Using Terraform to deploy and configure Azure Front Door with an Azure App Service

This project provides end to end terraform scripts for provisioning a WAF enabled Azure Front Door with backend pools set with an existing Azure App service, routing rules with caching config.

These scripts:

• Provision an Azure Front Door with Web Application Firewall (WAF) enabled
• Provision a sample application on Azure App Service(Azure Voting App - https://github.com/Azure-Samples/azure-voting-app-redis)
• Configures Front Door to route traffic to the App Service with caching configuration
• Places limits on inbound traffic to the App Service to be limited to Azure Infrastructure

Getting Started

Prerequisites

• Terraform
• Azure CLI

Installation

git clone https://github.com/Azure-Samples/frontdoor-appservice-vnet-terraform.git
cd frontdoor-appservice-vnet-terraform

Quickstart

There are different ways to authenticate with the Azure provider via Terraform. This example uses a Service Principal with a Client Secret to authenticate.

az login
az account set -s <subscription_id>
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<your-subscription-id>"

export ARM_SUBSCRIPTION_ID=<subscription-id>
export ARM_CLIENT_ID=<app-id>
export ARM_CLIENT_SECRET=<password>
export ARM_TENANT_ID=<tenant-id>

terraform init
terraform validate
terraform plan -var-file="terraform.tfvars"
terraform apply -var-file="terraform.tfvars"

Demo

Validate Frontdoor from the Azure Portal

• Resource group with specified name is created

• Provision Voting App from https://github.com/Azure-Samples/azure-voting-app-redis

  • Provision Voting App from docker-compose.yaml
  • Limit Access to the Voting App from frontdoor only

• Frontdoor Global WAF is created with following config

  • Prevention Policy Settings
  • Managed Rules as DefaultRuleSet_1.0 and Microsoft_BotManagerRuleSet_1.0

• Frontdoor is created with following config

  • Frontdoor endpoint is created
  • SESSION AFFINITY disabled
  • WAF enabled and associated with created WAF

• Backendpool is created

  • Backend host name Voting App
  • HealthProbe enabled with HTTPS protocol
  • Load balancing set with default config

• Frontdoor created with Forwarding Routing Rule

  • Status "enabled"
  • Accepted Protocol HTTPS
  • Pattern to match a /*
  • Route Type Forward
  • Backendpool is set
  • Forwarding Protocol HttpsOnly request
  • URL Rewrite disabled
  • Caching enabled and query string behavior is set to "Cache Every Unique URL"
  • Dynamic compression "enabled"
  • Use default cache duration "Yes"

• Frontdoor created with Https Redirect Routing Rule

  • Redirect type to "Found"
  • Redirect protocol "HttpsOnly"

GitHub Issues Created

• Feature Request: Support for Config Backend Host Type in backendpool to support "Public IP Address"
• Bug : Unable to get multiple routing rules working with the same backend pool
• Frontdoor cannot be created in VNET needs publicly resolvable IP Address
• Azure Front Door resource name has to be the same name as that of front end host
• Support for HttpHeader in the terraform schemaAppServiceIpRestriction Schema

Resources

• Frontdoor Terraform
• Azure Frontdoor
• Limit access to Backend from Azure Frontdoor
• Access Restriction HttpHeaders