FrontDoor CDN with WAF, Domains and Logs to EventHub
A sample module to create an Azure Front Door CDN profile.
- Create Azure FrontDoor Standard/Premium CDN Profile
- Create routes and associate them with domain, origin and ruleset(s).
- Create rule sets, for example with ModifyResponseHeader and RouteConfigurationOverride (cache override) actions.
- Create a WAF with custom rules in Block mode (in this example, blocking all methods except GET, OPTIONS and HEAD).
- Create a WAF with managed rules in Log mode.
- Attach the WAF to the endpoint as a security policy.
- Dynamically create custom domains and their associations.
- Attach the AFD-provided managed certificate for TLS.
- Dynamically create origins and origin groups from an array and attach them to routes, the WAF policy, etc.
- Create an Event Hub namespace and hub.
- Create diagnostic settings that use the Event Hub to send Azure Front Door CDN logs to it.
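As an added example (not the module's own waf.bicep, whose contents this README does not show), a WAF policy matching the description above: one custom rule in Block mode that rejects every request method except GET, HEAD and OPTIONS, and the managed Default Rule Set in Log mode. Literal values follow the parameter defaults listed below; the rule name, priority and rule-set version are assumptions.

```bicep
// Added illustration, not the module's own waf.bicep; rule name, priority and DRS version are assumptions.
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'FrontDoorCdnStgWAF'              // wafPolicyName default pattern for envName = stg
  location: 'Global'
  sku: { name: 'Premium_AzureFrontDoor' } // must match the CDN profile SKU
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'                  // wafPolicyMode: rules with action Block actually block
      requestBodyCheck: 'Disabled'        // enableRequestBodyCheck = false
      customBlockResponseStatusCode: 403  // wafBlockResponseCode
      customBlockResponseBody: base64('Access Denied by Firewall.') // API expects base64
    }
    customRules: {
      rules: [
        {
          name: 'BlockNonReadMethods'     // assumed name
          priority: 100
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'RequestMethod'
              operator: 'Equal'
              negateCondition: true       // matches every method NOT listed below
              matchValue: ['GET', 'HEAD', 'OPTIONS']
            }
          ]
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Log'            // managed rules observe only; the custom rule above blocks
        }
      ]
    }
  }
}

output wafPolicyId string = wafPolicy.id
```

Deploying with wafPolicyMode set to Detection turns the custom rule into a log-only rule as well, so keep Prevention when the method block is meant to be enforced.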
Parameters
Name | Type | Required | Description |
---|---|---|---|
skuName | string | No | Name of Azure CDN SKU. One of Premium_AzureFrontDoor or Standard_AzureFrontDoor ( default = Premium_AzureFrontDoor ) |
envName | string | Yes | Environment Name. A user defined value. Example: stg , prod |
customDomains | array | Yes | Custom domain for CDN profile |
origins | array | Yes | List of origins that requests are sent to for cache fill |
afdEndpointName | string | No | Name of the AFD Endpoint ( default = afd-cdn-${envName} ) |
enableAfdEndpoint | bool | No | Control flag for enabling or disabling CDN profile ( default = true ) |
cdnProfileName | string | No | Name of the AFD CDN Profile ( default = afd-cdn-${envName}-profile ) |
cdnProfileTags | object | No | Tags to be attached with resources ( default = {envName: ${envName}} ) |
eventHubName | string | No | EventHub instance name ( default = eventhub-${uniqueString(resourceGroup().id)} ) |
eventHubNamespace | string | No | EventHub namespace name ( default = '${eventHubName}-ns' ) |
eventHubLocation | string | No | Region to deploy EventHub ( default = resourceGroup().location ) |
wafPolicyMode | string | No | Policy Mode for WAF. One of Detection or Prevention ( default = Prevention ) |
wafPolicyName | string | No | Name of WAF Policy to be created ( default = FrontDoorCdn${envName}WAF ) |
enableRequestBodyCheck | bool | No | Enable request body inspection ( default = false ) |
enableWAFPolicy | bool | No | Control flag for enabling or disabling WAF security policy ( default = true ) |
wafBlockResponseBody | string | No | Response body to be returned by WAF on request block ( default = Access Denied by Firewall. ) |
wafBlockResponseCode | int | No | Response code to be returned by WAF on request block ( default = 403 ) |
Sample Schema for Arrays and Objects Parameters
cdnProfileTags:

```json
{
  "supportGroup": "support@example.com",
  "env": "test"
}
```

customDomains:

```json
[
  {
    "hostname": "static.example.com"
  }
]
```

origins:

```json
[
  {
    "hostname": "static-src.example.com",
    "originGroupName": "static-src-origin-group",
    "patternsToMatch": [
      "/*"
    ],
    "enabledState": true
  }
]
```
where,

- `hostname`: Origin hostname
- `originGroupName`: Name of the origin group
- `patternsToMatch`: Array of request-path patterns; requests whose path matches one of them are sent to this origin
- `enabledState`: Enable or disable the origin
Output
Name | Type | Description |
---|---|---|
afdEndpointHostName | string | Host name of the Azure Front Door CDN AFD endpoint |
Directory Structure
```text
.
├── README.md
├── azuredeploy.parameters.json
├── images
│   └── deployment.png
├── main.bicep
├── metadata.json
└── modules
    ├── diagnosticsettings.bicep
    ├── eventhub.bicep
    ├── profile.bicep
    ├── routes.bicep
    ├── rulesets.bicep
    └── waf.bicep
```
- Directory `modules` contains the base bicep files:
  - `diagnosticsettings.bicep`: Create diagnostic settings to send Azure CDN access logs to the event hub.
  - `eventhub.bicep`: Create the Event Hub namespace and Event Hub instance.
  - `profile.bicep`: Invoke modules to create the CDN profile, rule sets and diagnostic settings, and attach the WAF security policy.
  - `routes.bicep`: Create CDN routes for the profile.
  - `rulesets.bicep`: Create the rule sets required by the CDN profile.
  - `waf.bicep`: Create the WAF with managed and custom rules that is attached to the CDN profile as a security policy.
- `main.bicep` provides an abstracted view for a user creating the CDN profile and WAF attachment.
Tags: Microsoft.Cdn/profiles, Microsoft.Cdn/profiles/afdEndpoints, Microsoft.Cdn/profiles/afdendpoints/routes, Microsoft.Cdn/profiles/customdomains, Microsoft.Cdn/profiles/originGroups, Microsoft.Cdn/profiles/originGroups/origins, Microsoft.Cdn/profiles/rulesets, Microsoft.Cdn/profiles/rulesets/rules, Microsoft.Cdn/profiles/securitypolicies, Microsoft.EventHub/namespaces, Microsoft.EventHub/namespaces/AuthorizationRules, Microsoft.EventHub/namespaces/eventhubs, Microsoft.EventHub/namespaces/eventhubs/consumergroups, Microsoft.EventHub/namespaces/networkRuleSets, Microsoft.Insights/diagnosticSettings, Microsoft.Network/frontdoorwebapplicationfirewallpolicies, Premium_AzureFrontDoor, cdn