Azure Front Door WAF: Web Application Firewall
Web Application Firewall on Azure Front Door protects web applications from common attacks. SQL injection, XSS, and OWASP top 10—blocked at the edge.
WAF Policy
```bash
# Create WAF policy
az network front-door waf-policy create \
  --name myWAFPolicy \
  --resource-group myRG \
  --mode Prevention \
  --sku Premium_AzureFrontDoor
```
Managed Rule Sets
```bash
# Add OWASP rule set
# (DRS 2.0 and later use anomaly scoring, so the rule set takes an action)
az network front-door waf-policy managed-rules add \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --type Microsoft_DefaultRuleSet \
  --version 2.1 \
  --action Block

# Add bot protection
az network front-door waf-policy managed-rules add \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --type Microsoft_BotManagerRuleSet \
  --version 1.0
```
Rule Set Categories
| Category | Examples of what is detected |
|---|---|
| SQL Injection | `SELECT * FROM`; `DROP TABLE` |
| XSS | `<script>alert(1)</script>` |
| Local File Inclusion | `../../../etc/passwd` |
| Remote Code Execution | Shell commands |
| Protocol Violations | Malformed requests |
| Bot Protection | Bad bots, crawlers |
Custom Rules
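```bash
# Block specific IPs
# "rule create" takes no match conditions: create the rule with --defer,
# then attach the condition with "rule match-condition add".
az network front-door waf-policy rule create \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --name BlockBadIPs \
  --priority 100 \
  --rule-type MatchRule \
  --action Block \
  --defer

az network front-door waf-policy rule match-condition add \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --name BlockBadIPs \
  --match-variable RemoteAddr \
  --operator IPMatch \
  --values "192.0.2.0/24" "198.51.100.0/24"
```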
Rate Limiting
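```bash
# Rate limit by IP
# The duration flag is --rate-limit-duration (in minutes).
az network front-door waf-policy rule create \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --name RateLimitByIP \
  --priority 200 \
  --rule-type RateLimitRule \
  --action Block \
  --rate-limit-threshold 1000 \
  --rate-limit-duration 1 \
  --defer

# Only requests whose URI contains /api/ count toward the limit
az network front-door waf-policy rule match-condition add \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --name RateLimitByIP \
  --match-variable RequestUri \
  --operator Contains \
  --values "/api/"
```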
Geo-Filtering
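```bash
# Block specific countries
az network front-door waf-policy rule create \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --name GeoBlock \
  --priority 300 \
  --rule-type MatchRule \
  --action Block \
  --defer

# SocketAddr is the source address of the connection that reaches the WAF
az network front-door waf-policy rule match-condition add \
  --policy-name myWAFPolicy \
  --resource-group myRG \
  --name GeoBlock \
  --match-variable SocketAddr \
  --operator GeoMatch \
  --values CN RU KP
```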
Rule Exclusions
```json
{
  "exclusions": [
    {
      "matchVariable": "RequestHeaderNames",
      "selectorMatchOperator": "Equals",
      "selector": "x-custom-header"
    },
    {
      "matchVariable": "RequestBodyPostArgNames",
      "selectorMatchOperator": "StartsWith",
      "selector": "ignore_"
    }
  ]
}
```
Associate with Front Door
```bash
# Link WAF policy to Front Door endpoint
az afd security-policy create \
  --profile-name myFrontDoor \
  --resource-group myRG \
  --security-policy-name mySecurityPolicy \
  --domains /subscriptions/.../afdEndpoints/myEndpoint \
  --waf-policy /subscriptions/.../FrontDoorWebApplicationFirewallPolicies/myWAFPolicy
```
Monitoring and Logs
```kusto
// WAF logs query
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog"
| where action_s == "Block"
| project
    TimeGenerated,
    clientIP_s,
    requestUri_s,
    ruleName_s,
    details_msg_s
| order by TimeGenerated desc
| take 100
```
Detection vs Prevention
```bash
# Detection mode (log only)
az network front-door waf-policy update \
  --name myWAFPolicy \
  --resource-group myRG \
  --mode Detection

# Prevention mode (block attacks)
az network front-door waf-policy update \
  --name myWAFPolicy \
  --resource-group myRG \
  --mode Prevention
```
Best Practices
- Start in Detection mode
- Analyze logs for false positives
- Create exclusions as needed
- Switch to Prevention mode
- Monitor continuously
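
The tuning loop in the list above (Detection mode, log analysis, exclusions), as an added example that is not from the original post: it groups WAF log records by rule and matched field and emits exclusion candidates in the format shown under Rule Exclusions. The record layout, the prefix mapping and the distinct-client threshold are assumptions modeled on the Front Door WAF log schema; the sample records are constructed.

```python
import json
from collections import defaultdict

# Assumed mapping: log "matchVariableName" prefix -> exclusion "matchVariable".
PREFIX_TO_EXCLUSION = {
    "HeaderValue": "RequestHeaderNames",
    "CookieValue": "RequestCookieNames",
    "QueryParamValue": "QueryStringArgNames",
    "PostParamValue": "RequestBodyPostArgNames",
}

# Constructed sample records (one JSON object per line), not real traffic.
SAMPLE_LOG = """\
{"properties": {"clientIP": "203.0.113.10", "ruleName": "Microsoft_DefaultRuleSet-2.1-SQLI-942430", "action": "Log", "details": {"matches": [{"matchVariableName": "PostParamValue:ignore_notes", "matchVariableValue": "it's on sale -- 10% off"}]}}}
{"properties": {"clientIP": "203.0.113.27", "ruleName": "Microsoft_DefaultRuleSet-2.1-SQLI-942430", "action": "Log", "details": {"matches": [{"matchVariableName": "PostParamValue:ignore_notes", "matchVariableValue": "call me (after 5) -- thanks!"}]}}}
{"properties": {"clientIP": "198.51.100.4", "ruleName": "Microsoft_DefaultRuleSet-2.1-SQLI-942430", "action": "Log", "details": {"matches": [{"matchVariableName": "PostParamValue:ignore_notes", "matchVariableValue": "size: 10 x 20; colour: red"}]}}}
{"properties": {"clientIP": "198.51.100.99", "ruleName": "Microsoft_DefaultRuleSet-2.1-SQLI-942100", "action": "Log", "details": {"matches": [{"matchVariableName": "QueryParamValue:id", "matchVariableValue": "1 OR 1=1"}]}}}
"""

def exclusion_candidates(lines, min_clients=3):
    """Return exclusion entries for (rule, field) pairs hit by >= min_clients distinct IPs."""
    clients = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        props = json.loads(line).get("properties", {})
        for m in props.get("details", {}).get("matches", []):
            prefix, _, selector = m.get("matchVariableName", "").partition(":")
            if prefix in PREFIX_TO_EXCLUSION and selector:
                clients[(props.get("ruleName", ""), prefix, selector)].add(props.get("clientIP"))
    out = []
    for (rule, prefix, selector), ips in sorted(clients.items()):
        if len(ips) >= min_clients:  # one noisy client is more likely an attack than a false positive
            out.append({"rule": rule, "distinctClients": len(ips),
                        "exclusion": {"matchVariable": PREFIX_TO_EXCLUSION[prefix],
                                      "selectorMatchOperator": "Equals",
                                      "selector": selector}})
    return out

if __name__ == "__main__":
    print(json.dumps(exclusion_candidates(SAMPLE_LOG.splitlines()), indent=2))
```

A field that many unrelated clients trip is a candidate, not a verdict: review the logged values before adding the exclusion, and scope it to the rule that fired.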
Front Door WAF: your first line of defense.