|
| 1 | +--- |
| 2 | +title: Quickly scale and protect a web application using Azure Front Door and Azure Web Application Firewall (WAF) | Microsoft Docs |
| 3 | +description: This article helps you understand how to use Web Application Firewall with your AAzure Front Door Service |
| 4 | +services: frontdoor |
| 5 | +documentationcenter: '' |
| 6 | +author: tremansdoerfer |
| 7 | +ms.service: frontdoor |
| 8 | +ms.devlang: na |
| 9 | +ms.topic: article |
| 10 | +ms.tgt_pltfrm: na |
| 11 | +ms.workload: infrastructure-services |
| 12 | +ms.date: 05/06/2020 |
| 13 | +ms.author: rimansdo |
| 14 | +--- |
| 15 | + |
| 16 | +# Quickly scale and protect a web application using Azure Front Door and Azure Web Application Firewall (WAF) |
| 17 | + |
| 18 | +Many web applications have experienced rapid increase of traffic in recent weeks related to COVID-19. In addition, these web applications are also observing a surge in malicious traffic including denial of service attacks. An effective way to handle both these needs, scale out for traffic surges and protect from attacks, is to set up Azure Front Door with Azure WAF as an acceleration, caching and security layer in front of your web application. This article provides guidance on how to quickly get this Azure Front Door with Azure WAF setup for any web applications running in or outside of Azure. |
| 19 | + |
| 20 | +We will be using Azure CLI to set up the WAF in this tutorial, but all these steps are also fully supported in Azure portal, Azure PowerShell, Azure ARM, and Azure REST APIs. |
| 21 | + |
| 22 | +## Prerequisites |
| 23 | + |
| 24 | +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. |
| 25 | + |
| 26 | +The instructions in this blog use the Azure Command Line Interface (CLI). View this guide to [get started with Azure CLI](https://docs.microsoft.com/cli/azure/get-started-with-azure-cli?view=azure-cli-latest). |
| 27 | + |
| 28 | +*Tip: an easy & quick way to get started on Azure CLI is with [Bash in Azure Cloud Shell](https://docs.microsoft.com/azure/cloud-shell/quickstart)* |
| 29 | + |
| 30 | +Ensure that the front-door extension is added to your Azure CLI |
| 31 | + |
| 32 | +```azurecli-interactive |
| 33 | +az extension add --name front-door |
| 34 | +``` |
| 35 | + |
| 36 | +Note: For more details of the commands listed below, refer to the [Azure CLI reference for Front Door](https://docs.microsoft.com/cli/azure/ext/front-door/?view=azure-cli-latest). |
| 37 | + |
| 38 | +## Step 1: Create an Azure Front Door (AFD) resource |
| 39 | + |
| 40 | + |
| 41 | +```azurecli-interactive |
| 42 | +az network front-door create --backend-address <> --accepted-protocols <> --name <> --resource-group <> |
| 43 | +``` |
| 44 | + |
| 45 | +**--backend-address**: The backend address is the Fully Qualified Domain Name (FQDN) name of the application you want to protect. For example, myapplication.contoso.com |
| 46 | + |
| 47 | +**--accepted-protocols**: The accepted protocols specifies what all protocols you want AFD to support for your web application. An example would be --accepted-protocols Http Https. |
| 48 | + |
| 49 | +**--name**: Specify a name for your AFD resource |
| 50 | + |
| 51 | +**--resource-group**: The resource group you want to place this AFD resource in. To learn more about resource groups, visit manage resource groups in Azure |
| 52 | + |
| 53 | +In the response you get from successfully executing this command, look for the key "hostName" and note down its value to be used in a later step. The hostName is the DNS name of the AFD resource you had created |
| 54 | + |
| 55 | +## Step 2: Create an Azure WAF profile to use with Azure Front Door resources |
| 56 | + |
| 57 | +```azurecli-interactive |
| 58 | +az network front-door waf-policy create --name <> --resource-group <> --disabled false --mode Prevention |
| 59 | +``` |
| 60 | + |
| 61 | +--name Specify a name for your Azure WAF policy |
| 62 | + |
| 63 | +--resource-group The resource group you want to place this WAF resource in. |
| 64 | + |
| 65 | +The CLI code above will create a WAF policy that is enabled and is in the Prevention mode. |
| 66 | + |
| 67 | +Note: you may also want to create the WAF in Detection mode and observe how it is detecting & logging malicious requests (and not blocking) before deciding to change to Protection mode. |
| 68 | + |
| 69 | +In the response you get from successfully executing this command, look for the key "ID" and note down its value to be used in a later step. The ID field should be in the format |
| 70 | + |
| 71 | +/subscriptions/**subscription id**/resourcegroups/**resource group name**/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/**WAF policy name** |
| 72 | + |
| 73 | +## Step 3: Add managed rulesets to this WAF policy |
| 74 | + |
| 75 | +In a WAF policy, you can add managed rulesets that are a set of rules built and managed by Microsoft and gives out of the box protection against entire classes of threats. In this example, we are adding two such rulesets (1) Default ruleset that protects against common web threats and (2) Bot protection ruleset, which protects against malicious bots |
| 76 | + |
| 77 | +(1) Add the default ruleset |
| 78 | + |
| 79 | +```azurecli-interactive |
| 80 | +az network front-door waf-policy managed-rules add --policy-name <> --resource-group <> --type DefaultRuleSet --version 1.0 |
| 81 | +``` |
| 82 | + |
| 83 | +(2) Add the bot manager ruleset |
| 84 | + |
| 85 | +```azurecli-interactive |
| 86 | +az network front-door waf-policy managed-rules add --policy-name <> --resource-group <> --type Microsoft_BotManagerRuleSet --version 1.0 |
| 87 | +``` |
| 88 | + |
| 89 | +--policy-name The name you gave for your Azure WAF resource |
| 90 | + |
| 91 | +--resource-group The resource group you had placed this WAF resource in. |
| 92 | + |
| 93 | +## Step 4: Associate the WAF policy with the AFD resource |
| 94 | + |
| 95 | +In this step, we will be associating the WAF policy we have built with the AFD resource that is in front of your web application. |
| 96 | + |
| 97 | +```azurecli-interactive |
| 98 | +az network front-door update --name <> --resource-group <> --set frontendEndpoints[0].webApplicationFirewallPolicyLink='{"id":"<>"}' |
| 99 | +``` |
| 100 | + |
| 101 | +--name The name you had specified for your AFD resource |
| 102 | + |
| 103 | +--resource-group The resource group you had placed the Azure Front Door resource in. |
| 104 | + |
| 105 | +--set This is where you update the attribute WebApplicationFirewallPolicyLink for the frontendEndpoint associated with your AFD resource with the newly built WAF policy. The ID of the WAF policy can be found from the response you got from step #2 above |
| 106 | + |
| 107 | +Note: the above example is for the case where you are not using a custom domain, if you are |
| 108 | + |
| 109 | +If you are not using any custom domains to access your web applications, you can skip step #5. In that case, you will be providing to your end users the hostname you obtained in step #1 to navigate to your web application |
| 110 | + |
| 111 | +## Step 5: Configure custom domain for your web application |
| 112 | + |
| 113 | +Initially the custom domain name of your web application (the one that customers use to refer to your application, for example, www.contoso.com) was pointing towards the place where you had it running before AFD was introduced. After this change of architecture adding AFD+WAF to front the application, the DNS entry corresponding to that custom domain should now point to this AFD resource. This can be done by remapping this entry in your DNS server to the AFD hostname you had noted in step #1. |
| 114 | + |
| 115 | +Specific steps to update your DNS records will depend on your DNS service provider, but if you are using Azure DNS to host your DNS name, you can refer to the documentation for [steps do update a DNS record](https://docs.microsoft.com/azure/dns/dns-operations-recordsets-cli) and point to the AFD hostName. |
| 116 | + |
| 117 | +One key thing to note here is that, if you need your users to navigate to your website using the zone apex, for exmaple, contoso.com, you have to use Azure DNS and it's [ALIAS record type](https://docs.microsoft.com/azure/dns/dns-alias) to host your DNS name. |
| 118 | + |
| 119 | +In addition, you also need to update your AFD configuration to [add this custom domain](https://docs.microsoft.com/azure/frontdoor/front-door-custom-domain) to it so that AFD understands this mapping. |
| 120 | + |
| 121 | +Finally, if you are using a custom domain to reach your web application and want to enable the HTTPS protocol, you need to have the [certificates for your custom domain setup in AFD](https://docs.microsoft.com/azure/frontdoor/front-door-custom-domain-https). |
| 122 | + |
| 123 | +## Step 6: Lock down your web application |
| 124 | + |
| 125 | +One optional best practice to follow is to ensure that only AFD edges can communicate with your web application. This action will ensure that no one can bypass the AFD protections and access your applications directly. You can accomplish this lock down by visiting the [FAQ section of AFD](https://docs.microsoft.com/azure/frontdoor/front-door-faq) and referring to the question regarding locking down backends for access only by AFD. |
0 commit comments