Set up a geo-filtering WAF policy for Azure Front Door
This tutorial shows how to use Azure PowerShell to create a sample geo-filtering policy and associate the policy with your existing Azure Front Door front-end host. This sample geo-filtering policy blocks requests from all other countries or regions except the United States.
If you don't have an Azure subscription, create a free account now.
Before you begin to set up a geo-filter policy, set up your PowerShell environment and create an Azure Front Door profile.
Set up your PowerShell environment
Azure PowerShell provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources.
You can install Azure PowerShell on your local machine and use it in any PowerShell session. Follow the instructions on the page to sign in with your Azure credentials. Then install the Az PowerShell module.
Connect to Azure with an interactive dialog for sign-in
Install-Module -Name Az Connect-AzAccount
Make sure you have the current version of PowerShellGet installed. Run the following command and reopen PowerShell.
Install-Module PowerShellGet -Force -AllowClobber
Install the Az.FrontDoor module
Install-Module -Name Az.FrontDoor
Create an Azure Front Door profile
Create an Azure Front Door profile by following the instructions described in Quickstart: Create an Azure Front Door profile.
Define a geo-filtering match condition
Create a sample match condition that selects requests not coming from "US" by using New-AzFrontDoorWafMatchConditionObject on parameters when you create a match condition.
Two-letter country or region codes to country or region mapping are provided in What is geo-filtering on a domain for Azure Front Door?.
$nonUSGeoMatchCondition = New-AzFrontDoorWafMatchConditionObject ` -MatchVariable SocketAddr ` -OperatorProperty GeoMatch ` -NegateCondition $true ` -MatchValue "US"
Add a geo-filtering match condition to a rule with an action and a priority
nonUSBlockRule based on the match condition, an action, and a priority by using New-AzFrontDoorWafCustomRuleObject. A custom rule can have multiple match conditions. In this example,
Action is set to
Priority is set to
1, which is the highest priority.
$nonUSBlockRule = New-AzFrontDoorWafCustomRuleObject ` -Name "geoFilterRule" ` -RuleType MatchRule ` -MatchCondition $nonUSGeoMatchCondition ` -Action Block ` -Priority 1
Add rules to a policy
Find the name of the resource group that contains the Azure Front Door profile by using
Get-AzResourceGroup. Next, create a
geoPolicy object that contains
nonUSBlockRule by using New-AzFrontDoorWafPolicy in the specified resource group that contains the Azure Front Door profile. You must provide a unique name for the geo policy.
The following example uses the resource group name
myResourceGroupFD1 with the assumption that you've created the Azure Front Door profile by using instructions provided in Quickstart: Create an Azure Front Door. In the following example, replace the policy name
geoPolicyAllowUSOnly with a unique policy name.
$geoPolicy = New-AzFrontDoorWafPolicy ` -Name "geoPolicyAllowUSOnly" ` -resourceGroupName myResourceGroupFD1 ` -Customrule $nonUSBlockRule ` -Mode Prevention ` -EnabledState Enabled
Link a WAF policy to an Azure Front Door front-end host
Link the WAF policy object to the existing Azure Front Door front-end host. Update Azure Front Door properties.
To do so, first retrieve your Azure Front Door object by using Get-AzFrontDoor.
$geoFrontDoorObjectExample = Get-AzFrontDoor -ResourceGroupName myResourceGroupFD1 $geoFrontDoorObjectExample.FrontendEndpoints.WebApplicationFirewallPolicyLink = $geoPolicy.Id
Next, set the front-end
WebApplicationFirewallPolicyLink property to the resource ID of the geo policy by using Set-AzFrontDoor.
Set-AzFrontDoor -InputObject $geoFrontDoorObjectExample
You only need to set the
WebApplicationFirewallPolicyLink property once to link a WAF policy to an Azure Front Door front-end host. Subsequent policy updates are automatically applied to the front-end host.