Configure Cloudflare Web Application Firewall with Microsoft Entra External ID

In this article, you learn how to configure Cloudflare Web Application Firewall (Cloudflare WAF) to protect your organization from attacks, such as distributed denial of service (DDoS), malicious bots, Open Worldwide Application Security Project (OWASP) Top-10 security risks, and others.

Prerequisites

To get started, you need:

Learn about tenants and securing apps for consumers and customers with Microsoft Entra External ID.

Scenario description

  • Microsoft Entra External ID tenant – The identity provider (IdP) and authorization server that verifies user credentials with custom policies defined for the tenant.
  • Azure Front Door (AFD) – Enables custom URL domains for Microsoft Entra External ID. Traffic to a custom URL domain passes through Cloudflare WAF first, then through AFD, and finally reaches the Microsoft Entra External ID tenant.
  • Cloudflare WAF – Security controls to protect traffic to the authorization server.

Enable custom URL domains

The first step is to enable custom domains with AFD. Use the instructions in Enable custom URL domains for apps in external tenants.

Create a Cloudflare account

  1. Go to Cloudflare.com/plans to create an account.
  2. To enable WAF, on the Application Services tab, select Pro.

Configure the Domain Name System (DNS)

Enable WAF for a domain.

  1. In the DNS console, for CNAME, enable the proxy setting.

    Screenshot of CNAME options.

  2. Under DNS, for Proxy status, select Proxied.

  3. The status turns orange.

    Screenshot of proxied status.

Note

Azure Front Door-managed certificates aren't automatically renewed if your custom domain’s CNAME record points to a DNS record other than the Azure Front Door endpoint’s domain (for example, when using a third-party DNS service like Cloudflare). To renew the certificate in such cases, follow the instructions in the Renew Azure Front Door-managed certificates article.

Cloudflare security controls

For optimal protection, we recommend you enable Cloudflare security controls.

DDoS protection

  1. Go to the Cloudflare dashboard.

  2. Expand the Security section.

  3. Select DDoS.

  4. A message appears.

    Screenshot of DDoS protection message.

Bot protection

  1. Go to the Cloudflare dashboard.

  2. Expand the Security section.

  3. Under Configure Super Bot Fight Mode, for Definitely automated, select Block.

  4. For Likely automated, select Managed Challenge.

  5. For Verified bots, select Allow.

    Screenshot of bot protection options.

Firewall rules: Traffic from the Tor network

We recommend you block traffic that originates from the Tor proxy network, unless your organization needs to support the traffic.

Note

If you can't block Tor traffic, select Interactive Challenge, not Block.

Block traffic from the Tor network

  1. Go to the Cloudflare dashboard.

  2. Expand the Security section.

  3. Select WAF.

  4. Select Create rule.

  5. For Rule name, enter a relevant name.

  6. For If incoming requests match, for Field, select Continent.

  7. For Operator, select equals.

  8. For Value, select Tor.

  9. For Then take action, select Block.

  10. For Place at, select First.

  11. Select Deploy.

    Screenshot of the create rule dialog.

Note

You can add custom HTML pages for visitors.

Firewall rules: Traffic from countries or regions

We recommend strict security controls on traffic from countries or regions where business is unlikely to occur, unless your organization has a business reason to support traffic from all countries or regions.

Note

If you can't block traffic from a country or region, select Interactive Challenge, not Block.

Block traffic from countries or regions

For the following instructions, you can add custom HTML pages for visitors.

  1. Go to the Cloudflare dashboard.

  2. Expand the Security section.

  3. Select WAF.

  4. Select Create rule.

  5. For Rule name, enter a relevant name.

  6. For If incoming requests match, for Field, select Country or Continent.

  7. For Operator, select equals.

  8. For Value, select the country or continent to block.

  9. For Then take action, select Block.

  10. For Place at, select Last.

  11. Select Deploy.

    Screenshot of the name field on the create rule dialog.
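The two custom rules created above (Tor blocked and placed First, unexpected countries blocked and placed Last) can be written in Cloudflare's rules language and checked for ordering with a small first-match evaluator. This is an added illustration, not Cloudflare's or Microsoft's code; the field names `ip.src.continent` and `ip.src.country` and the value `"T1"` for Tor are assumed from Cloudflare's documentation, and the country codes `XX`/`YY` are constructed placeholders.

```python
"""First-match evaluator for the custom rules this guide creates (added example).

Cloudflare evaluates custom rules top to bottom and applies the first rule whose
expression matches, so the dashboard's "Place at: First/Last" choice is the rule
order. Only the `<field> eq "<value>"` clause form, joined by `or`, is parsed.
"""
import re

# Assumed field names/values (from Cloudflare docs): T1 is the Tor pseudo-region.
RULES = [
    # "Place at: First" -- Tor exit traffic is decided before any other rule.
    {"name": "Block Tor", "expression": '(ip.src.continent eq "T1")', "action": "block"},
    # "Place at: Last" -- geographic catch-all; XX/YY are constructed placeholders.
    {"name": "Block unexpected regions",
     "expression": '(ip.src.country eq "XX") or (ip.src.country eq "YY")',
     "action": "block"},
]

# Constructed sample requests, keyed by the fields the rules inspect.
SAMPLE_REQUESTS = {
    "tor_exit": {"ip.src.continent": "T1", "ip.src.country": "T1"},
    "blocked_region": {"ip.src.continent": "EU", "ip.src.country": "XX"},
    "customer": {"ip.src.continent": "NA", "ip.src.country": "US"},
}

CLAUSE = re.compile(r'\(?\s*([\w.]+)\s+eq\s+"([^"]*)"\s*\)?')


def matches(expression: str, request: dict) -> bool:
    """True if any `field eq "value"` clause of the expression holds for request."""
    for clause in re.split(r"\s+or\s+", expression):
        m = CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, value = m.groups()
        if request.get(field) == value:
            return True
    return False


def evaluate(rules: list, request: dict) -> str:
    """Return the action of the first matching rule, or 'allow' if none match."""
    for rule in rules:
        if matches(rule["expression"], request):
            return rule["action"]
    return "allow"


def soften(rules: list) -> list:
    """Variant for the note above: challenge instead of block where blocking is not possible."""
    return [{**r, "action": "interactive_challenge"} if r["action"] == "block" else r
            for r in rules]


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:15s} -> {evaluate(RULES, req)}")
```

Running the script prints the action each constructed request receives; swap in `soften(RULES)` to see the Interactive Challenge variant from the notes.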

OWASP and managed rulesets

  1. Select Managed rules.

  2. For Cloudflare Managed Ruleset, select Enabled.

  3. For Cloudflare OWASP Core Ruleset, select Enabled.

    Screenshot of rule sets.

Next steps