MicrosoftDocs
diff --git a/‎articles/web-application-firewall/afds/waf-front-door-configure-ip-restriction.md
Lines changed: 70 additions & 9 deletions b/‎articles/web-application-firewall/afds/waf-front-door-configure-ip-restriction.md
Lines changed: 70 additions & 9 deletions
diff --git a/‎articles/web-application-firewall/media/waf-front-door-configure-ip-restriction/custom-rule.png
39.1 KB b/‎articles/web-application-firewall/media/waf-front-door-configure-ip-restriction/custom-rule.png
39.1 KB
diff --git a/‎articles/web-application-firewall/media/waf-front-door-configure-ip-restriction/waf-rule-test.png
16.9 KB b/‎articles/web-application-firewall/media/waf-front-door-configure-ip-restriction/waf-rule-test.png
16.9 KB
@@ -5,17 +5,76 @@ services: web-application-firewall
 author: vhorne
 ms.service: web-application-firewall
 ms.topic: article
-ms.date: 08/21/2019
-ms.author: victorh
-ms.reviewer: tyao
+ms.date: 03/26/2020
+ms.author: tyao
 ---
 
 # Configure an IP restriction rule with a Web Application Firewall for Azure Front Door
-This article shows you how to configure IP restriction rules in a Web Application Firewall (WAF) for Azure Front Door by using the Azure CLI, Azure PowerShell, or an Azure Resource Manager template.
+
+This article shows you how to configure IP restriction rules in a Web Application Firewall (WAF) for Azure Front Door by using the Azure portal, Azure CLI, Azure PowerShell, or an Azure Resource Manager template.
 
 An IP address–based access control rule is a custom WAF rule that lets you control access to your web applications. It does this by specifying a list of IP addresses or IP address ranges in Classless Inter-Domain Routing (CIDR) format.
 
-By default, your web application is accessible from the internet. If you want to limit access to clients from a list of known IP addresses or IP address ranges, you may create an IP matching rule that contains the list of IP addresses as matching values and sets operator to "Not" (negate is true) and the action to **Block**. After an IP restriction rule is applied, requests that originate from addresses outside this allowed list receive a 403 Forbidden response.  
+By default, your web application is accessible from the Internet. If you want to limit access to clients from a list of known IP addresses or IP address ranges, you may create an IP matching rule that contains the list of IP addresses as matching values and sets operator to "Not" (negate is true) and the action to **Block**. After an IP restriction rule is applied, requests that originate from addresses outside this allowed list receive a 403 Forbidden response.
+
+## Configure a WAF policy with the Azure portal
+
+### Prerequisites
+
+Create an Azure Front Door profile by following the instructions described in [Quickstart: Create a Front Door for a highly available global web application](../../frontdoor/quickstart-create-front-door.md).
+
+### Create a WAF policy
+
+1. On the Azure portal, select **Create a resource**,  type  **Web application firewall** in the search box, and then select **Web Application Firewall (WAF)**.
+2. Select **Create**.
+3. On the **Create a WAF policy** page, use the following values to complete the **Basics** tab:
+   
+   |Setting  |Value  |
+   |---------|---------|
+   |Policy for     |Global WAF (Front Door)|
+   |Subscription     |Select your subscription|
+   |Resource group     |Select the resource group where your Front Door is.|
+   |Policy name     |Type a name for your policy|
+   |Policy state     |Enabled|
+
+   Select **Next: Policy settings**
+
+1. On the **Policy settings** tab, select **Prevention**. For the **Block response body**, type *You've been blocked!* so you can see that your custom rule is in effect.
+2. Select **Next: Managed rules**.
+3. Select **Next: Custom rules**.
+4. Select **Add custom rule**.
+5. On the **Add custom rule** page, use the following test values to create a custom rule:
+
+   |Setting  |Value  |
+   |---------|---------|
+   |Custom rule name     |FdWafCustRule|
+   |Status     |Enabled|
+   |Rule type     |Match|
+   |Priority    |100|
+   |Match type     |IP address|
+   |Match variable|RemoteAddr|
+   |Operation|Does not contain|
+   |IP address or range|10.10.10.0/24|
+   |Then|Deny traffic|
+
+   :::image type="content" source="../media/waf-front-door-configure-ip-restriction/custom-rule.png" alt-text="Custom rule":::
+
+   Select **Add**.
+6. Select **Next: Association**.
+7. Select **Add frontend host**.
+8. For **Frontend host**, select your frontend host and select **Add**.
+9. Select **Review + create**.
+10. After your policy validation passes, select **Create**.
+
+### Test your WAF policy
+
+1. After your WAF policy deployment completes, browse to your Front Door frontend host name.
+2. You should see your custom block message.
+
+   :::image type="content" source="../media/waf-front-door-configure-ip-restriction/waf-rule-test.png" alt-text="WAF rule test":::
+
+   > [!NOTE]
+   > A private IP address was intentionally used in the custom rule to guarantee the rule would trigger. In an actual deployment, create *allow* and *deny* rules using IP addresses for your particular situation.
 
 ## Configure a WAF policy with the Azure CLI
 
@@ -48,7 +107,9 @@ In the following examples:
 -  Replace *IPAllowPolicyExampleCLI* with your unique policy created earlier.
 -  Replace *ip-address-range-1*, *ip-address-range-2* with your own range.
 
-First, create an IP allow rule for the policy created from the previous step. Note **--defer** is required because a rule must have a match condition to be added in the next step.
+First, create an IP allow rule for the policy created from the previous step. 
+> [!NOTE]
+> **--defer** is required because a rule must have a match condition to be added in the next step.
 
 ```azurecli
 az network front-door waf-policy rule create \
@@ -138,7 +199,7 @@ $IPMatchCondition = New-AzFrontDoorWafMatchConditionObject `
 
 Use the [New-AzFrontDoorWafCustomRuleObject](/powershell/module/Az.FrontDoor/New-azfrontdoorwafcustomruleobject) command to define an action and set a priority. In the following example, requests not from client IPs that match the list will be blocked.
 
-```powershell
+```azurepowershell
 $IPAllowRule = New-AzFrontDoorWafCustomRuleObject `
 -Name "IPAllowRule" `
 -RuleType MatchRule `
@@ -149,7 +210,7 @@ $IPAllowRule = New-AzFrontDoorWafCustomRuleObject `
 ### Configure a WAF policy
 Find the name of the resource group that contains the Azure Front Door profile by using `Get-AzResourceGroup`. Next, configure a WAF policy with the IP rule by using [New-AzFrontDoorWafPolicy](/powershell/module/az.frontdoor/new-azfrontdoorwafpolicy).
 
-```powershell
+```azurepowershell
   $IPAllowPolicyExamplePS = New-AzFrontDoorWafPolicy `
     -Name "IPRestrictionExamplePS" `
     -resourceGroupName <resource-group-name> `
@@ -162,7 +223,7 @@ Find the name of the resource group that contains the Azure Front Door profile b
 
 Link a WAF policy object to an existing front-end host and update Azure Front Door properties. First, retrieve the Azure Front Door object by using [Get-AzFrontDoor](/powershell/module/Az.FrontDoor/Get-AzFrontDoor). Next, set the **WebApplicationFirewallPolicyLink** property to the resource ID of *$IPAllowPolicyExamplePS*, created in the previous step, by using the [Set-AzFrontDoor](/powershell/module/Az.FrontDoor/Set-AzFrontDoor) command.
 
-```powershell
+```azurepowershell
   $FrontDoorObjectExample = Get-AzFrontDoor `
     -ResourceGroupName <resource-group-name> `
     -Name $frontDoorName