "IPMatch",
            negationConditon: false, // spelling follows the Azure API property name
            matchValues: [
                "192.168.1.0/24", // Placeholder: replace with the actual IP or CIDR you want to block
            ],
        },
    ],
};

// Create Web Application Firewall Policy with custom rules
const wafPolicy = new azure_native.network.WebApplicationFirewallPolicy("wafPolicy", {
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    customRules: [customWafRule],
    policySettings: {
        state: "Enabled",
        mode: "Prevention", // "Detection" only logs matches; "Prevention" enforces the rule actions
    },
    managedRules: {
        managedRuleSets: [
            {
                ruleSetType: "OWASP",
                ruleSetVersion: "3.1",
                ruleGroupOverrides: [
                    {
                        // OWASP CRS 3.1 group that holds the SQL injection rules
                        ruleGroupName: "REQUEST-942-APPLICATION-ATTACK-SQLI",
                        rules: [
                            { ruleId: "942100", action: "Block" },
                            { ruleId: "942110", action: "Block" },
                        ],
                    },
                ],
            },
        ],
    },
});

// Associate the WAF policy with the Front Door profile
const association = new azure.cdn.FrontdoorWebApplicationFirewallPolicyAssociation("association", {
    resourceGroupName: resourceGroup.name,
    frontdoorName: frontDoorProfile.name,
    webApplicationFirewallPolicyId: wafPolicy.id,
});

// Export the URL of the Front Door instance
export const frontDoorUrl = pulumi.interpolate`https://${frontDoorEndpoint.hostName}`;
```
In the above program:

- We import the necessary Pulumi and Azure SDK modules.
- We create an Azure resource group named `resourceGroup` that serves as a container for all the resources we're going to define. You can specify any location that is closest to your users.
- We set up the `FrontdoorProfile` to create an instance of Azure Front Door. Here, we're using the "Standard_AzureFrontDoor" SKU. You might want to customize the SKU based on the performance and feature set required for your use case.
- We define a custom WAF rule within the `customWafRule` object. This rule blocks traffic from a specified IP address range. You would replace the `matchValues` with any IP addresses that you have determined to be potentially harmful to your application.
- We define a `WebApplicationFirewallPolicy` named `wafPolicy` that references the resource group and includes the custom WAF rule we defined earlier. We also include managed rules, in this case some OWASP rules for SQL injection.
- We create an association between the WAF policy and the Front Door instance via a `FrontdoorWebApplicationFirewallPolicyAssociation`. This establishes the connection between the two, ensuring the WAF rules are applied to the traffic coming through Front Door.
- Finally, we export the hostname of the Front Door instance, which represents the public URL that users would use to access your application.
This code gives you a basis to start from, but you may need to add more rules and configurations to fine-tune your WAF setup to best protect your application. Make sure to replace dummy or example values with actual settings that are relevant to your environment.
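As an added example (not part of the original program), here is a small TypeScript check a practitioner can run over the `customRules` array before `pulumi up`: it flags host bits set in an IPMatch value (the page's own `192.168.1.1/24` placeholder has this problem), duplicate priorities, and empty match lists. The rule shape mirrors the page's `customWafRule`; the validation logic and the constructed sample rules are assumptions of this example, not Azure or Pulumi code.

```typescript
// Added example, not from the page: sanity-check custom WAF rules before `pulumi up`.
export interface CustomWafRule {
  name: string;
  action: "Allow" | "Block" | "Log";
  priority: number;
  ruleType: "MatchRule" | "RateLimitRule";
  matchConditions: {
    matchVariables: { variableName: string }[];
    operator: string;
    negationConditon: boolean; // spelling mirrors the API property name used on the page
    matchValues: string[];
  }[];
}
// True for an IPv4 address or a canonical CIDR (host bits clear): 192.168.1.0/24 yes, 192.168.1.1/24 no.
export function isCanonicalCidr(value: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(value);
  if (!m) return false;
  const octets = m.slice(1, 5).map(Number);
  const prefix = m[5] === undefined ? 32 : Number(m[5]);
  if (octets.some(o => o > 255) || prefix > 32) return false;
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0; // JS shift counts wrap at 32
  return ((addr & mask) >>> 0) === addr;
}
// Flags duplicate priorities (must be unique within a policy), empty match lists, and bad IPMatch values.
export function lintCustomRules(rules: CustomWafRule[]): string[] {
  const problems: string[] = [];
  const byPriority = new Map<number, string>();
  for (const r of rules) {
    const clash = byPriority.get(r.priority);
    if (clash !== undefined) problems.push(`${r.name}: priority ${r.priority} already used by ${clash}`);
    byPriority.set(r.priority, r.name);
    for (const c of r.matchConditions) {
      if (c.matchValues.length === 0) problems.push(`${r.name}: matchValues is empty`);
      if (c.operator !== "IPMatch") continue;
      for (const v of c.matchValues.filter(x => !isCanonicalCidr(x))) {
        problems.push(`${r.name}: '${v}' is not an IPv4 address or canonical CIDR`);
      }
    }
  }
  return problems;
}
// Constructed sample: the page's rule as written (host bits set in the /24) plus a
// second rule that reuses priority 1, so lintCustomRules(sampleRules) reports two problems.
const ipCond = (...matchValues: string[]) =>
  ({ matchVariables: [{ variableName: "RemoteAddr" }], operator: "IPMatch", negationConditon: false, matchValues });
export const sampleRules: CustomWafRule[] = [
  { name: "CustomRule1", action: "Block", priority: 1, ruleType: "MatchRule", matchConditions: [ipCond("192.168.1.1/24")] },
  { name: "CustomRule2", action: "Block", priority: 1, ruleType: "MatchRule", matchConditions: [ipCond("192.168.1.0/24", "10.0.0.5")] },
];
```

Wire `lintCustomRules` into a pre-commit hook or CI step so a malformed rule never reaches the policy in Prevention mode, where a rule that silently matches nothing leaves the application unprotected.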
After deploying this Pulumi program, Azure Front Door will start serving your web application behind the WAF policy you defined, blocking or logging requests that match your custom and managed rules before they reach your application.