Azure Front Door - Firewall - Custom Rule

Question

Azure Front Door - Firewall - Custom Rule

Nick Capito 0

I'm working on setting up a custom rule to block some requests. Everything I read online is that i should be able to create this rule as follows:

User's image

However it doesn't work unless i fully qualify it..

Looking for someone to confirm that we have to fully qualify to match on requesturi?

Sai Prasanna Sinde 5,795 Reputation points Microsoft External Staff Moderator

2025-05-12T05:02:49.33+00:00

Hi @Nick Capito

Could you review my previous response and let us know if it was helpful? If you have any further questions, please leave a comment so we can address them.
Nick Capito 0 Reputation points

2025-05-12T13:23:02.59+00:00

@Sai Prasanna Sinde thank you for the response and confirming. It would be great if the documentation reflected this and when sites use multiple custom domains it makes adding custom rules nearly impossible. Not having the ability to target a relative path is a pain. I had to switch to contains but that isn't a very scalable solution for us because we use 20+ domains.
Sai Prasanna Sinde 5,795 Reputation points Microsoft External Staff Moderator

2025-05-13T05:29:40.74+00:00

Hi @Nick Capito

To achieve relative path matching across multiple domains in Azure Front Door WAF is often by using the Regex (Regular Expression) operator with the RequestUri variable. You can craft a regex pattern that specifically targets the path segment you care about, regardless of the preceding domain name.

While it's true Azure Front Door WAF doesn't offer a simple RequestPath variable, using the RequestUri variable with the Regex operator and a carefully crafted pattern is the standard and most effective way to implement relative path matching that works consistently across multiple custom domains. It provides the precision that Contains often lacks. Please try to test thoroughly in Detection mode first.

If you wish, you can submit feedback directly in the Azure feedback forum regarding this feature based on your requirements.

Your feedback is important so please take a moment to Accept answers.

If you still have questions, please let us know what is needed in the comments so the question can be answered.

Thank you for helping to improve Microsoft Q&A!

1 answer

Your answer

Sai Prasanna Sinde 5,795 Reputation points Microsoft External Staff Moderator

2025-05-12T05:02:49.33+00:00

Hi @Nick Capito

Could you review my previous response and let us know if it was helpful? If you have any further questions, please leave a comment so we can address them.
Nick Capito 0 Reputation points

2025-05-12T13:23:02.59+00:00

@Sai Prasanna Sinde thank you for the response and confirming. It would be great if the documentation reflected this and when sites use multiple custom domains it makes adding custom rules nearly impossible. Not having the ability to target a relative path is a pain. I had to switch to contains but that isn't a very scalable solution for us because we use 20+ domains.
Sai Prasanna Sinde 5,795 Reputation points Microsoft External Staff Moderator

2025-05-13T05:29:40.74+00:00

Hi @Nick Capito

To achieve relative path matching across multiple domains in Azure Front Door WAF is often by using the Regex (Regular Expression) operator with the RequestUri variable. You can craft a regex pattern that specifically targets the path segment you care about, regardless of the preceding domain name.

While it's true Azure Front Door WAF doesn't offer a simple RequestPath variable, using the RequestUri variable with the Regex operator and a carefully crafted pattern is the standard and most effective way to implement relative path matching that works consistently across multiple custom domains. It provides the precision that Contains often lacks. Please try to test thoroughly in Detection mode first.

If you wish, you can submit feedback directly in the Azure feedback forum regarding this feature based on your requirements.

Your feedback is important so please take a moment to Accept answers.

If you still have questions, please let us know what is needed in the comments so the question can be answered.

Thank you for helping to improve Microsoft Q&A!

Answer 1

Hi @Nick Capito

As per our understanding Azure Front Door WAF custom rules evaluate the RequestUri match variable, which comprehensively includes the full URI: scheme, FQDN, port, path, and any query string parameters.

A FQDN is required for matching, or if partial paths are sufficient, is resolved by understanding the pivotal role of match operators.

The FQDN is always present in the RequestUri string that the WAF engine evaluates.
However, the match_values specified in a custom rule do not need to contain the FQDN if an appropriate operator supporting partial or substring matching is utilized. These operators allow for effective matching on partial paths or other URI segments.
Conversely, if the Equals operator is used, the match values must precisely mirror the entire RequestUri, including the FQDN, scheme, path, and query string, for a match to occur.

Carefully choose the match operator (Equals, Contains, BeginsWith, EndsWith, Regex) that precisely reflects the intended matching logic for the specific part of the URI being targeted.

Be aware of any string transforms (Lowercase, Urldecode) applied to the RequestUri variable, as they alter the string before matching occurs. Ensure match values are consistent with the transformed string.

Understand and meticulously plan rule priorities, especially when Allow and Block actions for overlapping URI patterns are involved, as rule processing order and termination are critical.

Always test new or modified rules in Detection mode before enabling Prevention mode to avoid unintended consequences on legitimate traffic.

Leverage Azure Front Door WAF logs, particularly the requestUris field, to verify rule behavior and troubleshoot any discrepancies.

NOTE: Please try to give the operator as "Equals" and give the match value as "https://malicous.com/testblock" and repro the issue once.

Please refer the below documents for more information:

Kindly let us know if the above helps or you need further assistance on this issue.

Share via

Azure Front Door - Firewall - Custom Rule

1 answer

Your answer