---
title: "Tutorial: Scale and protect a web app using Azure Front Door and Azure Web Application Firewall (WAF)"
description: Learn how to use Azure Web Application Firewall with Azure Front Door to scale and protect your web app.
author: halkazwini
ms.author: halkazwini
ms.service: azure-frontdoor
ms.topic: tutorial
ms.date: 11/18/2024
---
# Tutorial: Quickly scale and protect a web application using Azure Front Door and Azure Web Application Firewall (WAF)

**Applies to:** ✔️ Front Door (classic)

[!INCLUDE Azure Front Door (classic) retirement notice]
Web applications often experience traffic surges and malicious attacks, such as denial-of-service attacks. Azure Front Door with Azure WAF can help scale your application and protect it from such threats. This tutorial guides you through configuring Azure Front Door with Azure WAF for any web app, whether it runs inside or outside of Azure.
We use the Azure CLI for this tutorial. You can also use the Azure portal, Azure PowerShell, Azure Resource Manager, or Azure REST APIs.
In this tutorial, you learn to:

> [!div class="checklist"]
> - Create a Front Door.
> - Create an Azure WAF policy.
> - Configure rule sets for a WAF policy.
> - Associate a WAF policy with Front Door.
> - Configure a custom domain.
## Prerequisites

- An Azure account with an active subscription. Create an account for free.
- This tutorial uses the Azure CLI. Get started with the Azure CLI.

  > [!TIP]
  > An easy way to get started with the Azure CLI is using Bash in Azure Cloud Shell.

- Ensure the `front-door` extension is added to the Azure CLI:

  ```azurecli
  az extension add --name front-door
  ```

> [!NOTE]
> For more information about the commands used in this tutorial, see the Azure CLI reference for Front Door.
## Create an Azure Front Door resource

```azurecli
az network front-door create --backend-address <backend-address> --accepted-protocols <protocols> --name <name> --resource-group <resource-group>
```

- `--backend-address`: The fully qualified domain name (FQDN) of the application you want to protect, for example, `myapplication.contoso.com`.
- `--accepted-protocols`: Protocols supported by Azure Front Door, for example, `--accepted-protocols Http Https`.
- `--name`: The name of your Azure Front Door resource.
- `--resource-group`: The resource group for this Azure Front Door resource. Learn more about managing resource groups.

Note the `hostName` value from the response, as you need it later. The `hostName` is the DNS name of the Azure Front Door resource.
## Create an Azure WAF policy

```azurecli
az network front-door waf-policy create --name <name> --resource-group <resource-group> --disabled false --mode Prevention
```

- `--name`: The name of the new Azure WAF policy.
- `--resource-group`: The resource group for this WAF resource.

The previous command creates a WAF policy in prevention mode.

> [!NOTE]
> Consider creating the WAF policy in detection mode first to observe and log malicious requests without blocking them before switching to prevention mode.

Note the `ID` value from the response, as you need it later. The ID should be in this format:

```
/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/<WAF-policy-name>
```
## Configure rule sets for the WAF policy

Add the default rule set:

```azurecli
az network front-door waf-policy managed-rules add --policy-name <policy-name> --resource-group <resource-group> --type DefaultRuleSet --version 1.0
```

Add the bot protection rule set:

```azurecli
az network front-door waf-policy managed-rules add --policy-name <policy-name> --resource-group <resource-group> --type Microsoft_BotManagerRuleSet --version 1.0
```

- `--policy-name`: The name of your Azure WAF resource.
- `--resource-group`: The resource group for the WAF resource.
## Associate the WAF policy with Front Door

```azurecli
az network front-door update --name <name> --resource-group <resource-group> --set frontendEndpoints[0].webApplicationFirewallPolicyLink='{"id":"<ID>"}'
```

- `--name`: The name of your Azure Front Door resource.
- `--resource-group`: The resource group for the Azure Front Door resource.
- `--set`: Update the `WebApplicationFirewallPolicyLink` attribute for the `frontendEndpoint` with the new WAF policy ID.
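The steps so far (create the Front Door, create the WAF policy, add both managed rule sets, link the policy to the frontend endpoint) collected as one script. This is an added example, not the tutorial's or the Azure CLI's own code. The resource names, the subscription ID placeholder and the `DRY_RUN` switch are assumptions; the policy is created in detection mode, following the note above, and the `az network front-door waf-policy update` call that later switches it to prevention mode is not shown in the tutorial. With `DRY_RUN=1` (the default here) the script prints each `az` command instead of executing it, so the composed commands and the policy ID can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example: the Front Door + WAF tutorial steps as one script.
# DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 executes them.
set -eu

# Hypothetical values; replace with your own.
RG="${RG:-fd-waf-tutorial-rg}"
FD_NAME="${FD_NAME:-contoso-frontdoor}"
WAF_NAME="${WAF_NAME:-contoso-waf}"
BACKEND="${BACKEND:-myapplication.contoso.com}"
SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"  # placeholder
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode; otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Build the WAF policy resource ID in the format the tutorial shows
# (subscription, resource group, policy name).
waf_policy_id() {
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/%s' "$1" "$2" "$3"
}

# Build the JSON value expected by --set ...webApplicationFirewallPolicyLink.
waf_link_json() {
  printf '{"id":"%s"}' "$1"
}

# Step 1: create the Front Door in front of the backend FQDN, accepting Http and Https.
create_front_door() {
  run az network front-door create \
    --backend-address "$BACKEND" --accepted-protocols Http Https \
    --name "$FD_NAME" --resource-group "$RG"
}

# Read back the hostName (the DNS name customers or your CNAME will point at).
show_front_door_hostname() {
  run az network front-door show --name "$FD_NAME" --resource-group "$RG" \
    --query hostName -o tsv
}

# Step 2: create the policy in Detection mode so matches are logged, not blocked.
create_waf_policy() {
  run az network front-door waf-policy create \
    --name "$WAF_NAME" --resource-group "$RG" --disabled false --mode Detection
}

# Step 3: add the default rule set and the bot protection rule set.
add_managed_rules() {
  run az network front-door waf-policy managed-rules add \
    --policy-name "$WAF_NAME" --resource-group "$RG" --type DefaultRuleSet --version 1.0
  run az network front-door waf-policy managed-rules add \
    --policy-name "$WAF_NAME" --resource-group "$RG" --type Microsoft_BotManagerRuleSet --version 1.0
}

# Step 4: link the policy to the first frontend endpoint of the Front Door.
link_waf_to_front_door() {
  id="$(waf_policy_id "$SUBSCRIPTION" "$RG" "$WAF_NAME")"
  run az network front-door update --name "$FD_NAME" --resource-group "$RG" \
    --set "frontendEndpoints[0].webApplicationFirewallPolicyLink=$(waf_link_json "$id")"
}

# After reviewing the detection-mode logs, switch the policy to Prevention
# (waf-policy update is not shown on the tutorial page; assumed CLI subcommand).
enable_prevention() {
  run az network front-door waf-policy update \
    --name "$WAF_NAME" --resource-group "$RG" --mode Prevention
}

main() {
  run az extension add --name front-door
  create_front_door
  show_front_door_hostname
  create_waf_policy
  add_managed_rules
  link_waf_to_front_door
}

main
```

Run it once as-is to review the commands, then `DRY_RUN=0 ./deploy.sh` (the file name is an assumption) to create the resources; call `DRY_RUN=0 sh -c '. ./deploy.sh; enable_prevention'` only after the detection logs show no false positives against legitimate traffic.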
> [!NOTE]
> If you're not using a custom domain, you can skip the next section. Provide your customers with the `hostName` obtained when you created the Azure Front Door resource.

## Configure a custom domain

1. Update your DNS records to point the custom domain to the Azure Front Door `hostName`. Refer to your DNS service provider's documentation for specific steps. If you use Azure DNS, see update a DNS record.

   For zone apex domains (for example, `contoso.com`), use Azure DNS and its alias record type.

2. Update your Azure Front Door configuration to add the custom domain.

3. To enable HTTPS for your custom domain, set up certificates in Azure Front Door.
## Lock down your web application

Ensure only Azure Front Door edges can communicate with your web application. See How to lock down access to my backend to only Azure Front Door.
## Clean up resources

When no longer needed, delete the resource group, Front Door, and WAF policy:

```azurecli
az group delete --name <resource-group>
```

- `--name`: The name of the resource group for all resources used in this tutorial.
## Next steps

To troubleshoot your Front Door, see:

> [!div class="nextstepaction"]
> Troubleshooting common routing issues