🌱 PoC Azure FrontDoor
December 20, 2022
PoC to secure an Azure Function behind an Azure FrontDoor, gaining load balancing, DSA and WAF capabilities.
🌱 Seedlings are ideas I have only just had and that still need cultivating; they have not been reviewed or refined.
TL;DR
- Gist containing artifacts: https://gist.github.com/myreli/fd37b6f29957c9b9180bed984ae5f1bd
- Total cost: R$0.21 on Azure App Service (due to the serverfarms; all other resources fall under always-free services)
Concept
Expose Azure apps and functions through a secure FrontDoor instead of direct access (which is insecure) or an API Gateway setup (which is a bit more complex, but combining both is a common approach).
Client → Azure FrontDoor → Azure Functions
Deployment
Create a resource group and deploy the template:
az group create --name poc-frontdoor --location "East US"
az deployment group create \
  --resource-group poc-frontdoor \
  --template-file poc.bicep \
  --parameters appName=poc
All parameters are optional:
- location: defaults to resourceGroup location
- appName: defaults to auto-generated string
- frontDoorEndpointName: defaults to auto-generated string
All other resources are deployed using an auto-generated string or their own name, e.g.:
resource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups'
  name: 'frontDoorOriginGroupName'
resource hostingPlan 'Microsoft.Web/serverfarms'
  name: 'hpe${uniqueString(resourceGroup().id)}'
Testing
- Access the app without FrontDoor (the demo public function):
- Access the app with FrontDoor (the demo private function):
- Access the app through FrontDoor:
Clean Up
Delete the entire resource group to prevent waste:
az group delete --name poc-frontdoor
Next
- [ ] Restrict access to FrontDoor (e.g. IP Restrictions)
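
One way to approach the item above at the origin, as an added example that is not part of the original post or its gist: a Bicep fragment that makes the Function App accept only requests arriving through this FrontDoor profile, using the `AzureFrontDoor.Backend` service tag plus the profile's `x-azure-fdid` header. The parameter names, symbolic names and rule name are assumptions, and the API versions may differ from those used in `poc.bicep`.

```bicep
// Added example, not from the original gist.
// Assumed parameters: names of the already-deployed Function App and Front Door profile.
param functionAppName string
param frontDoorProfileName string

// Reference the existing Front Door profile to read its unique ID.
resource frontDoorProfile 'Microsoft.Cdn/profiles@2021-06-01' existing = {
  name: frontDoorProfileName
}

// Reference the existing Function App (a Microsoft.Web/sites resource).
resource functionApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: functionAppName
}

// Access restrictions live in the site's 'web' configuration.
resource functionAppAccess 'Microsoft.Web/sites/config@2022-03-01' = {
  parent: functionApp
  name: 'web'
  properties: {
    ipSecurityRestrictions: [
      {
        name: 'AllowOnlyThisFrontDoor' // assumed rule name
        priority: 100
        action: 'Allow'
        // Source must be the Front Door backend address space...
        tag: 'ServiceTag'
        ipAddress: 'AzureFrontDoor.Backend'
        // ...and the request must carry this profile's ID. The service tag
        // alone would also admit other tenants' Front Door profiles.
        headers: {
          'x-azure-fdid': [
            frontDoorProfile.properties.frontDoorId
          ]
        }
      }
    ]
  }
}
```

Once an Allow rule is present, App Service denies requests that match no rule, so the direct function URL should stop answering while the FrontDoor endpoint keeps working.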