
I am trying to deploy Azure Front Door Premium with a Web Application Firewall attached. I can create the Front Door both manually and via Bicep. However, when I try to attach the WAF via Bicep, I am not sure whether it is fully working.

My Bicep resource for the WAF looks like this:

resource profiles_gbt_nprod_sandbox_FrontDoorTest_name_AzureFDTest_ac196269 'Microsoft.Cdn/profiles/securitypolicies@2020-09-01' = {
  parent: profiles_gbt_nprod_sandbox_FrontDoorTest_name_resource
  name: 'AzureFDTest-ac196269'
  properties: {
    parameters: {
      wafPolicy: {
        id: frontdoorwebapplicationfirewallpolicies_AzureFDTest_externalid
      }
      associations: [
        {
          domains: [
            {
              id: profiles_gbt_nprod_sandbox_FrontDoorTest_name_TestFDEndpoint.id
            }
          ]
          patternsToMatch: [
            '/*'
          ]
        }
      ]
      type: 'WebApplicationFirewall'
    }
  }
}

Regarding AzureFDTest-ac196269: I created the Front Door via Bicep, then attached the AzureFDTest policy manually, and that generated this name.

When it runs, in Endpoint Manager it looks as if it is connected to the Front Door: [screenshot]

But when I click on the AzureFDTest WAF policy, it looks like this: [screenshot]

and AzureFDTest is not listed. If I were to attach the WAF manually, this dropdown would show AzureFDTest. Is this still working as expected, or is there a problem with how I have written the resource?

1 Answer

You can attach Azure Front Door Premium to a WAF in Bicep through a security policy, as follows:

var frontdoorName = 'frontDoor'
var frontDoorSkuName = 'Premium_AzureFrontDoor'
var endpointName = 'endpoint'
var wafPolicyName = 'wafPolicy'
var securityPolicyName = 'securityPolicy'
param tags object

// Front Door CDN profile
resource profile 'Microsoft.Cdn/profiles@2020-09-01' = {
  name: frontdoorName
  location: 'global'
  sku: {
    name: frontDoorSkuName
  }
  tags: tags
}

// Azure Front Door endpoint
resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2020-09-01' = {
  parent: profile
  name: endpointName
  location: 'Global'
  tags: tags
  properties: {
    originResponseTimeoutSeconds: 60
    enabledState: 'Enabled'
  }
}

// WAF policy using Azure managed rule sets
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2020-11-01' = {
  name: wafPolicyName
  location: 'global'
  tags: tags
  sku: {
    name: frontDoorSkuName
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '1.1'
        }
        {
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
  }
}

// Security policy for Front Door which defines the WAF policy linking
resource securityPolicy 'Microsoft.Cdn/profiles/securityPolicies@2020-09-01' = {
  parent: profile
  name: securityPolicyName
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: {
        id: wafPolicy.id
      }
      associations: [
        {
          domains: [
            {
              id: endpoint.id
            }
          ]
          patternsToMatch: [
            '/*'
          ]
        }
      ]
    }
  }
}

There is also an azure-quickstart-template available for this scenario:

Front Door Premium with Web Application Firewall and Microsoft-managed rule sets

Answered 2022-02-13T00:11:31.607
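As an added example, not part of the question or the answer above: a post-deployment check in Python that audits whether each Front Door endpoint is actually associated, through a security policy, with an enabled WAF policy running in Prevention mode. It runs on constructed data shaped like the ARM properties the Bicep above deploys; the resource IDs are placeholders, and how you fetch the live resource JSON (for example from the CLI) is left to you.

```python
from typing import Dict, List

# Constructed sample shaped like the ARM properties the Bicep above deploys
# (Microsoft.Cdn/profiles/securityPolicies, FrontDoorWebApplicationFirewallPolicies).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-fd"
ENDPOINTS = [f"{SUB}/providers/Microsoft.Cdn/profiles/frontDoor/afdEndpoints/endpoint",
             f"{SUB}/providers/Microsoft.Cdn/profiles/frontDoor/afdEndpoints/api"]
WAF_ID = f"{SUB}/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/wafPolicy"
SECURITY_POLICIES = [{"name": "securityPolicy", "properties": {"parameters": {
    "type": "WebApplicationFirewall",
    "wafPolicy": {"id": WAF_ID.lower()},  # casing differs on purpose: ARM IDs are case-insensitive
    "associations": [{"domains": [{"id": ENDPOINTS[0].upper()}], "patternsToMatch": ["/*"]}],
}}}]
WAF_POLICIES = {WAF_ID: {"policySettings": {"enabledState": "Enabled", "mode": "Prevention"}}}


def waf_coverage(endpoints: List[str], security_policies: List[dict],
                 waf_policies: Dict[str, dict]) -> Dict[str, List[str]]:
    """Per endpoint ID, the list of findings; empty means an enabled Prevention-mode WAF covers '/*'."""
    waf_by_id = {k.lower(): v for k, v in waf_policies.items()}  # ARM IDs compare case-insensitively
    wanted = {e.lower(): e for e in endpoints}
    findings: Dict[str, List[str]] = {e: [] for e in endpoints}
    seen = set()
    for sp in security_policies:
        params = sp["properties"]["parameters"]
        if params.get("type") != "WebApplicationFirewall":
            continue
        name, waf = sp["name"], waf_by_id.get(params["wafPolicy"]["id"].lower())
        for assoc in params["associations"]:
            for domain in assoc["domains"]:
                ep = wanted.get(domain["id"].lower())
                if ep is None:
                    continue  # association targets an endpoint outside this audit
                seen.add(ep)
                if waf is None:
                    findings[ep].append(f"{name}: wafPolicy.id matches no WAF policy")
                    continue
                settings = waf["policySettings"]
                if settings.get("enabledState") != "Enabled":
                    findings[ep].append(f"{name}: WAF policy is disabled")
                if settings.get("mode") != "Prevention":
                    findings[ep].append(f"{name}: WAF mode is {settings.get('mode')}, not Prevention")
                if "/*" not in assoc.get("patternsToMatch", []):
                    findings[ep].append(f"{name}: patternsToMatch does not cover '/*'")
    for ep in endpoints:
        if ep not in seen:
            findings[ep].append("no security policy associates a WAF with this endpoint")
    return findings
```

With the sample data the first endpoint comes back clean despite the mismatched ID casing, while the second endpoint is reported as unprotected because no security policy references it.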