Configuring Azure Front Door’s WAF Policy Using PowerShell

ThreatIntelligenceLab.com

Azure Front Door is a globally distributed entry point for web applications, and its Web Application Firewall (WAF) policy is where most of the request-filtering decisions for those applications are made.

Let’s dive into how to configure Azure Front Door’s WAF policy using PowerShell [1], focusing on bot protection, exclusion lists, custom response codes, IP restrictions, data masking, rate limiting, and geo-filtering. The cmdlets used throughout come from the Az.FrontDoor module: WAF settings are built as objects with the New-AzFrontDoorWaf*Object cmdlets and then applied to the policy with New-AzFrontDoorWafPolicy or Update-AzFrontDoorWafPolicy.

What is Azure Front Door?

Azure Front Door is a cloud-based, globally distributed service that provides high availability, accelerated content delivery, and advanced threat protection for your web applications. It functions as a modern Content Delivery Network (CDN) and global load balancer.

Here are its key features:

  • Global Load Balancing: Distributes incoming traffic across multiple backend services to ensure high availability and reliability.
  • Web Application Firewall (WAF): Inspects requests at the edge and blocks common web attacks such as SQL injection and cross-site scripting (XSS) through managed rule sets; custom rules add IP, geographic and rate-limit controls against application-layer floods and abuse. Network-layer (L3/L4) DDoS protection comes from the Front Door platform itself, not from the WAF policy.
  • TLS Termination: Terminates TLS at the edge, taking the handshake load off backend servers. The edge-to-origin leg is a separate connection, so configure HTTPS to the origin if that traffic must stay encrypted.
  • URL-based Routing: Directs traffic based on URL paths, enabling granular control over traffic distribution.

Azure Front Door is designed to optimize performance and security, making it an essential tool for any organization with web applications.

Integrating Azure Front Door with Actionable Threat Intelligence

Integrating actionable threat intelligence with Azure Front Door can significantly enhance its ability to block unwanted requests and protect against emerging threats. Here’s how you can achieve this:

Leverage Threat Intelligence Feeds

To start, subscribe to threat intelligence feeds from reputable sources. These feeds provide real-time information on known malicious IP addresses, domains, and URLs.

You can integrate these feeds into Azure Front Door by:

  • Custom Rules in WAF: Put IP indicators into custom rules that match RemoteAddr or SocketAddr with the IPMatch operator and the Block action; one match condition can carry a list of addresses or CIDR ranges, so a feed becomes a handful of rules rather than one rule per address. Domain and URL indicators only help at this layer where they appear in the request itself (for example in the Referer header or the request path), because the WAF never sees the client’s DNS activity. Refresh the rules on the feed’s cadence and expire entries the feed has dropped, or the block list only ever grows.
  • IP Reputation Blocking: Use an IP reputation service to block or rate-limit traffic from addresses with a recent history of malicious activity. Treat the reputation score as an input to a Block or Log rule rather than a verdict, since shared hosting and carrier-grade NAT put many legitimate users behind a single address.

Automated Threat Intelligence Integration

Automate the integration of threat intelligence with Azure Front Door to ensure your defenses are always up-to-date.

This can be done by:

  • Security Information and Event Management (SIEM) Systems: Export the WAF logs (the FrontDoorWebApplicationFirewallLog category, enabled through a diagnostic setting on the Front Door) to your SIEM, correlate them with your threat intelligence, and let the SIEM’s automation (a playbook or scheduled job running these cmdlets) push the resulting rule changes back to the policy.
  • API Integration: Pull indicators from your provider’s API on a schedule, validate and de-duplicate them, and apply them to the policy with Update-AzFrontDoorWafPolicy (or the equivalent REST call) from a service principal that holds only the rights needed to edit that policy.
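The feed-to-rules step in PowerShell, as an added example (this is not code from the original post): a constructed indicator feed is validated, de-duplicated, chunked to the documented limit of 600 IP ranges per match condition and turned into Block rules with the Az.FrontDoor object cmdlets, then merged with the policy’s hand-written rules. The one-entry-per-line feed format, the /16 minimum prefix guard, the rule name prefix and the starting priority of 100 are assumptions for this example; adapt them to your feed and policy.

```powershell
# Added example (not from the original post): turn an IP-indicator feed into Front Door WAF
# block rules. Assumptions: one IPv4 address or CIDR per line with '#' comments (adapt the
# parser to your feed), a /16 floor on prefix length as a sanity guard, the rule name prefix,
# the starting priority, and the documented limit of 600 IP ranges per match condition.

# Constructed sample feed; in production this is the body of an Invoke-RestMethod call.
$feedText = @"
# indicator feed - constructed for this example
198.51.100.0/24
203.0.113.7
203.0.113.7          # duplicate, dropped
0.0.0.0/0            # poisoned entry: would block every client
300.1.1.1            # not an address
198.51.100.0/24      # duplicate, dropped
"@

function Get-ValidCidrList {
    param([string]$Text, [int]$MinPrefixLength = 16)
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($raw in $Text -split "`r?`n") {
        $line = ($raw -split '#')[0].Trim()          # strip comments and whitespace
        if (-not $line) { continue }
        $parts = $line -split '/'
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) { continue }
        if ($ip.AddressFamily -ne 'InterNetwork') { continue }   # IPv4 only in this example
        $prefix = 32
        if ($parts.Count -gt 1 -and -not [int]::TryParse($parts[1], [ref]$prefix)) { continue }
        # Reject over-broad prefixes: a feed entry must never be able to take the site down.
        if ($prefix -lt $MinPrefixLength -or $prefix -gt 32) { continue }
        [void]$seen.Add("$($ip.IPAddressToString)/$prefix")
    }
    return @($seen)
}

function New-WafBlockRulesFromFeed {
    param([string[]]$Cidrs, [string]$NamePrefix = 'ThreatFeedBlock',
          [int]$StartPriority = 100, [int]$ChunkSize = 600)
    $rules = @()
    for ($i = 0; $i -lt $Cidrs.Count; $i += $ChunkSize) {
        $last  = [Math]::Min($i + $ChunkSize, $Cidrs.Count) - 1
        $match = New-AzFrontDoorWafMatchConditionObject -MatchVariable "RemoteAddr" `
                     -OperatorProperty "IPMatch" -MatchValue $Cidrs[$i..$last]
        $rules += New-AzFrontDoorWafCustomRuleObject -Name "$NamePrefix$($rules.Count)" `
                     -RuleType "MatchRule" -MatchCondition $match -Action "Block" `
                     -Priority ($StartPriority + $rules.Count)
    }
    return $rules
}

$cidrs = Get-ValidCidrList -Text $feedText        # 198.51.100.0/24 and 203.0.113.7/32 survive

# Merge: keep hand-written rules, replace only the feed-derived ones, then write the full list
# back, because -Customrule replaces the whole custom rule set on every call.
$policy  = Get-AzFrontDoorWafPolicy -ResourceGroupName "YourResourceGroup" -Name "YourWafPolicyName"
$kept    = @($policy.CustomRules | Where-Object { $_.Name -notlike 'ThreatFeedBlock*' })
$updated = $kept + @(New-WafBlockRulesFromFeed -Cidrs $cidrs)
Update-AzFrontDoorWafPolicy -ResourceGroupName "YourResourceGroup" -Name "YourWafPolicyName" -Customrule $updated
```

Run the final Update-AzFrontDoorWafPolicy with -WhatIf on the first pass. The prefix floor and the parse check exist because a compromised or mistaken feed (the 0.0.0.0/0 line in the sample) would otherwise become a self-inflicted outage, and priorities from 100 upward keep hand-written rules, such as an allow list at priority 1, ahead of anything the feed contributes; priorities must be unique within a policy, so pick a range your other rules do not use.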

Prerequisites

Before we begin, ensure you have:

  • An active Azure subscription.
  • The Az PowerShell module installed; the cmdlets below are in Az.FrontDoor, and Front Door Standard/Premium profiles are managed with Az.Cdn.
  • An Azure Front Door instance deployed, and an account with rights to create and edit Microsoft.Network/frontDoorWebApplicationFirewallPolicies resources in its resource group (Contributor on the resource group is sufficient).

Step 1: Configure WAF Policy

First, create the WAF policy itself. The policy is the container for everything that follows (managed rule sets, custom rules, the block response, log settings) and is what you later attach to a Front Door frontend. Setting -Mode to “Prevention” makes the WAF block matching requests rather than only logging them. On a site that has not run behind this WAF before, create it in “Detection” mode first, review the FrontDoorWebApplicationFirewallLog entries for false positives, then switch to “Prevention” with Update-AzFrontDoorWafPolicy. Two details of the cmdlet matter here: it has no -Location parameter (WAF policies are global resources), and -Sku must match the tier of the Front Door you will attach the policy to (Classic_AzureFrontDoor, Standard_AzureFrontDoor or Premium_AzureFrontDoor; the Bot Manager rule set used in Step 2 needs Premium).

Log in to your Azure account

Connect-AzAccount

Create a WAF policy

$wafPolicy = New-AzFrontDoorWafPolicy -ResourceGroupName "YourResourceGroup" -Name "YourWafPolicyName" -Sku "Premium_AzureFrontDoor" -EnabledState "Enabled" -Mode "Prevention"

Step 2: Configure Bot Protection

Next, let’s enable bot protection [2] to block or log requests from known malicious bots.

Bot protection is crucial for blocking or logging requests from known malicious bots. These bots can perform various attacks, including scraping data, launching application-layer DDoS attacks, and probing for vulnerabilities. By enabling bot protection, you can automatically filter out these harmful requests.

In Azure Front Door WAF, bot protection is a managed rule set (Microsoft_BotManagerRuleSet) rather than a policy switch, so there is no -BotProtection parameter and no Set-AzFrontDoorWafPolicy cmdlet; you build the rule set object and pass it to the policy with Update-AzFrontDoorWafPolicy. By default the rule set blocks requests classified as bad bots, allows good bots (verified search engine crawlers and similar) and logs unknown bots. The rule set requires the Premium tier; Front Door Standard has no managed rule sets at all, and for Front Door (classic) check the bot protection documentation [2] for what your tier accepts. Note that -ManagedRule replaces the policy’s whole managed rule list, so pass the Default Rule Set and the Bot Manager set together in one array if you want both active.

Enable bot protection on the WAF policy

$botRuleSet = New-AzFrontDoorWafManagedRuleObject -Type "Microsoft_BotManagerRuleSet" -Version "1.0"
Update-AzFrontDoorWafPolicy -ResourceGroupName "YourResourceGroup" -Name "YourWafPolicyName" -ManagedRule $botRuleSet

Step 3: Configure Exclusion Lists

We can exclude specific request fields [3] from being inspected by the managed rules.

Exclusions stop a particular request element (a header, cookie, query-string argument or body field, identified by its name) from being evaluated by the managed rule set. That is how you remove a recurring false positive, for example a cookie or JSON field whose legitimate content looks like an injection payload. Exclusions are not an allow list for trusted senders: an exclusion matches the field name, not its value, so excluding the User-Agent header would leave the User-Agent of every request uninspected, trusted or not. To exempt known sources, use a custom rule with the Allow action (Step 5). Keep exclusions as narrow as possible: attach them to a single rule through New-AzFrontDoorWafManagedRuleOverrideObject where you can, and apply them to the whole rule set, as below, only when the false positive spans many rules. As in Step 2, -ManagedRule replaces the list, so include the bot rule set in the same array to keep it.

Add an exclusion rule

$exclusion = New-AzFrontDoorWafManagedRuleExclusionObject -Variable "RequestHeaderNames" -Operator "Equals" -Selector "YourHeaderName"
$defaultRuleSet = New-AzFrontDoorWafManagedRuleObject -Type "Microsoft_DefaultRuleSet" -Version "2.1" -Action "Block" -Exclusion $exclusion
Update-AzFrontDoorWafPolicy -ResourceGroupName "YourResourceGroup" -Name "YourWafPolicyName" -ManagedRule $defaultRuleSet

Step 4: Configure Custom Response Code

Set a custom response for blocked requests so clients and support staff get a consistent, informative answer.

The custom block response is a policy-wide setting: it applies to every block, whether a managed or a custom rule caused it, and is not configured per rule. The supported status codes are 200, 403, 405, 406 and 429, and the body is supplied Base64-encoded. Keep the body generic (a short message, perhaps a support contact) and do not echo which rule fired or what input tripped it; that detail belongs in the WAF log, where each blocked request carries a tracking reference you can correlate against. To change what an individual managed rule does, use a rule override (New-AzFrontDoorWafManagedRuleOverrideObject -RuleId ... -Action ...) inside a New-AzFrontDoorWafRuleGroupOverrideObject; the override sets the action (Allow, Block, Log, Redirect), not the status code.

Set the custom block response for the policy

$body = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("Request blocked by security policy."))
Update-AzFrontDoorWafPolicy -ResourceGroupName "YourResourceGroup" -Name "YourWafPolicyName" -CustomBlockResponseStatusCode 403 -CustomBlockResponseBody $body

Step 5: Configure IP Restrictions

You can allow or block specific IP addresses with custom rules.

Custom rules are evaluated in priority order (lowest number first) before the managed rule sets, and the first rule whose action is Allow or Block ends evaluation. Two consequences matter. An Allow rule exempts the matching clients from every later rule, managed rules included, so an allow list is also a WAF bypass for those addresses and should cover only ranges you control. And an Allow rule on its own restricts nothing, because non-matching requests simply continue to the next rule; to admit only a trusted range (for an admin interface, say), block everything that does not match it by adding -NegateCondition $true to the IPMatch condition. The Front Door documentation describes RemoteAddr as the original client IP (normally the value also conveyed in X-Forwarded-For) and SocketAddr as the source address the WAF sees on the connection, which is a proxy’s address when the client sits behind one. The private ranges below are placeholders and would never appear as public clients at the edge. Update-AzFrontDoorWafPolicy -Customrule replaces the entire custom rule list, so pass every rule you want to keep in one array.

Allow specific IP ranges

$allowedIPs = New-AzFrontDoorWafMatchConditionObject -MatchVariable "RemoteAddr" -OperatorProperty "IPMatch" -MatchValue @("192.168.1.1/32")
$allowRule = New-AzFrontDoorWafCustomRuleObject -Name "AllowSpecificIPs" -RuleType "MatchRule" -MatchCondition $allowedIPs -Action "Allow" -Priority 1

Block specific IP ranges

$blockedIPs = New-AzFrontDoorWafMatchConditionObject -MatchVariable "RemoteAddr" -OperatorProperty "IPMatch" -MatchValue @("10.0.0.0/24")
$blockRule = New-AzFrontDoorWafCustomRuleObject -Name "BlockSpecificIPs" -RuleType "MatchRule" -MatchCondition $blockedIPs -Action "Block" -Priority 2
Update-AzFrontDoorWafPolicy -ResourceGroupName "YourResourceGroup" -Name "YourWafPolicyName" -Customrule @($allowRule, $blockRule)

Step 6: Mask Sensitive Data

Mask sensitive data in the WAF logs to prevent exposure of credentials and identifiers.

Masking sensitive [4] data (Front Door calls the feature sensitive data protection, or log scrubbing) replaces the value of the selected request fields with a mask in the WAF log entries, so authentication tokens, session cookies and personal identifiers do not end up in Log Analytics, your SIEM or an exported archive.

This is crucial for compliance with data protection regulations and for limiting what an attacker learns from a leaked log store. Two caveats: scrubbing changes only what the WAF writes to its own logs, not the request that reaches the origin or the origin’s logs, and it is a policy setting rather than a custom rule; there is no Mask action. The scrubbing cmdlets were added to Az.FrontDoor later than the others used here, so run Get-Command New-AzFrontDoorWafLogScrubbingRuleObject and update the module if it is missing. Supported match variables include RequestHeaderNames, RequestCookieNames, QueryStringArgNames, RequestBodyPostArgNames, RequestBodyJsonArgNames, RequestIPAddress and RequestUri.

Enable data masking for specified fields

$scrubRule = New-AzFrontDoorWafLogScrubbingRuleObject -MatchVariable "RequestHeaderNames" -SelectorMatchOperator "Equals" -Selector "Authorization" -State "Enabled"
$scrubbing = New-AzFrontDoorWafLogScrubbingSettingObject -State "Enabled" -ScrubbingRule $scrubRule
Update-AzFrontDoorWafPolicy -ResourceGroupName "YourResourceGroup" -Name "YourWafPolicyName" -LogScrubbingSetting $scrubbing

Step 7: Configure Rate Limit

Limit the number of requests a single client can make within a time window to prevent abuse.

Rate limiting is essential for blunting brute force, credential stuffing and aggressive scraping, which degrade your application long before they look like an outage. A rate limit rule is a custom rule of type RateLimitRule: the match condition selects which requests are counted, the count is tracked per client IP address, and once the threshold is exceeded within the duration (1 or 5 minutes) the action applies to further matching requests from that client for the rest of the window. Because Front Door is a distributed edge, the count is approximate rather than exact, so set the threshold with a margin above legitimate peak traffic and verify the rule with the Log action or in Detection mode first. A condition on RequestUri containing “/” counts every request; narrow it to login or search paths for tighter limits. Add the resulting rule to the same -Customrule array as the rules from Step 5, since that parameter replaces the whole list.

Add a rate limit rule

$anyPath = New-AzFrontDoorWafMatchConditionObject -MatchVariable "RequestUri" -OperatorProperty "Contains" -MatchValue "/"
$rateLimitRule = New-AzFrontDoorWafCustomRuleObject -Name "RateLimit" -RuleType "RateLimitRule" -MatchCondition $anyPath -Action "Block" -Priority 4 -RateLimitThreshold 1000 -RateLimitDurationInMinutes 1

Step 8: Configure Geo-Filtering WAF Policy

Block or allow traffic based on the client’s geographic location to mitigate region-specific threats.

Geo-filtering is a custom rule whose match condition uses the GeoMatch operator on SocketAddr or RemoteAddr with a list of two-letter country codes; each code is a separate match value, not one comma-separated string. The Front Door documentation lists ZZ for addresses not yet mapped to a country, so decide explicitly whether such traffic should be blocked or allowed, and remember that geolocation is a coarse signal that VPNs and hosting providers routinely defeat. The rule goes into the same -Customrule array as the other custom rules.

Add a geo-filtering rule to block traffic from specific countries

$geoCondition = New-AzFrontDoorWafMatchConditionObject -MatchVariable "SocketAddr" -OperatorProperty "GeoMatch" -MatchValue @("US", "CA")
$geoRule = New-AzFrontDoorWafCustomRuleObject -Name "GeoFilter" -RuleType "MatchRule" -MatchCondition $geoCondition -Action "Block" -Priority 5

Finalizing the Configuration

After setting up your WAF policy, associate it with your Front Door instance. For Front Door (classic), the link is a property of each frontend endpoint rather than a parameter of Set-AzFrontDoor (there is no -WafPolicyId), so you read the profile, set WebApplicationFirewallPolicyLink on every endpoint that should be protected and write the profile back. Front Door Standard and Premium profiles live in the Az.Cdn module, where the association is a security policy (New-AzFrontDoorCdnSecurityPolicy) instead.

Get your Front Door instance

$frontDoor = Get-AzFrontDoor -ResourceGroupName "YourResourceGroup" -Name "YourFrontDoorName"

Update Front Door with the WAF policy

foreach ($endpoint in $frontDoor[0].FrontendEndpoints) { $endpoint.WebApplicationFirewallPolicyLink = $wafPolicy.Id }
Set-AzFrontDoor -InputObject $frontDoor[0]

Once the update completes, confirm the link with Get-AzFrontDoor and test the policy end to end: send a request that a managed rule should catch (a basic XSS probe such as a <script> tag in a query-string parameter), expect your custom block response, and check that the FrontDoorWebApplicationFirewallLog entry records the rule and the action.
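Steps 1 to 8 as one script, the way you would actually run them: every object is built first and applied in a single New-AzFrontDoorWafPolicy call, because -ManagedRule and -Customrule each replace the full list on every call. This is an added example, not code from the original post. It targets a Front Door Premium profile (the Bot Manager rule set needs Premium), so the final attach step uses the Az.Cdn security-policy cmdlets from the Front Door Standard/Premium PowerShell quickstart rather than the classic frontend-endpoint link shown above; confirm those cmdlet names with Get-Command if your Az.Cdn version differs. All "Your..." names, the cookie, rule and rule-group placeholders, the trusted range and the country codes are substitutes for your own values.

```powershell
# Added example, not code from the original post: Steps 1-8 in one run against a Front Door
# Premium profile (Bot Manager needs Premium). Objects are built first and applied in a single
# New-AzFrontDoorWafPolicy call, because -ManagedRule and -Customrule always replace the full
# list, and New-AzFrontDoorWafPolicy overwrites an existing policy of the same name.
# Assumptions: all "Your..." names, the cookie/rule/rule-group placeholders, the trusted range
# and the country codes are substitutes for your own values.
Connect-AzAccount | Out-Null
$rg           = "YourResourceGroup"
$name         = "YourWafPolicyName"
$profileName  = "YourFrontDoorProfileName"   # Front Door Standard/Premium profile (Az.Cdn)
$endpointName = "YourEndpointName"

# Steps 2 and 3: managed rules. The exclusion is scoped to one DRS rule, not the whole set.
$exclusion = New-AzFrontDoorWafManagedRuleExclusionObject -Variable "RequestCookieNames" `
    -Operator "Equals" -Selector "YourCookieName"
$ruleOverride  = New-AzFrontDoorWafManagedRuleOverrideObject -RuleId "YourRuleId" -Exclusion $exclusion
$groupOverride = New-AzFrontDoorWafRuleGroupOverrideObject -RuleGroupName "YourRuleGroupName" `
    -ManagedRuleOverride $ruleOverride
$drs = New-AzFrontDoorWafManagedRuleObject -Type "Microsoft_DefaultRuleSet" -Version "2.1" `
    -Action "Block" -RuleGroupOverride $groupOverride
$bot = New-AzFrontDoorWafManagedRuleObject -Type "Microsoft_BotManagerRuleSet" -Version "1.0"

# Step 5 done as a real restriction: block every client that is NOT in the trusted range.
# (An Allow rule by itself restricts nothing; it only exempts its matches from later rules.)
$untrusted = New-AzFrontDoorWafMatchConditionObject -MatchVariable "RemoteAddr" `
    -OperatorProperty "IPMatch" -MatchValue @("192.168.1.1/32") -NegateCondition $true
$restrictRule = New-AzFrontDoorWafCustomRuleObject -Name "BlockUntrustedIPs" -RuleType "MatchRule" `
    -MatchCondition $untrusted -Action "Block" -Priority 1

# Step 8: geo block. ZZ covers addresses the geo database has not mapped to a country.
$geo = New-AzFrontDoorWafMatchConditionObject -MatchVariable "SocketAddr" `
    -OperatorProperty "GeoMatch" -MatchValue @("US", "CA", "ZZ")
$geoRule = New-AzFrontDoorWafCustomRuleObject -Name "GeoFilter" -RuleType "MatchRule" `
    -MatchCondition $geo -Action "Block" -Priority 5

# Step 7: 1000 requests per client IP per minute, counted across every path.
$anyPath = New-AzFrontDoorWafMatchConditionObject -MatchVariable "RequestUri" `
    -OperatorProperty "Contains" -MatchValue "/"
$rateRule = New-AzFrontDoorWafCustomRuleObject -Name "RateLimit" -RuleType "RateLimitRule" `
    -MatchCondition $anyPath -Action "Block" -Priority 10 `
    -RateLimitThreshold 1000 -RateLimitDurationInMinutes 1

# Step 6: keep bearer tokens out of the WAF logs.
$scrubRule = New-AzFrontDoorWafLogScrubbingRuleObject -MatchVariable "RequestHeaderNames" `
    -SelectorMatchOperator "Equals" -Selector "Authorization" -State "Enabled"
$scrubbing = New-AzFrontDoorWafLogScrubbingSettingObject -State "Enabled" -ScrubbingRule $scrubRule

# Step 4: generic block body; the rule that fired stays in the log, not in the response.
$blockBody = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("Request blocked by security policy."))

# Step 1 plus everything above in one call. Use -Mode "Detection" for the first run on a site
# that has never been behind this WAF, then switch to Prevention with Update-AzFrontDoorWafPolicy.
$policy = New-AzFrontDoorWafPolicy -ResourceGroupName $rg -Name $name `
    -Sku "Premium_AzureFrontDoor" -EnabledState "Enabled" -Mode "Prevention" `
    -ManagedRule @($drs, $bot) -Customrule @($restrictRule, $geoRule, $rateRule) `
    -CustomBlockResponseStatusCode 403 -CustomBlockResponseBody $blockBody `
    -LogScrubbingSetting $scrubbing

# Read back what Azure stored before attaching anything to production traffic.
$stored = Get-AzFrontDoorWafPolicy -ResourceGroupName $rg -Name $name
"Mode: {0}; managed rule sets: {1}; custom rules: {2}" -f $stored.PolicyMode, $stored.ManagedRules.Count, ($stored.CustomRules.Name -join ", ")

# Attach through a security policy on the Premium profile (Az.Cdn). For Front Door (classic)
# use the frontend-endpoint link shown in the Finalizing step instead.
$endpoint = Get-AzFrontDoorCdnEndpoint -ResourceGroupName $rg -ProfileName $profileName -EndpointName $endpointName
$association = New-AzFrontDoorCdnSecurityPolicyWebApplicationFirewallAssociationObject `
    -PatternsToMatch @("/*") -Domain @(New-AzFrontDoorCdnResourceReferenceObject -Id $endpoint.Id)
$wafParameters = New-AzFrontDoorCdnSecurityPolicyWebApplicationFirewallParametersObject `
    -Association $association -WafPolicyId $stored.Id
New-AzFrontDoorCdnSecurityPolicy -ResourceGroupName $rg -ProfileName $profileName `
    -Name "YourSecurityPolicyName" -Parameter $wafParameters
```

The order in the script is deliberate: the negated IP rule sits at priority 1 so nothing else is evaluated for untrusted clients, the geo and rate rules follow, and the managed rule sets run last for whatever survives the custom rules. The read-back between creation and attachment is the cheap check that catches a silently dropped rule set or a typo in a rule before it affects live traffic.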

Conclusion

Configuring Azure Front Door’s WAF policy using PowerShell can greatly enhance your web application’s security. By enabling features like bot protection, exclusion lists, custom response codes, IP restrictions, data masking, rate limiting, and geo-filtering, you can tailor your defenses to meet specific security needs.

I recommend regularly reviewing and updating your WAF policy to stay ahead of evolving threats. The best way to ensure robust protection is by staying informed and proactive in leveraging the full capabilities of Azure Front Door.

  [1] https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules-powershell
  [2] https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-policy-configure-bot-protection?pivots=portal
  [3] https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-exclusion-configure?pivots=portal
  [4] https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-sensitive-data-protection-configure-frontdoor