Azure Front Door is a global OSI layer 7 service (Application Layer, i.e., HTTP/HTTPS) that provides reliability, resiliency, scalability, availability, and great performance to web-based services.

Three tiers are available in Azure Front Door: Standard, Premium, and Classic. For more details, see Feature comparison between tiers.

Comparing some key features between tiers

The Standard, Premium, and Classic tiers all support:

Some key features are only supported in the Standard and Premium tiers.

Azure Services that AFD Integrates

Azure Front Door integrates with several Azure services, i.e., DNS, Web Apps, Storage, Azure Monitor, Web Application Firewall, DevOps, etc.

Azure Front Door Demo

For demo purposes, I have deployed an Azure Front Door instance and two Web App services in different regions (West and North Europe).

Step 1. On the Compare offerings page, I select Custom create and click Continue to create a front door.

Step 2. On the Basics tab, enter the necessary values and click the button Next: Secrets > *

*This step requires no action. Move on to the next one.

Step 3. In the next step, type the name for the endpoint, i.e., {cloudopszone}

Info: Endpoint name is a globally unique name

Step 4. To configure the Web app origin, click the button + Add a route.

Then add the route to the endpoint configuration, type a name for the origin group, and add the two Azure Web Apps.

Step 5. The next step is to add a WAF policy to the Azure Front Door profile for one or more domains, as shown in the images below.

Step 6. To deploy the AFD profile, select Review + Create and then Create.

Info: Configurations should propagate to all edge locations within a few minutes following deployment.

Front Door WAF policy

Listed below are some settings for the Front Door WAF policy that can be updated.

Prevention modes

WAF policy has two modes, prevention and detection.

In prevention mode, the WAF performs the specified action if a match is found.

In detection mode, WAF monitors the web requests that are matched to WAF rules. In order to store these logs for a possible diagnosis, Log Diagnostics must be enabled.

Policy settings

Change the Block response body when the status code is 403, i.e., it should display “403 Forbidden”.

The error message that will appear on the page will be like the one in the image below.

For more details about WAF policy settings on Azure Front Door, please access this link: Policy settings for Web Application Firewall on Azure Front Door

Custom rules

Listed below are two custom rules that control access to the Web Apps based on defined conditions. One custom rule matches on the remote address (IP), and the other uses the String match type to match a specific query string.

The image below displays the two custom rules’ status and other useful details such as Action, Priority, Rule type, and Name.
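The policy settings and the two custom rules described above can also be written as code. The following Bicep is an added example, not part of the original walkthrough: the policy name, the tier, the Block action, the priorities, the IP range, and the query-string value are all constructed assumptions.

```bicep
// Added example, not from the original post. Names, IP range and query value are constructed.
param policyName string = 'demoWafPolicy' // hypothetical; letters and digits only
param wafMode string = 'Prevention' // 'Detection' monitors matches without acting

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: policyName
  location: 'Global'
  sku: { name: 'Standard_AzureFrontDoor' } // assumed tier
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: wafMode
      customBlockResponseStatusCode: 403
      customBlockResponseBody: base64('403 Forbidden') // body is sent base64-encoded
    }
    customRules: {
      rules: [
        {
          name: 'MatchRemoteAddress'
          priority: 100 // lower numbers are evaluated first
          ruleType: 'MatchRule'
          action: 'Block' // assumed action
          matchConditions: [
            {
              matchVariable: 'RemoteAddr'
              operator: 'IPMatch'
              matchValue: ['203.0.113.0/24'] // documentation range, placeholder
            }
          ]
        }
        {
          name: 'MatchQueryString'
          priority: 200
          ruleType: 'MatchRule'
          action: 'Block' // assumed action
          matchConditions: [
            {
              matchVariable: 'QueryString'
              operator: 'Contains'
              transforms: ['Lowercase', 'UrlDecode'] // normalize before matching
              matchValue: ['blockme'] // placeholder value
            }
          ]
        }
      ]
    }
  }
}
```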

