Azure WAF on Frontdoor

Hello @Amien Mahri ,

Azure Web Application Firewall (WAF) on Azure Front Door provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Basically, WAF enabled web applications inspect every incoming request delivered by Front Door at the network edge and acts as per the configured mode:
Detection mode: When run in detection mode, WAF doesn't take any other actions other than monitors and logs the request and its matched WAF rule to WAF logs.
Prevention mode: In prevention mode, WAF takes the specified action if a request matches a rule. If a match is found, no further rules with lower priority are evaluated. Any matched requests are also logged in the WAF logs.
Refer : https://video2.skills-academy.com/en-us/azure/web-application-firewall/afds/afds-overview

So it is all about the incoming requests to your app and is not related to the port it is listening on.

May I know what is it that you are looking for exactly?

Thanks,
Gita

In most, if not all, cases, WAF does NOT work across every single port i.e 0-65535. So question is if i have a bespoke app listening on a non-standard port, will the WAF protection kick in or will it just pass it through. Stupid example is what if i am using SSH, will Frontdoor do a WAF inspection.
Also, see link below talking about the fact that only port 80 and 443 is supported.

https://feedback.azure.com/forums/217313-networking/suggestions/40966483-azure-frontdoor-support-for-custom-ports

Hello @Amien Mahri ,

WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
WAF will not provide inbound protection for non-HTTP/S protocols such as SSH.

In case you need such protection, I would recommend you to check Azure Firewall. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

Thanks,
Gita

Thanks Gita,
So in summary, ALL HTTP/S traffic, irrespective of the port number, will be protected by Frontdoor WAF with exactly the same capability as if they were using ports 80 and 443.
Is this a guarantee?

Hello @Amien Mahri ,

I would like to know how exactly would be accessing your application?

As long as the application is being accessed on HTTP (port 80) or HTTPS (port 443), WAF will protect these requests. If the request comes on any other port or protocol, it will be dropped by WAF at the edge. Only port 80 and 443 traffic can be passed from the FrontDoor to the backend. The backend can be any publicly accessible web application.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,
Gita