I am trying to implement Azure Front Door Premium with a Web Application Firewall connection. I am able to create the Front Door both manually and through Bicep. However, when I try to connect to a WAF through Bicep, I'm not sure if it completely works.

The Bicep resource for my WAF looks like:

resource profiles_gbt_nprod_sandbox_FrontDoorTest_name_AzureFDTest_ac196269 'Microsoft.Cdn/profiles/securitypolicies@2020-09-01' = {
  // the Front Door (Microsoft.Cdn) profile this security policy belongs to
  parent: profiles_gbt_nprod_sandbox_FrontDoorTest_name_resource
  name: 'AzureFDTest-ac196269'
  properties: {
    parameters: {
      // existing WAF policy, referenced by its resource id
      wafPolicy: {
        id: frontdoorwebapplicationfirewallpolicies_AzureFDTest_externalid
      }
      // endpoint(s) and path patterns the WAF policy is applied to
      associations: [
        {
          domains: [
            {
              id: profiles_gbt_nprod_sandbox_FrontDoorTest_name_TestFDEndpoint.id
            }
          ]
          patternsToMatch: [
            '/*'
          ]
        }
      ]
      type: 'WebApplicationFirewall'
    }
  }
}

To get: AzureFDTest-ac196269 I created the Front Door through Bicep, then manually connected the AzureFDTest policy and it generated this name.

When this is run, it looks like it connects to my Front Door in the Endpoint Manager: [screenshot: Endpoint Manager view]

But when I click on the AzureFDTest WAF policy it looks like: [screenshot: WAF policy view]

And AzureFDTest is not listed. If I were to manually connect the WAF, this drop-down menu would say AzureFDTest. Is this still working as expected, or is there an issue with the way I have the resource written?

Joy
agw2021
  • It may only be a UI issue. If you go to the Export template blade, does that look OK? – Thomas Aug 18 '21 at 05:55

1 Answer

You can connect an Azure Front Door Premium to a WAF in Bicep via a security policy as follows:

var frontdoorName = 'frontDoor'
var frontDoorSkuName = 'Premium_AzureFrontDoor'
var endpointName = 'endpoint'
var wafPolicyName = 'wafPolicy'
var securityPolicyName = 'securityPolicy'
param tags object

// Front Door CDN profile
resource profile 'Microsoft.Cdn/profiles@2020-09-01' = {
  name: frontdoorName
  location: 'global'
  sku: {
    name: frontDoorSkuName
  }
  tags: tags
}

// Azure Front Door endpoint
resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2020-09-01' = {
  parent: profile
  name: endpointName
  location: 'Global'
  tags: tags
  properties: {
    originResponseTimeoutSeconds: 60
    enabledState: 'Enabled'
  }
}

// WAF policy using Azure managed rule sets
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2020-11-01' = {
  name: wafPolicyName
  location: 'global'
  tags: tags
  sku: {
    name: frontDoorSkuName
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '1.1'
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
  }
}

// Security policy for Front Door which defines the WAF policy linking
resource securityPolicy 'Microsoft.Cdn/profiles/securityPolicies@2020-09-01' = {
  parent: profile
  name: securityPolicyName
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: {
        id: wafPolicy.id
      }
      associations: [
        {
          domains: [
            {
              id: endpoint.id
            }
          ]
          patternsToMatch: [
            '/*'
          ]
        }
      ]
    }
  }
}

There is also an azure-quickstart-template available for this scenario:

Front Door Premium with Web Application Firewall and Microsoft-managed rule sets

Sebastiano Schwarz
  • New link: https://learn.microsoft.com/en-us/samples/azure/azure-quickstart-templates/front-door-premium-waf-managed/ – ErikEJ Dec 30 '22 at 08:24
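The question is whether the security policy actually wires the WAF to the endpoint, and the portal view is not a reliable way to tell (Thomas's comment points at the exported template instead). The script below is an added example, not code from the question, the answer or Microsoft: it lints the `resources` array of the ARM JSON that `bicep build` emits (or any JSON of the same shape) for the three things that have to line up for the linkage to exist (a `securityPolicies` resource of type `WebApplicationFirewall`, a `wafPolicy.id` that points at a `FrontDoorWebApplicationFirewallPolicies` resource, and at least one association with domains and patterns), and additionally flags a WAF policy that is disabled, has no rules, or runs in `Detection` mode, which only logs and blocks nothing. The sample template in `build_sample` is constructed to mirror the answer's Bicep and is not real deployment output; the `mode` and `attach` switches exist only so the checks can be exercised.

```python
"""Lint the WAF wiring in a Front Door Premium (Microsoft.Cdn) ARM template.

Added example; not the question's, the answer's or Microsoft's code. Reads the
'resources' array of the JSON produced by `bicep build` (or any JSON with the
same shape) and reports anything that would leave the WAF unattached or in
log-only mode. The sample template is constructed, not real deployment output.
"""
import json
import sys

SECURITY_POLICY_TYPE = "microsoft.cdn/profiles/securitypolicies"
WAF_POLICY_TYPE = "microsoft.network/frontdoorwebapplicationfirewallpolicies"


def build_sample(mode="Prevention", attach=True):
    """Constructed ARM-style template mirroring the answer's resources.

    mode   - WAF policySettings.mode ('Prevention' or 'Detection')
    attach - whether the securityPolicies resource is present at all
    """
    waf_ref = "[resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', 'wafPolicy')]"
    endpoint_ref = "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', 'frontDoor', 'endpoint')]"
    resources = [
        {"type": "Microsoft.Cdn/profiles", "name": "frontDoor",
         "sku": {"name": "Premium_AzureFrontDoor"}},
        {"type": "Microsoft.Cdn/profiles/afdEndpoints", "name": "frontDoor/endpoint"},
        {"type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies",
         "name": "wafPolicy",
         "properties": {
             "policySettings": {"enabledState": "Enabled", "mode": mode},
             "managedRules": {"managedRuleSets": [
                 {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "1.1"}]}}},
    ]
    if attach:
        resources.append({
            "type": "Microsoft.Cdn/profiles/securityPolicies",
            "name": "frontDoor/securityPolicy",
            "properties": {"parameters": {
                "type": "WebApplicationFirewall",
                "wafPolicy": {"id": waf_ref},
                "associations": [{"domains": [{"id": endpoint_ref}],
                                  "patternsToMatch": ["/*"]}]}}})
    return json.dumps({"resources": resources})


def check_waf_wiring(template_json):
    """Return a list of findings; an empty list means the WAF is attached and enforcing."""
    resources = json.loads(template_json).get("resources", [])
    by_type = {}
    for res in resources:
        by_type.setdefault(res.get("type", "").lower(), []).append(res)
    findings = []

    # 1. The security policy is what links a WAF policy to an endpoint.
    sec_policies = by_type.get(SECURITY_POLICY_TYPE, [])
    if not sec_policies:
        findings.append("no securityPolicies resource: the WAF is not attached to any endpoint")
    for sp in sec_policies:
        name = sp.get("name", "<unnamed>")
        params = sp.get("properties", {}).get("parameters", {})
        if params.get("type") != "WebApplicationFirewall":
            findings.append(f"{name}: parameters.type must be 'WebApplicationFirewall'")
        waf_id = params.get("wafPolicy", {}).get("id", "")
        # Substring match works for a full resource id and for the
        # [resourceId(...)] expression that bicep build emits.
        if WAF_POLICY_TYPE.split("/")[-1] not in waf_id.lower():
            findings.append(f"{name}: wafPolicy.id does not reference a "
                            "FrontDoorWebApplicationFirewallPolicies resource")
        assocs = params.get("associations", [])
        if not any(a.get("domains") and a.get("patternsToMatch") for a in assocs):
            findings.append(f"{name}: needs at least one association with domains and patternsToMatch")

    # 2. A linked policy still protects nothing if it is disabled, empty, or log-only.
    for waf in by_type.get(WAF_POLICY_TYPE, []):
        name = waf.get("name", "<unnamed>")
        props = waf.get("properties", {})
        settings = props.get("policySettings", {})
        if settings.get("enabledState") != "Enabled":
            findings.append(f"{name}: policySettings.enabledState is not 'Enabled'")
        if settings.get("mode") != "Prevention":
            findings.append(f"{name}: mode is {settings.get('mode')!r}; only 'Prevention' blocks requests")
        managed = props.get("managedRules", {}).get("managedRuleSets", [])
        custom = props.get("customRules", {}).get("rules", [])
        if not managed and not custom:
            findings.append(f"{name}: no managed rule sets or custom rules, the policy enforces nothing")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python check_waf.py main.json  (output of `bicep build main.bicep`)
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_waf_wiring(fh.read()) or ["OK"])
    else:  # no file given: exercise the constructed samples
        for label, tpl in [("answer template", build_sample()),
                           ("detection mode", build_sample(mode="Detection")),
                           ("security policy missing", build_sample(attach=False))]:
            print(f"{label}: {check_waf_wiring(tpl) or ['OK']}")
```

Run `bicep build main.bicep` and pass the resulting `main.json` to the script; an empty finding list means the template carries the same wiring the answer's snippet does, regardless of what the portal's drop-down shows. The `Detection` check is deliberate: a WAF that is correctly attached but left in detection mode will show traffic in its logs and block none of it.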