| title | Configure WAF custom rules and the Default Rule Set for Azure Front Door |
|---|---|
| description | Learn how to configure a web application firewall (WAF) policy that consists of custom and managed rules for an existing Azure Front Door endpoint. |
| author | halkazwini |
| ms.author | halkazwini |
| ms.service | azure-web-application-firewall |
| ms.topic | how-to |
| ms.date | 09/05/2019 |
| ms.custom | devx-track-azurepowershell |
A web application firewall (WAF) policy defines the inspections that are required when a request arrives at Azure Front Door.
This article shows how to configure a WAF policy that consists of some custom rules and has the Azure-managed Default Rule Set enabled.
If you don't have an Azure subscription, create a free account before you begin.
Before you begin to set up a WAF policy, set up your PowerShell environment and create an Azure Front Door profile.
Azure PowerShell provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources.
You can install Azure PowerShell on your local machine and use it in any PowerShell session. Follow the instructions on the page to sign in with your Azure credentials. Then install the Az PowerShell module.

```powershell
Connect-AzAccount
```
Before you install the Azure Front Door module, make sure you have the current version of PowerShellGet installed. Run the following command and reopen PowerShell.

```powershell
Install-Module PowerShellGet -Force -AllowClobber
```

Then install the Az.FrontDoor module.

```powershell
Install-Module -Name Az.FrontDoor
```
Create an Azure Front Door profile by following the instructions described in Quickstart: Create an Azure Front Door profile.
The following example shows how to configure a custom rule with two match conditions by using New-AzFrontDoorWafMatchConditionObject. The rule allows requests that come from a specified site, as identified by the Referer header, and whose query string doesn't contain password. The second condition is negated so that it matches only when the string is absent.

```powershell
$referer = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestHeader -OperatorProperty Equal -Selector "Referer" -MatchValue "www.mytrustedsites.com/referpage.html"
# NegateCondition inverts the match: the condition is true when the query string does not contain "password".
$password = New-AzFrontDoorWafMatchConditionObject -MatchVariable QueryString -OperatorProperty Contains -MatchValue "password" -NegateCondition $true
$AllowFromTrustedSites = New-AzFrontDoorWafCustomRuleObject -Name "AllowFromTrustedSites" -RuleType MatchRule -MatchCondition $referer,$password -Action Allow -Priority 1
```
Create a rule that blocks the PUT method by using New-AzFrontDoorWafCustomRuleObject.

```powershell
$put = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestMethod -OperatorProperty Equal -MatchValue PUT
$BlockPUT = New-AzFrontDoorWafCustomRuleObject -Name "BlockPUT" -RuleType MatchRule -MatchCondition $put -Action Block -Priority 2
```
The following example creates a rule that blocks requests whose URL is 100 characters or longer (the operator is GreaterThanOrEqual) by using Azure PowerShell.

```powershell
$url = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestUri -OperatorProperty GreaterThanOrEqual -MatchValue 100
$URLOver100 = New-AzFrontDoorWafCustomRuleObject -Name "URLOver100" -RuleType MatchRule -MatchCondition $url -Action Block -Priority 3
```
The following example creates a managed Default Rule Set by using Azure PowerShell.

```powershell
$managedRules = New-AzFrontDoorWafManagedRuleObject -Type DefaultRuleSet -Version 1.0
```
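Enabling the rule set with every rule at its default action is the starting point; in practice you tune it. The following script is added here as an illustration and is not part of the original article. It lists the managed rule set definitions available to the subscription and then builds a Default Rule Set object in which one rule is switched to Log so it can be observed before it is allowed to block. The rule group name SQLI and rule ID 942100 are assumptions based on the OWASP CRS numbering the Default Rule Set follows; confirm both against the definitions output before applying.

```powershell
# Added example, not code from the original article: enable the Default Rule Set
# with one rule overridden to Log so it can be observed before it blocks.

# List the managed rule set definitions available to the subscription. The
# output shows the rule groups and rule IDs that overrides may refer to.
Get-AzFrontDoorWafManagedRuleSetDefinition | Format-List

# Override a single rule. The group name "SQLI" and rule ID "942100" are
# assumptions taken from the OWASP CRS numbering the Default Rule Set follows;
# check both against the listing above before applying.
$logSqli942100 = New-AzFrontDoorWafManagedRuleOverrideObject -RuleId "942100" -Action Log
$sqliOverrides = New-AzFrontDoorWafRuleGroupOverrideObject -RuleGroupName "SQLI" -ManagedRuleOverride $logSqli942100

# Build the managed rule object with the override attached. Every other rule
# keeps its default state and action.
$managedRules = New-AzFrontDoorWafManagedRuleObject -Type DefaultRuleSet -Version 1.0 -RuleGroupOverride $sqliOverrides

# A rule can also be disabled outright with -Disabled. Keep such overrides few
# and documented, because each one removes a piece of the managed coverage.
# $disabledRule = New-AzFrontDoorWafManagedRuleOverrideObject -RuleId "<RuleId>" -Disabled
```

The resulting $managedRules object is passed to New-AzFrontDoorWafPolicy in the same way as the unmodified one; overrides travel inside the managed rule object, not as separate policy settings.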
Find the name of the resource group that contains the Azure Front Door profile by using Get-AzResourceGroup. Next, configure a security policy with the rules created in the previous steps by using New-AzFrontDoorWafPolicy in that resource group.

```powershell
# Set these to the WAF policy name you want and the resource group that
# contains the Azure Front Door profile.
$policyName = "<YourWafPolicyName>"
$resourceGroupName = "<YourResourceGroupName>"

$myWAFPolicy=New-AzFrontDoorWafPolicy -Name $policyName -ResourceGroupName $resourceGroupName -Customrule $AllowFromTrustedSites,$BlockPUT,$URLOver100 -ManagedRule $managedRules -EnabledState Enabled -Mode Prevention
```
Link the security policy object to an existing Azure Front Door front-end host and update the Azure Front Door properties. First, retrieve the Azure Front Door object by using Get-AzFrontDoor.
Next, set the front-end WebApplicationFirewallPolicyLink property to the resource ID of the $myWAFPolicy object created in the previous step by using Set-AzFrontDoor.
Note: For Azure Front Door Standard and Premium, you should use Get-AzFrontDoorCdnProfile.
The following example uses the resource group name myResourceGroupFD1 with the assumption that you've created the Azure Front Door profile by using the instructions in Quickstart: Create an Azure Front Door profile. Also, in the following example, replace $frontDoorName with the name of your Azure Front Door profile.

```powershell
$FrontDoorObjectExample = Get-AzFrontDoor `
    -ResourceGroupName myResourceGroupFD1 `
    -Name $frontDoorName
$FrontDoorObjectExample[0].FrontendEndpoints[0].WebApplicationFirewallPolicyLink = $myWAFPolicy.Id
Set-AzFrontDoor -InputObject $FrontDoorObjectExample[0]
```
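Putting the steps together, the following script is added here as an example and is not taken from the article. It runs the whole procedure in the order a practitioner would prefer: the query-string condition normalizes its input before matching, the method rule is an allow-list rather than a single blocked verb, the policy is created in Detection mode, the front-end link is verified by reading the profile back after Set-AzFrontDoor, and only then is the mode switched to Prevention with Update-AzFrontDoorWafPolicy. Resource names are placeholders; the cmdlets and parameters are those of the Az.FrontDoor module.

```powershell
# Added example, not the article's own code: build, attach and verify a WAF
# policy for an Azure Front Door (classic) profile, starting in Detection mode.

# Placeholders: replace with your own values. The policy name must be
# alphanumeric (no hyphens).
$resourceGroupName = "<your-resource-group>"
$frontDoorName     = "<your-front-door-profile>"
$policyName        = "FrontDoorWafPolicyExample"

# Normalize before matching. Without the transforms, "PASSWORD" or a
# URL-encoded "pass%77ord" would slip past a plain Contains "password".
# NegateCondition makes the condition true when the token is absent.
$noPasswordInQuery = New-AzFrontDoorWafMatchConditionObject -MatchVariable QueryString `
    -OperatorProperty Contains -MatchValue "password" -Transform Lowercase, UrlDecode -NegateCondition $true

# Referer is set by the client, so an Allow keyed on it is a convenience for
# known traffic, not an authentication control; keep its conditions narrow.
$fromTrustedSite = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestHeader `
    -OperatorProperty Equal -Selector "Referer" -MatchValue "www.mytrustedsites.com/referpage.html"
$allowFromTrustedSites = New-AzFrontDoorWafCustomRuleObject -Name "AllowFromTrustedSites" -RuleType MatchRule `
    -MatchCondition $fromTrustedSite, $noPasswordInQuery -Action Allow -Priority 1

# Allow-list methods instead of blocking one: any method that is not GET, HEAD
# or POST is blocked, which covers PUT, DELETE, TRACE and anything unexpected.
$unexpectedMethod = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestMethod `
    -OperatorProperty Equal -MatchValue GET, HEAD, POST -NegateCondition $true
$blockUnexpectedMethods = New-AzFrontDoorWafCustomRuleObject -Name "BlockUnexpectedMethods" -RuleType MatchRule `
    -MatchCondition $unexpectedMethod -Action Block -Priority 2

# Managed Default Rule Set with all rules at their defaults.
$managedRules = New-AzFrontDoorWafManagedRuleObject -Type DefaultRuleSet -Version 1.0

# Create the policy in Detection mode: matches are logged but nothing is
# blocked, so false positives surface in the WAF logs before they cost traffic.
$policy = New-AzFrontDoorWafPolicy -Name $policyName -ResourceGroupName $resourceGroupName `
    -Customrule $allowFromTrustedSites, $blockUnexpectedMethods -ManagedRule $managedRules `
    -EnabledState Enabled -Mode Detection

# Link the policy to the first front-end host of the profile.
$frontDoor = Get-AzFrontDoor -ResourceGroupName $resourceGroupName -Name $frontDoorName
$frontDoor[0].FrontendEndpoints[0].WebApplicationFirewallPolicyLink = $policy.Id
Set-AzFrontDoor -InputObject $frontDoor[0]

# Verify the link by reading the profile back rather than trusting the local object.
$linked = Get-AzFrontDoor -ResourceGroupName $resourceGroupName -Name $frontDoorName
if ($linked[0].FrontendEndpoints[0].WebApplicationFirewallPolicyLink -ne $policy.Id) {
    throw "Front-end host is not linked to WAF policy $($policy.Id)"
}

# After reviewing the detections, switch the same policy to Prevention. The
# front-end link does not need to be touched again.
Update-AzFrontDoorWafPolicy -ResourceGroupName $resourceGroupName -Name $policyName -Mode Prevention
```

Running in Detection mode first is what makes the final Update-AzFrontDoorWafPolicy call safe: by the time the mode changes, the WAF logs have already shown which custom and managed rules fire on real traffic.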
Note: You only need to set the WebApplicationFirewallPolicyLink property once to link a security policy to an Azure Front Door front end. Subsequent policy updates are automatically applied to the front end.
- Learn more about Azure Front Door.
- Learn more about Azure Web Application Firewall on Azure Front Door.