Hi there
In this article we will be configuring Azure Front Door with a Web Application Firewall (WAF) policy to block unauthorized access per Region (Geo-filtering).
Azure Front Door Service enables you to define, manage, and monitor the global routing for your web traffic by optimizing for best performance and instant global failover for high availability.
Prerequisites
- For this article we used one VM (IaaS), size Standard DS1 v2 (1 vCPU, 3.5 GiB memory), running the default IIS site with a static Public IP address
- Take note of the following:
- VM DNS Name (each IaaS VM has a DNS Name)
- You need access to your own DNS service to make the required CNAME changes
Azure Front Door will replace direct http/https access to the site(s) running on the Windows Server VM, protecting them from unauthorized access with WAF.
Setup Azure Front Door Service
- Create the Azure Front Door resource on Azure
- Add a frontend host for Front Door
- Add application backend and backend pools
- Add a routing rule
How to set up a geo-filtering WAF policy for your Front Door
This feature allows you to block traffic from specific Countries / Regions, e.g. you want your application to be accessed only from Canada and the U.S.A. and blocked from Brazil
- go to the Azure Front Door you created, select the “Web application firewall” blade and check whether there is any policy in there
- go to the Azure Marketplace and search for “Web Application Firewall (WAF)”
- create a new one
- at policy for:
- at subscription:
- at Resource Group:
- under instance details
- policy name:
- policy state: leave default (Enabled)
- after your WAF is created go to its resource and select custom rules blade
- click on “+ add custom rule”
- give a name at custom rule name:
- leave status and rule type at the default options (Enabled and Match)
- set priority to 1 (it can’t be blank)
- under conditions
- Match type: Geo-location
- Match variable: RemoteAddr
- Operation: select is
- Country code: pick all countries you want to block (those countries won’t be able to reach site1.thebeier.com or site2.thebeier.com)
- leave the default action as Deny traffic
- click Add and hit SAVE on the next screen (the main screen for Custom Rules)
DNS changes
- Add a CNAME record pointing your site URL to the Azure Front Door Frontend Host
- Go to your DNS service management portal
- add a CNAME for site1 under your domain thebeier.com (full name site1.thebeier.com) pointing to the Azure Front Door Frontend Host URL (leave the TTL low to speed up your test)
Network Security Group
- Make changes to the VM Network Security Group
- this is how you block ANY ANY (Internet to VM) http/https access and allow inbound http/https only from the Azure Front Door service tag on the Azure NSG (Network Security Group); without this step the WAF can be bypassed by going straight to the VM's public IP
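The WAF custom rule from the section above and the NSG change from this section, as an added PowerShell (Az.FrontDoor / Az.Network) example that is not from the original post; the resource group, policy and NSG names and the country list are assumptions, and the script needs Connect-AzAccount first:

```powershell
# Added example (not from the original post): geo-filtering WAF custom rule plus the
# NSG rules that allow web traffic only from Azure Front Door.
# Assumed names: resource group "rg-frontdoor", WAF policy "geoBlockPolicy", NSG "vm1-nsg".
# Requires: Install-Module Az.FrontDoor, Az.Network ; Connect-AzAccount

$rg      = "rg-frontdoor"     # assumption
$policy  = "geoBlockPolicy"   # assumption (Front Door WAF policy names are alphanumeric only)
$nsgName = "vm1-nsg"          # assumption: the NSG attached to the IIS VM's NIC or subnet
$blocked = @("BR")            # ISO 3166 country codes to deny; add more codes as needed

# 1. Condition: the client IP (RemoteAddr) geo-matches any of the blocked countries.
#    This is "Match type: Geo-location / Match variable: RemoteAddr / Operation: is" in the portal.
$geoCond = New-AzFrontDoorWafMatchConditionObject `
    -MatchVariable RemoteAddr -OperatorProperty GeoMatch -MatchValue $blocked

# 2. Custom rule: Match rule, priority 1, action Block ("Deny traffic" in the portal).
$geoRule = New-AzFrontDoorWafCustomRuleObject `
    -Name "BlockCountries" -RuleType MatchRule -MatchCondition $geoCond `
    -Action Block -Priority 1

# 3. WAF policy in Prevention mode, so the Block action is enforced and not only logged.
New-AzFrontDoorWafPolicy -Name $policy -ResourceGroupName $rg `
    -Customrule $geoRule -EnabledState Enabled -Mode Prevention

# 4. NSG: allow 80/443 only from the AzureFrontDoor.Backend service tag and deny them from
#    the Internet. Any existing Allow rule for 80/443 must have a higher priority number
#    than 110 (or be removed), otherwise it still wins and the WAF can be bypassed.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-FrontDoor-Web" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix "AzureFrontDoor.Backend" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 80,443 | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny-Internet-Web" -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 80,443 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

The new policy still has to be associated with the Front Door frontend host (the “Web application firewall” blade on the Front Door resource) before it filters any traffic. Verify the NSG afterwards with Get-AzNetworkSecurityGroup to confirm no older Allow rule for 80/443 sits at a lower priority number than the deny.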

Testing Azure Front Door and WAF policies
- Try to access your site from Canada and U.S.A. (result expected: access allowed)
- I’m located in Toronto so I can reach site1.thebeier.com from my host (or vm on my laptop)
- Try to access your site from Brazil (result expected: access denied)
- create a VM on Azure IaaS located in Brazil to run this test, or ask anyone you know who is in Brazil to access site1.thebeier.com
References
Azure Front Door https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq
WAF https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
Thanks,