Azure front door does not have WAF enabled

ID

front_door_waf

Severity

low

Vendor

Azure

Resource

Front Door

Tags

reachable

Description

Azure Front Door should be linked to a WAF.

Azure Front Door is Microsoft’s modern cloud Content Delivery Network (CDN) that provides fast, reliable, and secure access between your users and your applications’ static and dynamic web content across the globe. Azure Front Door delivers your content using Microsoft’s global edge network, with hundreds of global and local POPs distributed around the world close to both your enterprise and consumer end users.

A WAF provides some protection against application-layer attacks, and this rule enforces that Front Doors enable a WAF with an appropriate mode.

This detector expects the Front Door to be linked to a WAF policy through the webApplicationFirewallPolicyLink property of its frontend endpoints.
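As an added illustration of the check described above (not the detector's own code), the following Python scanner loads an ARM template and reports every Front Door frontend endpoint that lacks a non-empty webApplicationFirewallPolicyLink. The embedded template, its endpoint names and the policy name are constructed for this example.

```python
import json

# Constructed sample ARM template (not a real deployment): one Front Door with
# two frontend endpoints, only the second of which is linked to a WAF policy.
SAMPLE_TEMPLATE = """{
  "contentVersion": "1.0.0.0",
  "resources": [{
    "type": "Microsoft.Network/frontDoors",
    "apiVersion": "2020-05-01",
    "name": "example",
    "location": "global",
    "properties": {
      "enabledState": "Enabled",
      "frontendEndpoints": [
        {"name": "public", "properties": {"hostName": "example.azurefd.net"}},
        {"name": "admin", "properties": {
          "hostName": "example-admin.azurefd.net",
          "webApplicationFirewallPolicyLink": {
            "id": "[resourceId('Microsoft.Network/frontDoorWebApplicationFirewallPolicies', 'examplewaf')]"
          }}}
      ]
    }
  }]
}"""

def has_waf_link(endpoint: dict) -> bool:
    """True only if the endpoint carries a webApplicationFirewallPolicyLink with a non-empty id."""
    props = endpoint.get("properties") or {}
    link = props.get("webApplicationFirewallPolicyLink")
    return isinstance(link, dict) and bool(str(link.get("id") or "").strip())

def find_unprotected_endpoints(template: dict) -> list:
    """Return 'frontDoor/endpoint' names for every frontend endpoint with no WAF link."""
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != "microsoft.network/frontdoors":
            continue
        endpoints = (res.get("properties") or {}).get("frontendEndpoints") or []
        if not endpoints:
            # No frontend endpoints at all means nothing can carry the WAF link.
            findings.append(f"{res.get('name')}/<no frontendEndpoints>")
        for ep in endpoints:
            if not has_waf_link(ep):
                findings.append(f"{res.get('name')}/{ep.get('name')}")
    return findings

def scan(template_text: str) -> list:
    """Parse ARM template JSON and return the findings for rule front_door_waf."""
    return find_unprotected_endpoints(json.loads(template_text))
```

Running scan(SAMPLE_TEMPLATE) flags only the "public" endpoint; an endpoint whose link has an empty id is treated as unprotected, as is a Front Door with no frontend endpoints.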

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/frontDoors",
      "apiVersion": "2020-05-01",
      "name": "bad", (1)
      "location": "global",
      "properties": {
        "enabledState": "Enabled",
        "frontendEndpoints": [
          {
            "name": "[variables('frontEndEndpointName')]",
            "properties": {
              "hostName": "[format('{0}.azurefd.net', parameters('frontDoorName'))]",
              "sessionAffinityEnabledState": "Disabled"
            }
          }
        ]
      }
    }
  ]
}
1 Front Door is not linked to a WAF policy.

Terraform

resource "azurerm_frontdoor" "fail" {
  name = "example-FrontDoor"
  # ... more configuration

  frontend_endpoint { # FLAW (1)
    name      = "exampleFrontendEndpoint1"
    host_name = "example-FrontDoor.azurefd.net"
  }
}
1 Front Door is not linked to a WAF policy.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/frontDoors",
      "apiVersion": "2020-05-01",
      "name": "good", (1)
      "location": "global",
      "properties": {
        "enabledState": "Enabled",
        "frontendEndpoints": [
          {
            "name": "[variables('frontEndEndpointName')]",
            "properties": {
              "hostName": "[format('{0}.azurefd.net', parameters('frontDoorName'))]",
              "sessionAffinityEnabledState": "Disabled",
              "webApplicationFirewallPolicyLink": {
                "id": "waf"
              }
            }
          }
        ]
      }
    }
  ]
}
1 Front Door is linked to a WAF policy.

Terraform

resource "azurerm_frontdoor" "pass" {
  name = "example-FrontDoor"
  # ... more configuration

  frontend_endpoint {
    name      = "exampleFrontendEndpoint1"
    host_name = "example-FrontDoor.azurefd.net"
    web_application_firewall_policy_link_id = azurerm_frontdoor_firewall_policy.test.id # FIXED (1)
  }
}
1 Front Door is linked to a WAF policy.