Using Azure CDN + WAF with a single point of entry

Jayson Truong 21 Reputation points
2020-11-17T05:17:01.343+00:00

I have setup Azure WAF and pointed it to Azure CDN.

I cannot figure out how to make sure all traffic goes through the CDN.

When I was experimenting with Azure Front Door, in the network security groups, I can select service "Service" then "Azure Front Door Backend."

Is there something like this for CDN?

If there is not, what is stopping people from going around the WAF by hitting the server's IP address directly?

Thanks in advance.

Azure Content Delivery Network

2 answers

  1. TravisCragg-MSFT 5,681 Reputation points Microsoft Employee
    2020-11-18T23:53:10.277+00:00

    If my understanding of your environment is correct, then you have an Azure Front Door with WAF that points to an Azure CDN.

    Just so you know, Azure Front Door contains a basic CDN, and Azure CDN can have a WAF. Depending upon what you are trying to accomplish, you might be able to remove one of those services.

    To have your CDN only accept requests that route through your Azure Front Door, you can deny requests that do not come from Azure Front Door's IP ranges. Azure Front Door's IP ranges are found inside the general Azure Datacenter IP Ranges here. You can also deny the request if it does not contain one of the AFD-specific headers.

    Azure CDN can filter the requests using the standard rules engine.


  2. Jayson Truong 21 Reputation points
    2020-11-19T01:45:17.183+00:00

    Thanks for responding.

    I ended up finding Azure CDN's IP block and restricted it using security groups at the virtual machine level so that the Virtual Machine only accepts requests from the CDN's IP addresses.

    It seems to do the job.

    What I would love to see is the security group doing what it does for IP addresses (restrict by IP address) but with FQDNs or DNS names.
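Both approaches in this thread (the answer's "deny anything not from the edge IP ranges or missing the AFD header" and the reply's "NSG allowlist of the CDN's IP block") come down to two origin-side checks: is the source address inside the published ranges of the edge service, and does the request carry the Front Door ID header. The following is an added example, not code from the thread or from Microsoft: it parses a constructed sample in the shape of the Azure "Service Tags" JSON download (the `values[].name` / `properties.addressPrefixes` layout), using RFC 5737 / RFC 3849 documentation ranges rather than real Azure prefixes, and checks a request against both the `AzureFrontDoor.Backend` ranges and an assumed expected `X-Azure-FDID` value. The header name and the service-tag name are real; the prefixes and the Front Door ID are placeholders.

```python
"""Origin-side enforcement that a request arrived via Azure Front Door.

Two independent checks, both of which must pass:
  1. the source IP falls inside the published address prefixes of the
     edge service (the "AzureFrontDoor.Backend" service tag), and
  2. the request carries X-Azure-FDID with the expected Front Door ID,
     so being reachable from the shared Front Door fleet is not enough.
"""
import hmac
import ipaddress
import json

# Constructed sample in the shape of the Azure "Service Tags" JSON download.
# Prefixes are documentation ranges (RFC 5737 / RFC 3849), NOT real Azure ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "values": [
        {
            "name": "AzureFrontDoor.Backend",
            "properties": {
                "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"]
            },
        },
        {
            "name": "Storage",
            "properties": {"addressPrefixes": ["203.0.113.0/24"]},
        },
    ]
})

# Placeholder Front Door ID; in practice read your instance's ID from the portal.
EXPECTED_FDID = "00000000-0000-4000-8000-000000000000"


def load_prefixes(service_tags_json, tag_name):
    """Return the networks published for one service tag as ip_network objects."""
    doc = json.loads(service_tags_json)
    for entry in doc["values"]:
        if entry["name"] == tag_name:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag_name!r} not found")


def is_from_edge(source_ip, networks):
    """True if source_ip lies inside any of the given networks (v4 or v6)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks if net.version == addr.version)


def has_expected_fdid(headers, expected_fdid):
    """Case-insensitive header lookup with a constant-time comparison of the ID."""
    for name, value in headers.items():
        if name.lower() == "x-azure-fdid":
            return hmac.compare_digest(value.strip().encode(), expected_fdid.encode())
    return False


def allow_request(source_ip, headers, networks, expected_fdid):
    """Admit the request only when the source is an edge node AND it names our Front Door."""
    return is_from_edge(source_ip, networks) and has_expected_fdid(headers, expected_fdid)


if __name__ == "__main__":
    nets = load_prefixes(SAMPLE_SERVICE_TAGS, "AzureFrontDoor.Backend")
    for ip, hdrs in [
        ("192.0.2.10", {"X-Azure-FDID": EXPECTED_FDID}),   # via our Front Door
        ("192.0.2.10", {}),                                # edge IP, no header
        ("203.0.113.5", {"X-Azure-FDID": EXPECTED_FDID}),  # header spoofed, wrong source
    ]:
        print(ip, hdrs, "->", "allow" if allow_request(ip, hdrs, nets, EXPECTED_FDID) else "deny")
```

For the network layer itself, an NSG rule can use the service tag `AzureFrontDoor.Backend` directly as its source, which avoids hand-maintaining the IP block the reply above describes. The header check matters because Front Door's backend ranges are shared by every customer's Front Door: an IP allowlist alone still lets anyone who points their own Front Door at your origin reach it, and only the `X-Azure-FDID` comparison binds traffic to your instance.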