Microsoft Cloud Reseller: Global Acceleration and WAF Protection for Web Apps with Azure Front Door

cloud  2026-06-05  Reads: 8

When your web application goes to the global market, a string of practical headaches follows one after another: users in Europe complain that pages load at a crawl, users in America are hit by sudden DDoS attacks that take the site down, and the team in Asia stays up every night patching application-layer (Layer 7) security vulnerabilities.

In the past you might have had to assemble a complex architecture: buying a pile of global CDNs, deploying expensive physical firewalls, and configuring complex cross-regional load balancing (GSLB).

But the Azure ecosystem has an "all-powerful king" of a service: Azure Front Door (AFD). It combines global content acceleration (CDN), global load balancing, network security protection (WAF) and application-layer routing in one package. Today's in-depth tutorial starts from scratch and puts a "global acceleration bulletproof vest" on your web application.

1. Core concepts: What is Azure Front Door?

You can think of Azure Front Door as a super-intelligent lobby manager that Microsoft deploys for you at the global edge.

Microsoft runs one of the largest dedicated fiber backbone networks in the world and has deployed Anycast edge nodes in hundreds of cities around the globe.

[Users worldwide] --> [Nearest Azure edge node (AFD)] ---(Microsoft fiber backbone)---> [Your origin server]
                                     │
                            (done at the edge)
                             ┌───────┴───────┐
                             ▼               ▼
                 [WAF security protection]  [Static content cache]

When users visit your website:

Nearby access: Traffic is not routed slowly across the public Internet; Anycast delivers it within seconds to the Microsoft edge node closest to the user.

Highway: From the edge node, traffic rides Microsoft's internal "high-speed rail" (the proprietary fiber backbone) to your origin server, wherever that origin is (it doesn't even need to be on Azure).

Security filtering: At the edge node, the WAF (Web Application Firewall) blocks attacks 0.001 seconds before the traffic touches your server.

2. Phase 1: Create an Azure Front Door instance

First, log in to the Azure portal, search for "Front Door", and click "Create".

Microsoft offers two tiers: Standard and Premium.

💡 Selection recommendation: for production, Premium is strongly recommended. The Premium tier includes bot protection, the industry's best managed WAF rule set (Microsoft Default Rule Set), and more powerful security analytics.

1. Basic configuration

Resource Group: Select or create a resource group, such as Global-Web-RG.

Endpoint name: the public domain name that AFD assigns to you automatically, such as my-global-app-xxxx.azurefd.net (you can bind your own custom domain later).

2. Configure Origin

The origin is the backend server that actually runs your website.

Origin type: supports App Service, virtual machines and public IPs inside Azure, and even Alibaba Cloud (Aliyun), Tencent Cloud or self-hosted data center servers outside Azure.

Host Name: Enter the real IP address or public domain name of your origin server.

HTTPS port: default 443. We recommend using an HTTPS-encrypted channel end to end.

3. Configure routing rules (Routing Rules)

Forwarding protocol: select "HTTPS only" or "Redirect HTTP to HTTPS".

Caching: On. Static resources such as images, CSS and JS are then cached at edge nodes worldwide; users "pick up goods" locally and the origin is under no pressure.

Click "Review + create" and wait 2-3 minutes for your global acceleration network to be initialized.

3. Phase 2: Deploying the WAF bulletproof vest (anti-SQL injection and XSS)

It's good that the website runs fast, but first it has to survive. Now let's put a WAF (Web Application Firewall) coat on Front Door.

In the Azure portal, search for and open "Web Application Firewall policies (WAF)".

Click "Create". Under "Policy applies to", you must select "Azure Front Door".

Associate Endpoint: Select the Front Door instance and the corresponding route that you just created.

1. Enable the official all-inclusive managed rules (Managed Rules)

Go to the "Managed rules" tab of the WAF policy page. By default Azure checks the latest Microsoft_DefaultRuleSet (DRS) for you. This rule set distills what Microsoft's security experts learn from the trillions of attack signals seen worldwide every day. Out of the box it automatically blocks the following high-risk behaviors:

SQL injection (SQLi): attempts to reach your database through form input.

Cross-site scripting (XSS): injecting malicious scripts into your web pages.

Remote code execution (RCE): exploiting server vulnerabilities to execute backdoor commands directly.

2. Intercept malicious crawlers and bots (Bot Protection)

Click "Add managed rule set" and select Microsoft_BotManagerRuleSet.

It distinguishes friendly search-engine crawlers (such as Googlebot and Bingbot) from malicious ticket-scalping scripts, spam senders or traffic-inflating bots, and blocks the latter on the front line.

3. Custom rules: precise sanctions

Sometimes the managed rules are too generic and you want something tailored. Click "Custom rules" -> "Add custom rule".

🛠 Practical scenario: block all traffic from a malicious country/region or IP range.
Rule name: BlockMaliciousGeo.
Action: Deny.
Match type: Geo-location.
Match value: check the countries or regions that frequently launch attacks against you.
After saving, every access from those regions receives a big 403 rejection at Microsoft's edge node and never even finds out where your server's door is.

4. Phase 3: Live testing and verification

After the configuration is complete, wait about 5 minutes for global routing and policy synchronization. Next we test it both as a real global user and as a simulated attacker.

1. Verify the global acceleration effect

Open a global multi-node ping / website speed test tool (such as ITDOG or Pingdom) and enter your Front Door domain name.

You will be pleasantly surprised: whether from New York, London, Tokyo or Frankfurt, latency shows up as a beautiful "green" everywhere (usually a few milliseconds to tens of milliseconds).

Reason: the user completes the handshake locally with the nearest edge node, and the rest of the path runs over Microsoft's backbone network.

2. Pretending to be a hacker: trigger a WAF block

In a browser, we launch a simulated SQL injection attack against our own website.

Append a parameter with a typical SQL injection pattern to your Front Door domain name:

https://my-global-app-xxxx.azurefd.net/index.html?id=1' AND '1'='1

The moment you press Enter, you will certainly not see your web page, but a cold prompt:

HTTP Error 403. The request is blocked.

In the Azure Monitor logs you will clearly see that a request from your current public IP triggered the SQLi rule and was shot down by the WAF at the edge node. Your origin server never even knew anyone had poked at it.
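The log review described above, and the "watch the logs for several days in Detection mode" advice in the pitfalls section, both come down to summarising WAF records. The following is an added example (not code from the article or from Microsoft): it parses resource-log records of category FrontDoorWebApplicationFirewallLog from a JSON export; the property names clientIP, requestUri, ruleName, policyMode and action, the rule-name format and all sample values are assumptions or constructed data, so adjust them to what your workspace shows.

```python
"""Triage Azure Front Door WAF logs before switching Detection -> Prevention.
Added example; field names are assumptions, sample records are constructed."""
import json
from collections import Counter, defaultdict

WAF_CATEGORY = "FrontDoorWebApplicationFirewallLog"

# Constructed sample: two SQLi hits from the Phase 3 test, one DRS hit on a
# legitimate API path, and one access-log record that is not a WAF verdict.
SAMPLE_LOG = """
{"category":"FrontDoorWebApplicationFirewallLog","properties":{"clientIP":"203.0.113.10","requestUri":"/index.html?id=1'%20AND%20'1'='1","ruleName":"Microsoft_DefaultRuleSet-2.1-SQLI-942100","policyMode":"detection","action":"Log"}}
{"category":"FrontDoorWebApplicationFirewallLog","properties":{"clientIP":"203.0.113.10","requestUri":"/index.html?id=1'%20AND%20'1'='1","ruleName":"Microsoft_DefaultRuleSet-2.1-SQLI-942110","policyMode":"detection","action":"Log"}}
{"category":"FrontDoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.7","requestUri":"/api/upload","ruleName":"Microsoft_DefaultRuleSet-2.1-PROTOCOL-ENFORCEMENT-920300","policyMode":"detection","action":"Log"}}
{"category":"FrontDoorAccessLog","properties":{"clientIp":"198.51.100.7","requestUri":"/","httpStatusCode":"200"}}
"""

def parse_waf_records(text):
    """Keep only WAF verdicts; access and health-probe logs are other categories."""
    recs = [json.loads(ln) for ln in text.splitlines() if ln.strip()]
    return [r["properties"] for r in recs if r.get("category") == WAF_CATEGORY]

def path_of(uri):
    return uri.split("?", 1)[0]  # drop the query string so paths group cleanly

def summarise(records):
    """Hits per rule, hits per client IP, and the paths each rule fired on."""
    by_rule = Counter(r["ruleName"] for r in records)
    by_ip = Counter(r["clientIP"] for r in records)
    paths = defaultdict(set)
    for r in records:
        paths[r["ruleName"]].add(path_of(r["requestUri"]))
    return by_rule, by_ip, paths

def still_logging_only(records):
    """True while the policy is in Detection mode (every verdict is 'Log')."""
    return all(r["policyMode"] == "detection" and r["action"] == "Log" for r in records)

def review_candidates(records, known_good_paths):
    """Rules that fired on paths legitimate clients are known to use: inspect
    these for false positives before switching the policy to Prevention."""
    return sorted({r["ruleName"] for r in records
                   if path_of(r["requestUri"]) in known_good_paths})

if __name__ == "__main__":
    recs = parse_waf_records(SAMPLE_LOG)
    by_rule, by_ip, paths = summarise(recs)
    for rule, n in by_rule.most_common():
        print(f"{n:3d}  {rule}  paths={sorted(paths[rule])}")
    print("review before Prevention:", review_candidates(recs, {"/api/upload"}))
```

Feed it the exported records from the observation period: rules that fire only on the injection test stay, rules that fire on paths your real users hit are the ones to investigate or exclude before flipping to Prevention.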

5. Advanced: Configure Multi-Source Global Disaster Recovery (Active-Active)

If you have the resources, deploy an identical set of web servers in the United States (East US) and Hong Kong (East Asia). Front Door can give you global active-active disaster recovery directly.

Go to your AFD's "Origin groups".

Add both the US West and Hong Kong servers.

Health Probes: Send an HTTPS request every 30 seconds to check whether the origin is alive.

Effect: When European users visit, AFD automatically directs traffic to the closer US West data center; when Asian users visit, they automatically go to the Hong Kong data center. If the Hong Kong data center goes down from a power failure or sudden fault, AFD's health probes notice within seconds and seamlessly shift all traffic to US West in an instant. Apart from users feeling slightly slower, the business is not interrupted at all!

Pitfalls and summary

While enjoying the extreme speed and security of Azure Front Door, remember these two key closing actions:

Origin security lock (IP restriction): after deploying AFD, be sure to configure your origin server (or its firewall) to allow access only from the Azure Front Door service tag (Service Tag: AzureFrontDoor.Backend)! Otherwise, if an attacker learns the real IP of your origin and bypasses Front Door to reach it directly, your WAF is useless.

WAF in Detection mode first: when you first enable WAF managed rules, set the policy mode to "Detection" and watch the logs for several days. Once you have confirmed that legitimate user requests are not being killed by mistake (false positives), switch to "Prevention" mode to actually block.
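The origin lock above is usually enforced in a firewall, but the same check is worth expressing in code, and it is stronger when paired with a second check: Front Door stamps every forwarded request with an X-Azure-FDID header carrying the profile's Front Door ID, which keeps out traffic relayed through someone else's Front Door instance, whose IPs are also in the service tag. The following is an added example (not from the article or from Microsoft); it assumes the layout of Microsoft's downloadable service-tag JSON (a "values" list with "name" and "properties.addressPrefixes"), while the prefixes and the Front Door ID below are constructed placeholders.

```python
"""Origin-side check that a request really came through our Azure Front Door.
Added example; prefixes and Front Door ID are constructed placeholders."""
import ipaddress
import json

# Constructed stand-in for the service-tag download; real prefixes differ.
SERVICE_TAGS_JSON = json.dumps({
    "values": [
        {"name": "AzureFrontDoor.Backend",
         "properties": {"addressPrefixes": ["192.0.2.0/24", "2001:db8:fd::/48"]}},
        {"name": "AzureFrontDoor.Frontend",
         "properties": {"addressPrefixes": ["198.51.100.0/24"]}},
    ]
})
# Placeholder; read your own value from the Front Door profile overview page.
MY_FRONT_DOOR_ID = "00000000-0000-0000-0000-00000000abcd"

def load_tag_prefixes(service_tags_json, tag="AzureFrontDoor.Backend"):
    """Return the networks listed for one service tag in the published JSON."""
    for entry in json.loads(service_tags_json)["values"]:
        if entry["name"] == tag:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag} not found")

def ip_in_prefixes(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)  # v4/v6 mismatch is simply False

def request_allowed(peer_ip, headers, prefixes, expected_fdid=MY_FRONT_DOOR_ID):
    """Both checks must pass: a request that hits the origin directly fails the
    IP check, one relayed via a stranger's Front Door fails the FDID check."""
    if not ip_in_prefixes(peer_ip, prefixes):
        return False
    fdid = {k.lower(): v for k, v in headers.items()}.get("x-azure-fdid")
    return fdid == expected_fdid

if __name__ == "__main__":
    backend = load_tag_prefixes(SERVICE_TAGS_JSON)
    print(request_allowed("192.0.2.45", {"X-Azure-FDID": MY_FRONT_DOOR_ID}, backend))
    print(request_allowed("203.0.113.9", {"X-Azure-FDID": MY_FRONT_DOOR_ID}, backend))
```

Re-download the service-tag JSON on a schedule, since Microsoft changes the prefixes over time, and treat a failed check as a 403 at the origin.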

Summary: Azure Front Door is the absolute weapon of modern global web architecture. It condenses the intricacies of global network optimization and advanced network security into a few clear configuration cards in the cloud. Used well, your application can truly become "globally fast, as stable as Mount Tai".
