Muokkaa

Jaa


Configure an IP restriction rule with a WAF for Azure Front Door

This article shows you how to configure IP restriction rules in a web application firewall (WAF) for Azure Front Door by using the Azure portal, the Azure CLI, Azure PowerShell, or an Azure Resource Manager template.

An IP address–based access control rule is a custom WAF rule that lets you control access to your web applications. The rule specifies a list of IP addresses or IP address ranges in Classless Inter-Domain Routing (CIDR) format.

There are two types of match variables in an IP address match: RemoteAddr and SocketAddr. The RemoteAddr variable is the original client IP that's usually sent via the X-Forwarded-For request header. The SocketAddr variable is the source IP address the WAF sees. If your user is behind a proxy, SocketAddr is often the proxy server address.

By default, your web application is accessible from the internet. If you want to limit access to clients from a list of known IP addresses or IP address ranges, you can create an IP matching rule that contains the list of IP addresses as matching values and sets the operator to Not (negate is true) and the action to Block. After an IP restriction rule is applied, requests that originate from addresses outside this allowed list receive a 403 Forbidden response.

Configure a WAF policy

Follow these steps to configure a WAF policy using the Azure portal.

Prerequisites

Create an Azure Front Door profile by following the instructions described in Quickstart: Create an Azure Front Door instance for a highly available global web application.

Create a WAF policy

  1. On the Azure portal, select Create a resource. Enter Web application firewall in the Search services and marketplace search box and select Enter. Then select Web Application Firewall (WAF).

  2. Select Create.

  3. On the Create a WAF policy page, use the following values to complete the Basics tab.

    Setting Value
    Policy for Global WAF (Front Door).
    Front door tier Select Premium or Standard to match your Azure Front Door tier.
    Subscription Select your subscription.
    Resource group Select the resource group where your Azure Front Door instance is located.
    Policy name Enter a name for your policy.
    Policy state Selected
    Policy mode Prevention
  4. Select Next: Managed rules.

  5. Select Next: Policy settings.

  6. On the Policy settings tab, enter You've been blocked! for the Block response body so that you can see that your custom rule is in effect.

  7. Select Next: Custom rules.

  8. Select Add custom rule.

  9. On the Add custom rule page, use the following test values to create a custom rule.

    Setting Value
    Custom rule name FdWafCustRule
    Status Enabled
    Rule type Match
    Priority 100
    Match type IP address
    Match variable SocketAddr
    Operation Does not contain
    IP address or range 10.10.10.0/24
    Then Deny traffic

    Custom rule

    Select Add.

  10. Select Next: Association.

  11. Select Associate a Front door profile.

  12. For Frontend profile, select your front-end profile.

  13. For Domain, select the domain.

  14. Select Add.

  15. Select Review + create.

  16. After your policy validation passes, select Create.

Test your WAF policy

  1. After your WAF policy deployment completes, browse to your Azure Front Door front-end host name.

  2. You should see your custom block message.

    WAF rule test

    Note

    A private IP address was intentionally used in the custom rule to guarantee the rule would trigger. In an actual deployment, create allow and deny rules by using IP addresses for your particular situation.

Next steps

Learn how to create an Azure Front Door profile.