Using Terraform to deploy and configure Azure Front Door with an Azure App Service
This project provides end-to-end Terraform scripts for provisioning a WAF-enabled Azure Front Door whose backend pool points at an existing Azure App Service, with routing rules and caching configuration.
These scripts:
- Provision an Azure Front Door with Web Application Firewall (WAF) enabled
- Provision a sample application on Azure App Service (Azure Voting App - https://github.com/Azure-Samples/azure-voting-app-redis)
- Configure Front Door to route traffic to the App Service with caching configuration
- Restrict inbound traffic to the App Service so that only Azure infrastructure (Front Door) can reach it
Getting Started
Prerequisites
Installation
git clone https://github.com/Azure-Samples/frontdoor-appservice-vnet-terraform.git
cd frontdoor-appservice-vnet-terraform
Quickstart
There are different ways to authenticate with the Azure provider via Terraform. This example uses a Service Principal with a Client Secret to authenticate.
az login
az account set -s <subscription_id>
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<your-subscription-id>"
export ARM_SUBSCRIPTION_ID=<subscription-id>
export ARM_CLIENT_ID=<app-id>
export ARM_CLIENT_SECRET=<password>
export ARM_TENANT_ID=<tenant-id>
terraform init
terraform validate
terraform plan -var-file="terraform.tfvars"
terraform apply -var-file="terraform.tfvars"
Demo
Validate Front Door from the Azure Portal
- Resource group with the specified name is created
- Voting App is provisioned from https://github.com/Azure-Samples/azure-voting-app-redis
  - Voting App is provisioned from docker-compose.yaml
  - Access to the Voting App is limited to Front Door only
- Front Door global WAF is created with the following config
  - Policy mode: Prevention
  - Managed rules: DefaultRuleSet_1.0 and Microsoft_BotManagerRuleSet_1.0
- Front Door is created with the following config
  - Front Door endpoint is created
  - Session affinity disabled
  - WAF enabled and associated with the created WAF policy
- Backend pool is created
  - Backend host name: Voting App
  - Health probe enabled with HTTPS protocol
  - Load balancing set with default config
- Front Door is created with a forwarding routing rule
  - Status "Enabled"
  - Accepted protocol HTTPS
  - Pattern to match: /*
  - Route type: Forward
  - Backend pool is set
  - Forwarding protocol: HttpsOnly
  - URL rewrite disabled
  - Caching enabled and query string behavior set to "Cache Every Unique URL"
  - Dynamic compression "Enabled"
  - Use default cache duration "Yes"
- Front Door is created with an HTTPS redirect routing rule
  - Redirect type "Found"
  - Redirect protocol "HttpsOnly"
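The two security-relevant pieces of the configuration above, the Prevention-mode WAF policy and the origin lock-down, as an added example that is not part of this project's own Terraform files. It assumes azurerm provider 2.40 or later (for the service_tag and headers arguments), and existing resources named azurerm_resource_group.rg, azurerm_app_service_plan.plan and azurerm_frontdoor.fd whose frontend_endpoint links the policy via web_application_firewall_policy_link_id.

```hcl
# Added example; resource names and the existing rg/plan/fd resources are assumptions.

# WAF policy in Prevention mode with the two managed rule sets from the Demo section.
resource "azurerm_frontdoor_firewall_policy" "waf" {
  name                = "votingappwaf"
  resource_group_name = azurerm_resource_group.rg.name
  enabled             = true
  mode                = "Prevention"

  managed_rule {
    type    = "DefaultRuleSet"
    version = "1.0"
  }

  managed_rule {
    type    = "Microsoft_BotManagerRuleSet"
    version = "1.0"
  }
}

# Origin restricted to Front Door. The AzureFrontDoor.Backend service tag admits
# traffic from any Front Door profile in Azure, so the X-Azure-FDID header check
# pins the rule to this profile's ID (header_frontdoor_id) and closes that gap.
resource "azurerm_app_service" "voting" {
  name                = "votingapp-origin"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  app_service_plan_id = azurerm_app_service_plan.plan.id
  https_only          = true

  site_config {
    ip_restriction {
      name        = "AllowThisFrontDoorOnly"
      priority    = 100
      action      = "Allow"
      service_tag = "AzureFrontDoor.Backend"

      headers {
        x_azure_fdid = [azurerm_frontdoor.fd.header_frontdoor_id]
      }
    }
    # Any request not matching the allow rule above hits App Service's implicit deny-all.
  }
}
```

To verify the lock-down after apply, a direct request to the *.azurewebsites.net host should return HTTP 403 while the same path through the *.azurefd.net host returns the app.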
GitHub Issues Created
- Feature request: support for a backend host type of "Public IP Address" in the backend pool
- Bug: unable to get multiple routing rules working with the same backend pool
- Front Door cannot be created in a VNet; it needs a publicly resolvable IP address
- Azure Front Door resource name has to be the same as that of the frontend host
- Support for HttpHeader in the Terraform AppServiceIpRestriction schema