Steve L.

Reputation: 1138

Azure Front Door - How to add geo filtering policy?

I want to apply a geo filter to Azure Front Door for countries that are outside of the US.

I've applied a WAF policy (following the Microsoft docs), but I'm not getting the desired result. All traffic appears to be denied. If I try a different country code, all traffic seems to be allowed.

Here's an example of a deny policy I'm trying to get working. If I apply this rule and test via locabrowser, the traffic is allowed.

I'm testing this theory by using locabrowser to simulate traffic from different locations.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "frontdoorwebapplicationfirewallpolicies_DenyChinaWafPolicy_name": {
            "defaultValue": "DenyChinaWafPolicy",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
            "apiVersion": "2018-08-01",
            "name": "[parameters('frontdoorwebapplicationfirewallpolicies_DenyChinaWafPolicy_name')]",
            "location": "Global",
            "properties": {
                "policySettings": {
                    "enabledState": "Enabled",
                    "mode": "Prevention"
                },
                "customRules": {
                    "rules": [
                        {
                            "name": "geoFilterRule",
                            "priority": 1,
                            "ruleType": "MatchRule",
                            "rateLimitDurationInMinutes": 1,
                            "rateLimitThreshold": 0,
                            "matchConditions": [
                                {
                                    "matchVariable": "RemoteAddr",
                                    "operator": "GeoMatch",
                                    "negateCondition": false,
                                    "matchValue": [
                                        "CH"
                                    ]
                                }
                            ],
                            "action": "Block"
                        }
                    ]
                },
                "managedRules": {
                    "ruleSets": []
                }
            }
        }
    ]
}

Upvotes: 0

Views: 1480

Answers (2)

msrini-MSIT

Reputation: 1502

Geo-filtering in AFD is currently broken. It includes all countries instead of the specific location. A fix has been made and will be released soon. I will update here once the fix is updated.

Upvotes: 2

Nancy Xiong

Reputation: 28244

This also does not work for me. Whether I set the action to allow or block with "matchVariable": "RemoteAddr" and "operator": "GeoMatch", it seems that this policy does not rely on the "matchValue" and just works depending on the action. It seems that geo filtering with WAF is still not available.

Please note that the Azure web application firewall (WAF) for Azure Front Door is currently in public preview.

You could voice your opinion or vote on these feedback items, feedback1 and feedback2, about geo-filtering.

Upvotes: 1
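
An added example, not part of the original posts: a small Python model of how a GeoMatch custom rule is meant to evaluate (not the preview service's behaviour reported above), applied to the rule from the question and to a constructed variant for the stated goal of blocking traffic from outside the US. The function names, the `US_ONLY` variant, the default-allow fallback and the short ISO 3166-1 code table are assumptions made for this example.

```python
import json

# Constructed subset of ISO 3166-1 alpha-2 codes, enough for this example.
ISO_NAMES = {"CH": "Switzerland", "CN": "China", "US": "United States", "DE": "Germany"}

def condition_matches(cond, client_country):
    """Intended GeoMatch semantics: hit if the country is listed, inverted by negateCondition."""
    if cond["operator"] != "GeoMatch":
        raise ValueError("only GeoMatch is modelled here")
    hit = client_country in cond["matchValue"]
    return (not hit) if cond.get("negateCondition", False) else hit

def evaluate(rules, client_country, default="Allow"):
    """Walk custom rules by priority; the first rule whose conditions all match decides."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(condition_matches(c, client_country) for c in rule["matchConditions"]):
            return rule["action"]
    return default  # assumption: requests matching no custom rule are allowed

def describe(rules):
    """Spell out which countries each geo rule names, so a wrong code is visible in review."""
    out = []
    for rule in rules:
        for cond in rule["matchConditions"]:
            names = [ISO_NAMES.get(c, "unknown code") for c in cond["matchValue"]]
            scope = "every country except" if cond.get("negateCondition") else "only"
            out.append(f'{rule["name"]}: {rule["action"]} {scope} {", ".join(names)}')
    return out

# The custom rule from the question, trimmed to the fields that matter here.
POSTED = json.loads('''[{"name": "geoFilterRule", "priority": 1, "action": "Block",
  "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "GeoMatch",
                       "negateCondition": false, "matchValue": ["CH"]}]}]''')

# Constructed variant for the stated goal: block everything outside the US.
US_ONLY = json.loads('''[{"name": "geoFilterRule", "priority": 1, "action": "Block",
  "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "GeoMatch",
                       "negateCondition": true, "matchValue": ["US"]}]}]''')

if __name__ == "__main__":
    print(describe(POSTED), describe(US_ONLY))
    for country in ("US", "CN", "CH", "DE"):
        print(country, evaluate(POSTED, country), evaluate(US_ONLY, country))
```

Comparing a table like this against real test requests from each location makes it clear whether a mismatch comes from the rule as written or from the service.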
