articles/frontdoor/best-practices.md (5 additions & 1 deletion)
@@ -8,7 +8,7 @@ ms.service: frontdoor
8
8
ms.topic: article
9
9
ms.tgt_pltfrm: na
10
10
ms.workload: infrastructure-services
11
-
ms.date: 07/10/2022
11
+
ms.date: 10/25/2022
12
12
ms.author: jodowns
13
13
---
14
14
@@ -28,6 +28,10 @@ If you combine both Front Door and Traffic Manager together, it's unlikely that
28
28
29
29
If you need content caching and delivery (CDN), TLS termination, advanced routing capabilities, or a web application firewall (WAF), consider using Front Door. For simple global load balancing with direct connections from your client to your endpoints, consider using Traffic Manager. For more information about selecting a load balancing option, see [Load-balancing options](/azure/architecture/guide/technology-choices/load-balancing-overview).
30
30
31
+
### Restrict traffic to your origins
32
+
33
+
Front Door's features work best when traffic only flows through Front Door. You should configure your origin to block traffic that hasn't been sent through Front Door. For more information, see [Secure traffic to Azure Front Door origins](origin-security.md).
34
+
31
35
### Use the latest API version and SDK version
32
36
33
37
When you work with Front Door by using APIs, ARM templates, Bicep, or Azure SDKs, it's important to use the latest available API or SDK version. API and SDK updates occur when new functionality is available, and also contain important security patches and bug fixes.
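Review bot: the new "Restrict traffic to your origins" section (new line 33) states the goal but not the two controls the linked article depends on, so a reader who only skims the best-practices page won't learn that IP filtering on its own is insufficient because the Front Door IP ranges are shared with other customers. Suggest one more sentence before the link, e.g. "Use the *AzureFrontDoor.Backend* service tag to restrict source IP addresses, and verify the `X-Azure-FDID` header so that only requests from your own Front Door profile are accepted."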
articles/frontdoor/front-door-faq.yml (15 additions & 63 deletions)
@@ -7,7 +7,7 @@ metadata:
7
7
ms.service: frontdoor
8
8
ms.topic: faq
9
9
ms.workload: infrastructure-services
10
-
ms.date: 09/14/2021
10
+
ms.date: 10/25/2022
11
11
title: Frequently asked questions for Azure Front Door
12
12
summary: |
13
13
This article answers common questions about Azure Front Door features and functionality. If you don't see the answer to your question, you can contact us through the following channels (in escalating order):
@@ -95,65 +95,7 @@ sections:
95
95
- question: |
96
96
How do I lock down the access to my backend to only Azure Front Door?
97
97
answer: |
98
-
> [!NOTE]
99
-
> New SKU Front Door Premium provides a more recommended way to lock down your application via Private Endpoint. [Learn more about Private Endpoint](private-link.md)
100
-
101
-
To lock down your application to accept traffic only from your specific Front Door, you can set up IP ACLs for your backend or restrict the traffic on your backend to the specific value of the header 'X-Azure-FDID' sent by Front Door. These steps are detailed out as below:
102
-
103
-
- Configure IP ACLing for your backends to accept traffic from Azure Front Door's backend IP address space and Azure's infrastructure services only. Refer the IP details below for ACLing your backend:
104
-
105
-
- Refer *AzureFrontDoor.Backend* section in [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519) for Front Door's backend IP address range or you can also use the service tag *AzureFrontDoor.Backend* in your [network security groups](../virtual-network/network-security-groups-overview.md#security-rules).
106
-
- Azure's [basic infrastructure services](../virtual-network/network-security-groups-overview.md#azure-platform-considerations) through virtualized host IP addresses: `168.63.129.16` and `169.254.169.254`
107
-
108
-
> [!WARNING]
109
-
> Front Door's backend IP space may change later, however, we will ensure that before that happens, that we would have integrated with [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519). We recommend that you subscribe to [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519) for any changes or updates.
110
-
111
-
- Look for the `Front Door ID` value under the Overview section from Front Door portal page. You can then filter on the incoming header '**X-Azure-FDID**' sent by Front Door to your backend with that value to ensure only your own specific Front Door instance is allowed (because the IP ranges above are shared with other Front Door instances of other customers).
112
-
113
-
- Apply rule filtering in your backend web server to restrict traffic based on the resulting 'X-Azure-FDID' header value. Note that some services like Azure App Service provide this [header based filtering](../app-service/app-service-ip-restrictions.md#restrict-access-to-a-specific-azure-front-door-instance) capability without needing to change your application or host.
114
-
115
-
Here's an example for [Microsoft Internet Information Services (IIS)](https://www.iis.net/):
SecRule REQUEST_HEADERS:X-Azure-FDID "!@eq xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" "log,deny,id:107,status:403,msg:\'Traffic incoming from a different Frontdoor\'"
150
-
spec:
151
-
#section omitted on purpose
152
-
```
153
-
154
-
- Azure Front Door also supports the *AzureFrontDoor.Frontend* service tag, which provides the list of IP addresses that clients use when connecting to Front Door. You can use the *AzureFrontDoor.Frontend* service tag when you’re controlling the outbound traffic that should be allowed to connect to services deployed behind Azure Front Door. Azure Front Door also supports an additional service tag, *AzureFrontDoor.FirstParty*, to integrate internally with other Azure services. See [available service tags](../virtual-network/service-tags-overview.md#available-service-tags) for more details on Azure Front Door service tags use cases.
155
-
156
-
If using Application Gateway as a backend to Azure Front Door, then the check on the `X-Azure-FDID` header can be done in a custom WAF rule. For more information, see [Create and use Web Application Firewall v2 custom rules on Application Gateway](../web-application-firewall/ag/create-custom-waf-rules.md#example-7).
98
+
Front Door's features work best when traffic only flows through Front Door. You should configure your origin to block traffic that hasn't been sent through Front Door. For more information, see [Secure traffic to Azure Front Door origins](origin-security.md).
157
99
158
100
- question: |
159
101
Can the anycast IP change over the lifetime of my Front Door?
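Review bot: the replacement answer at new line 98 drops every concrete term the removed text carried (`X-Azure-FDID`, *AzureFrontDoor.Backend*, Private Endpoint for the Premium SKU), so the FAQ entry no longer matches searches for those terms and Premium users lose the pointer to Private Link. Suggest keeping one sentence that names the options before the link to origin-security.md, e.g. "Use Private Link origins on the Premium tier, or combine *AzureFrontDoor.Backend* IP filtering with a check of the `X-Azure-FDID` header." The removed service-tag paragraph (old line 154) reappears as its own question further down in this file, so that part of the deletion is covered.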
@@ -203,7 +145,17 @@ sections:
203
145
- question: |
204
146
Can I configure Azure CDN behind my Front Door profile or vice versa?
205
147
answer: |
206
-
Azure Front Door and Azure CDN can't be configured together because both services utilizes the same Azure edge sites when responding to requests.
148
+
Azure Front Door and Azure CDN can't be configured together because both services utilize the same Azure edge sites when responding to requests.
149
+
150
+
- question: |
151
+
Which network service tags does Front Door support?
152
+
answer: |
153
+
Azure Front Door supports three service tags:
154
+
- The *AzureFrontDoor.Backend* service tag provides the list of IP addresses that Front Door uses to connect to your origins. You can use this service tag when you [secure traffic to your origins](origin-security.md).
155
+
- The *AzureFrontDoor.Frontend* service tag provides the list of IP addresses that clients use when connecting to Front Door. You can use the *AzureFrontDoor.Frontend* service tag when you’re controlling the outbound traffic that should be allowed to connect to services deployed behind Azure Front Door.
156
+
- The *AzureFrontDoor.FirstParty* service tag is used internally within Azure.
157
+
158
+
See [available service tags](../virtual-network/service-tags-overview.md#available-service-tags) for more details on Azure Front Door service tags use cases.
207
159
208
160
- name: Performance
209
161
questions:
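Review bot: in the new "Which network service tags does Front Door support?" answer, the *AzureFrontDoor.Frontend* bullet (new line 155) repeats the tag name in its second sentence, and the closing sentence (new line 158) has a grammar slip ("service tags use cases"); suggest "You can use this service tag when you control the outbound traffic that is allowed to connect to services deployed behind Azure Front Door." and "for more details on how to use the Azure Front Door service tags". Also, "is used internally within Azure" for *AzureFrontDoor.FirstParty* leaves readers unsure whether they need it in their own rules; the removed FAQ text said the tag exists to integrate with other Azure services, which is worth restoring here.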
@@ -218,7 +170,7 @@ sections:
218
170
- question: |
219
171
How does Front Door handle ‘domain fronting’ behavior?
220
172
answer: |
221
-
As of April 29, 2022, Microsoft has made a change to the behavior of Azure Front Door Standard/Premium/(classic) and Azure CDN from Microsoft (classic) in alignment with its commitment to stop allowing domain fronting behavior on its platform. Once blocking domain fronting is enabled, AFD and CDN resources will block any HTTP request that exhibit this behavior.
173
+
As of April 29, 2022, Microsoft has made a change to the behavior of Azure Front Door Standard/Premium/(classic) and Azure CDN from Microsoft (classic) in alignment with its commitment to stop allowing domain fronting behavior on its platform. Once blocking domain fronting is enabled, AFD and CDN resources will block any HTTP request that exhibits this behavior.
222
174
If this behavior is enabled for your resource, requests where Host header in HTTP/HTTPS requests doesn't match the original TLS SNI extension used during the TLS negotiation, will be blocked.
223
175
224
176
If you wish to block domain fronting for any existing Azure Front Door Standard and Premium, Azure Front Door (classic) and Azure CDN Standard from Microsoft (classic) resources or for new Azure Front Door Standard and Premium, Azure Front Door (classic) and Azure CDN Standard from Microsoft (classic) resources, please create a support request and provide your subscription and
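Review bot: the singular fix at new line 173 ("exhibits") is right, but the unchanged sentence that follows (line 174) has a similar slip: "requests where Host header in HTTP/HTTPS requests doesn't match the original TLS SNI extension used during the TLS negotiation, will be blocked" needs "the Host header" and no comma before "will". Since this hunk already touches the answer, suggest folding that fix in.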
@@ -252,7 +204,7 @@ sections:
252
204
- question: |
253
205
What is the retention policy on the diagnostics logs?
254
206
answer: |
255
-
Diagnostic logs flow to the customers storage account and customers can set the retention policy based on their preference. Diagnostic logs can also be sent to an Event Hub or Azure Monitor logs. For more information, see [Azure Front Door Diagnostics](front-door-diagnostics.md).
207
+
Diagnostic logs flow to the customers storage account and customers can set the retention policy based on their preference. Diagnostic logs can also be sent to an Event Hubs or Azure Monitor logs. For more information, see [Azure Front Door Diagnostics](front-door-diagnostics.md).
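Review bot: "sent to an Event Hubs" at new line 207 reads wrong even though Event Hubs is the product name; suggest "sent to Azure Event Hubs or to Azure Monitor Logs". The same line also has "the customers storage account" (missing possessive), which could be fixed in passing: "the customer's storage account".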
title: Secure traffic to origins - Azure Front Door
3
+
description: This article explains how to restrict traffic to your origins to ensure it's been processed by Azure Front Door.
4
+
services: front-door
5
+
author: johndowns
6
+
ms.service: frontdoor
7
+
ms.topic: conceptual
8
+
ms.workload: infrastructure-services
9
+
ms.date: 10/25/2022
10
+
ms.author: jodowns
11
+
zone_pivot_groups: front-door-tiers
12
+
---
13
+
14
+
# Secure traffic to Azure Front Door origins
15
+
16
+
Front Door's features work best when traffic only flows through Front Door. You should configure your origin to block traffic that hasn't been sent through Front Door. Otherwise, traffic might bypass Front Door's web application firewall, DDoS protection, and other security features.
17
+
18
+
::: zone pivot="front-door-classic"
19
+
20
+
> [!NOTE]
21
+
> *Origin* and *origin group* in this article refers to the backend and backend pool of the Azure Front Door (classic) configuration.
22
+
23
+
::: zone-end
24
+
25
+
::: zone pivot="front-door-standard-premium"
26
+
27
+
Front Door provides several approaches that you can use to restrict your origin traffic.
28
+
29
+
## Private Link origins
30
+
31
+
When you use the premium SKU of Front Door, you can use Private Link to send traffic to your origin. [Learn more about Private Link origins.](private-link.md)
32
+
33
+
You should configure your origin to disallow traffic that doesn't come through Private Link. The way that you restrict traffic depends on the type of Private Link origin you use:
34
+
35
+
- Azure App Service and Azure Functions automatically disable access through public internet endpoints when you use Private Link. For more information, see [Using Private Endpoints for Azure Web App](../app-service/networking/private-endpoint.md).
36
+
- Azure Storage provides a firewall, which you can use to deny traffic from the internet. For more information, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md).
37
+
- Internal load balancers with Azure Private Link service aren't publicly routable. You can also configure network security groups to ensure that you disallow access to your virtual network from the internet.
38
+
39
+
::: zone-end
40
+
41
+
## Public IP address-based origins
42
+
43
+
When you use public IP address-based origins, there are two approaches you should use together to ensure that traffic flows through your Front Door instance:
44
+
45
+
- Configure IP address filtering to ensure that requests to your origin are only accepted from the Front Door IP address ranges.
46
+
- Configure your application to verify the `X-Azure-FDID` header value, which Front Door attaches to all requests to the origin, and ensure that its value matches your Front Door's identifier.
47
+
48
+
### IP address filtering
49
+
50
+
Configure IP address filtering for your origins to accept traffic from Azure Front Door's backend IP address space and Azure's infrastructure services only.
51
+
52
+
The *AzureFrontDoor.Backend* service tag provides a list of the IP addresses that Front Door uses to connect to your origins. You can use this service tag within your [network security group rules](../virtual-network/network-security-groups-overview.md#security-rules). You can also download the [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519) data set, which is updated regularly with the latest IP addresses.
53
+
54
+
You should also allow traffic from Azure's [basic infrastructure services](../virtual-network/network-security-groups-overview.md#azure-platform-considerations) through the virtualized host IP addresses `168.63.129.16` and `169.254.169.254`.
55
+
56
+
> [!WARNING]
57
+
> Front Door's IP address space changes regularly. Ensure that you use the *AzureFrontDoor.Backend* service tag instead of hard-coding IP addresses.
58
+
59
+
### Front Door identifier
60
+
61
+
IP address filtering alone isn't sufficient to secure traffic to your origin, because other Azure customers use the same IP addresses. You should also configure your origin to ensure that traffic has originated from *your* Front Door profile.
62
+
63
+
Azure generates a unique identifier for each Front Door profile. You can find the identifier in the Azure portal, by looking for the *Front Door ID* value in the Overview page of your profile.
64
+
65
+
When Front Door makes a request to your origin, it adds the `X-Azure-FDID` request header. Your origin should inspect the header on incoming requests, and reject requests where the value doesn't match your Front Door profile's identifier.
66
+
67
+
### Example configuration
68
+
69
+
The following examples show how you can secure different types of origins.
70
+
71
+
# [App Service and Functions](#tab/app-service-functions)
72
+
73
+
You can use [App Service access restrictions](../app-service/app-service-ip-restrictions.md#restrict-access-to-a-specific-azure-front-door-instance) to perform IP address filtering as well as header filtering. The capability is provided by the platform, and you don't need to change your application or host.
74
+
75
+
# [Application Gateway](#tab/application-gateway)
76
+
77
+
Application Gateway is deployed into your virtual network. Configure a network security group rule to allow inbound access on ports 80 and 443 from the *AzureFrontDoor.Backend* service tag, and disallow inbound traffic on ports 80 and 443 from the *Internet* service tag.
78
+
79
+
Use a custom WAF rule to check the `X-Azure-FDID` header value. For more information, see [Create and use Web Application Firewall v2 custom rules on Application Gateway](../web-application-firewall/ag/create-custom-waf-rules.md#example-7).
80
+
81
+
# [IIS](#tab/iis)
82
+
83
+
When you run [Microsoft Internet Information Services (IIS)](https://www.iis.net/) on an Azure-hosted virtual machine, you should create a network security group in the virtual network that hosts the virtual machine. Configure a network security group rule to allow inbound access on ports 80 and 443 from the *AzureFrontDoor.Backend* service tag, and disallow inbound traffic on ports 80 and 443 from the *Internet* service tag.
84
+
85
+
Use an IIS configuration file like in the following example to inspect the `X-Azure-FDID` header on your incoming requests:
When you run [AKS with an NGINX ingress controller](../aks/ingress-basic.md), you should create a network security group in the virtual network that hosts the AKS cluster. Configure a network security group rule to allow inbound access on ports 80 and 443 from the *AzureFrontDoor.Backend* service tag, and disallow inbound traffic on ports 80 and 443 from the *Internet* service tag.
109
+
110
+
Use a Kubernetes ingress configuration file like in the following example to inspect the `X-Azure-FDID` header on your incoming requests:
SecRule REQUEST_HEADERS:X-Azure-FDID "!@eq xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" "log,deny,id:107,status:403,msg:\'Traffic incoming from a different Frontdoor\'"
124
+
spec:
125
+
#section omitted on purpose
126
+
```
127
+
128
+
---
129
+
130
+
## Next steps
131
+
132
+
- Learn how to configure a [WAF profile on Front Door](front-door-waf.md).
133
+
- Learn how to [create a Front Door](quickstart-create-front-door.md).
134
+
- Learn [how Front Door works](front-door-routing-architecture.md).
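Review bot: the ModSecurity rule in the AKS ingress example (`SecRule REQUEST_HEADERS:X-Azure-FDID "!@eq xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ...`) uses `@eq`, which is ModSecurity's numeric comparison operator; comparing a GUID with it doesn't perform a string match, so the rule doesn't enforce the identifier check that the "Front Door identifier" section promises. Suggest `"!@streq xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"` plus a sentence telling readers to replace the placeholder with the *Front Door ID* shown on the profile's Overview page. In the Application Gateway, IIS and AKS tabs the text asks for both an allow rule from *AzureFrontDoor.Backend* and a deny rule from *Internet* on ports 80 and 443 but doesn't say how the two must be ordered; stating that the allow rule needs the higher priority (lower priority number) would save readers a misconfiguration that silently blocks Front Door traffic.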