Azure Front Door Premium combines a global CDN with a fully managed Web Application Firewall (WAF). In the aftermath of Log4Shell, proper WAF configuration is no longer optional—it is a fundamental security control. In this comprehensive guide, I will walk through deploying Azure Front Door Premium with an enterprise-grade WAF policy, including managed rulesets, custom rules, rate limiting, and Bot Manager integration.
Architecture Overview
Azure Front Door operates at the edge, with Points of Presence (PoPs) distributed globally. Traffic flows through Microsoft’s global network before reaching your origin servers, providing both acceleration and protection.
```mermaid
flowchart LR
    Client["Global Users"] --> POP["Azure Front Door PoP"]
    POP --> WAF["WAF Policy"]
    WAF --> Cache["CDN Cache"]
    Cache --> Origin["Origin (App Service / AKS)"]
    style WAF fill:#FFCDD2,stroke:#C62828
    style POP fill:#E1F5FE,stroke:#0277BD
```
Deploying with Bicep
Infrastructure as Code is essential for security configuration. Here is a complete Bicep template for Azure Front Door Premium with WAF:
```bicep
param frontDoorName string = 'myapp-fd'
param wafPolicyName string = 'myapp-waf'

// WAF policy: Premium SKU is required for the Bot Manager ruleset
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: wafPolicyName
  location: 'global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention' // Block attacks, don't just detect
      requestBodyCheck: 'Enabled'
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
    customRules: {
      rules: [
        {
          // Lower priority value = evaluated first
          name: 'BlockHighRiskCountries'
          priority: 100
          ruleType: 'MatchRule'
          matchConditions: [
            {
              matchVariable: 'RemoteAddr'
              operator: 'GeoMatch'
              matchValue: ['XX', 'YY'] // Country codes
            }
          ]
          action: 'Block'
        }
        {
          // Per-client-IP rate limit on API paths: 1000 requests per minute
          name: 'RateLimitPerIP'
          priority: 200
          ruleType: 'RateLimitRule'
          rateLimitThreshold: 1000
          rateLimitDurationInMinutes: 1
          matchConditions: [
            {
              matchVariable: 'RequestUri'
              operator: 'Contains'
              matchValue: ['/api/']
            }
          ]
          action: 'Block'
        }
      ]
    }
  }
}

// Front Door profile (Premium SKU, matching the WAF policy SKU)
resource frontDoor 'Microsoft.Cdn/profiles@2022-11-01-preview' = {
  name: frontDoorName
  location: 'global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
}

// Security policy: attaches the WAF policy to the profile's domains
resource securityPolicy 'Microsoft.Cdn/profiles/securityPolicies@2022-11-01-preview' = {
  parent: frontDoor
  name: 'security-policy'
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: {
        id: wafPolicy.id
      }
      associations: [
        {
          domains: [
            // Reference your custom domains here
          ]
          patternsToMatch: ['/*']
        }
      ]
    }
  }
}
```
Managed Ruleset Deep Dive
Microsoft_DefaultRuleSet 2.1
This ruleset covers OWASP Top 10 vulnerabilities:
- SQL Injection: Detects SQLi patterns in query strings and body
- XSS: Blocks script injection attempts
- LFI/RFI: Prevents file inclusion attacks
- RCE: Blocks command injection, including Log4Shell patterns
- Protocol Violations: Enforces HTTP standards
Bot Manager
The Bot Manager ruleset classifies bots into categories:
- Good Bots: Search engines, monitoring services (allowed)
- Unknown Bots: Scrapers, automation tools (challenge with CAPTCHA)
- Bad Bots: Known attack tools, DDoS sources (blocked)
Monitoring and Tuning
WAF rules can generate false positives. Use Azure Monitor to analyze blocked requests:
```kusto
// Front Door Standard/Premium writes WAF events under the
// FrontDoorWebApplicationFirewallLog category of AzureDiagnostics
AzureDiagnostics
| where ResourceType == "FRONTDOORS" and Category == "FrontDoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize count() by ruleName_s, requestUri_s
| order by count_ desc
```
If a legitimate request is being blocked, create an exclusion rule for that specific rule ID and path.
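The following is an added example of what such a tuning change looks like in Bicep; it is not code from the original post. It takes the WAF policy above and adds a rule-level exclusion to the DRS 2.1 managed ruleset, which is the narrowest scope Front Door offers: Front Door WAF exclusions key on request attribute names (header, cookie, query-string argument, or body argument), so the path-specific false positive is narrowed by rule ID plus the field that triggers it. The rule ID (942100, the libinjection SQLi rule in the SQLI group), the excluded body field name `comment`, and the `wafMode` parameter are assumptions for illustration; in practice the rule ID comes from the `ruleName_s` column of the query above.

```bicep
// Added example, not from the original post: WAF policy with a rule-level
// managed rule exclusion. Rule ID, field name and parameter names are assumed.
param wafPolicyName string = 'myapp-waf'

// Start in Detection, switch to Prevention once exclusions are tuned
@allowed(['Detection', 'Prevention'])
param wafMode string = 'Detection'

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: wafPolicyName
  location: 'global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: wafMode
      requestBodyCheck: 'Enabled'
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleGroupOverrides: [
            {
              ruleGroupName: 'SQLI'
              rules: [
                {
                  // Assumed false positive: a free-text "comment" form field
                  // trips the SQLi rule. The rule stays enabled with its
                  // default anomaly-scoring action for every other field;
                  // only this one body argument is skipped, and only by
                  // this rule, not by the whole group or ruleset.
                  ruleId: '942100'
                  enabledState: 'Enabled'
                  exclusions: [
                    {
                      matchVariable: 'RequestBodyPostArgNames'
                      selectorMatchOperator: 'Equals'
                      selector: 'comment'
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
  }
}

output wafPolicyId string = wafPolicy.id
```

Deploy with `wafMode=Detection` first and re-run the blocked-request query against the new logs; once the only remaining hits for the rule are genuine attacks, redeploy with `wafMode=Prevention`. Prefer this rule-plus-field scope over disabling the rule or placing the exclusion at the ruleset level, since either of those removes SQLi coverage for every request.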
Key Takeaways
- Deploy WAF in Prevention mode after initial tuning in Detection mode
- Use Microsoft_DefaultRuleSet 2.1 for OWASP coverage
- Enable Bot Manager to reduce scraping and DDoS impact
- Implement rate limiting for API endpoints
- Monitor blocked requests and tune exclusions