Tutorial: Quickly scale and protect a web application using Azure Front Door and Azure Web Application Firewall (WAF)

Important

Azure Front Door (classic) will be retired on March 31, 2027. To avoid any service disruption, it is important that you migrate your Azure Front Door (classic) profiles to Azure Front Door Standard or Premium tier by March 2027. For more information, see Azure Front Door (classic) retirement.

Web applications often experience traffic surges and malicious attacks, such as denial-of-service attacks. Azure Front Door with Azure WAF can help scale your application and protect it from such threats. This tutorial guides you through configuring Azure Front Door with Azure WAF for any web app, whether it runs inside or outside of Azure.

We use the Azure CLI for this tutorial. You can also use the Azure portal, Azure PowerShell, Azure Resource Manager, or Azure REST APIs.

In this tutorial, you learn to:

  • Create a Front Door.
  • Create an Azure WAF policy.
  • Configure rule sets for a WAF policy.
  • Associate a WAF policy with Front Door.
  • Configure a custom domain.

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites

Note

For more information about the commands used in this tutorial, see the Azure CLI reference for Front Door.

Create an Azure Front Door resource

az network front-door create --backend-address <backend-address> --accepted-protocols <protocols> --name <name> --resource-group <resource-group>
  • --backend-address: The fully qualified domain name (FQDN) of the application you want to protect, for example, myapplication.contoso.com.
  • --accepted-protocols: Protocols supported by Azure Front Door, for example, --accepted-protocols Http Https.
  • --name: The name of your Azure Front Door resource.
  • --resource-group: The resource group for this Azure Front Door resource. Learn more about managing resource groups.

Note the hostName value from the response, as you need it later. The hostName is the DNS name of the Azure Front Door resource.

Create an Azure WAF profile for Azure Front Door

az network front-door waf-policy create --name <name> --resource-group <resource-group> --disabled false --mode Prevention
  • --name: The name of the new Azure WAF policy.
  • --resource-group: The resource group for this WAF resource.

The previous command creates a WAF policy in prevention mode.

Note

Consider creating the WAF policy in detection mode first to observe and log malicious requests without blocking them before switching to prevention mode.

Note the ID value from the response, as you need it later. The ID should be in this format:

/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/<WAF-policy-name>

Add managed rule sets to the WAF policy

Add the default rule set:

az network front-door waf-policy managed-rules add --policy-name <policy-name> --resource-group <resource-group> --type DefaultRuleSet --version 1.0

Add the bot protection rule set:

az network front-door waf-policy managed-rules add --policy-name <policy-name> --resource-group <resource-group> --type Microsoft_BotManagerRuleSet --version 1.0
  • --policy-name: The name of your Azure WAF resource.
  • --resource-group: The resource group for the WAF resource.

Associate the WAF policy with the Azure Front Door resource

az network front-door update --name <name> --resource-group <resource-group> --set 'frontendEndpoints[0].webApplicationFirewallPolicyLink={"id":"<ID>"}'
  • --name: The name of your Azure Front Door resource.
  • --resource-group: The resource group for the Azure Front Door resource.
  • --set: Update the WebApplicationFirewallPolicyLink attribute for the frontendEndpoint with the new WAF policy ID.
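To confirm that the steps above took effect, the following added example (not part of the original tutorial) reads the WAF policy and the Front Door back and reports anything that leaves the application unprotected. It assumes the Azure CLI front-door extension is installed and you are signed in, and it checks only frontendEndpoints[0], the endpoint the association command above updates; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm the WAF is linked and enforcing.
# Arguments are your own Front Door name, WAF policy name and resource group.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Read one field of the WAF policy: waf_field <policy> <resource-group> <JMESPath>
waf_field() {
  az network front-door waf-policy show --name "$1" --resource-group "$2" \
    --query "$3" -o tsv
}

# Prints one finding per line; exit status is 0 only when there are none.
check_waf_posture() (
  fd=$1 waf=$2 rg=$3 findings=0
  policy_id=$(waf_field "$waf" "$rg" id)
  mode=$(waf_field "$waf" "$rg" policySettings.mode)
  state=$(waf_field "$waf" "$rg" policySettings.enabledState)
  rulesets=$(waf_field "$waf" "$rg" 'managedRules.managedRuleSets[].ruleSetType')
  linked_id=$(az network front-door show --name "$fd" --resource-group "$rg" \
    --query 'frontendEndpoints[0].webApplicationFirewallPolicyLink.id' -o tsv)

  # Azure resource IDs are case-insensitive, so compare them lowercased.
  if [ -z "$policy_id" ] || [ "$(lower "$linked_id")" != "$(lower "$policy_id")" ]; then
    echo "FAIL: frontendEndpoints[0] is not linked to WAF policy $waf"
    findings=$((findings + 1))
  fi
  if [ "$state" != "Enabled" ]; then
    echo "FAIL: WAF policy $waf is not enabled"
    findings=$((findings + 1))
  fi
  if [ "$mode" != "Prevention" ]; then
    echo "WARN: mode is '$mode'; matching requests are logged but not blocked"
    findings=$((findings + 1))
  fi
  # The two managed rule sets this tutorial adds must both be present.
  for rs in DefaultRuleSet Microsoft_BotManagerRuleSet; do
    if ! printf '%s\n' "$rulesets" | grep -qix "$rs"; then
      echo "FAIL: managed rule set $rs is not on the policy"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
)
```

Run it as check_waf_posture <front-door-name> <policy-name> <resource-group>; a policy left in detection mode is reported as a warning so the switch to prevention mode is not forgotten.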

Note

If you're not using a custom domain, you can skip the next section. Provide your customers with the hostName obtained when you created the Azure Front Door resource.

Configure the custom domain for your web application

Update your DNS records to point the custom domain to the Azure Front Door hostName. Refer to your DNS service provider's documentation for specific steps. If you use Azure DNS, see update a DNS record.

For zone apex domains (for example, contoso.com), use Azure DNS and its alias record type.

Update your Azure Front Door configuration to add the custom domain.

To enable HTTPS for your custom domain, set up certificates in Azure Front Door.

Lock down your web application

Ensure only Azure Front Door edges can communicate with your web application. See How to lock down access to my backend to only Azure Front Door.

Clean up resources

When no longer needed, delete the resource group, Front Door, and WAF policy:

az group delete --name <resource-group>
  • --name: The name of the resource group for all resources used in this tutorial.

Next steps

To troubleshoot your Front Door, see: