Tags: azure, azure-bicep, azure-front-door, azure-waf

Make WAF policy to only allow Azure Load Testing or Azure Services


I have Azure Front Door Standard, with Front Door WAF Policy. I have created one WAF custom rule to accept traffic only from Denmark. It works fine.

Now we need to run Azure Load Testing, which hits the endpoint domain of the Front Door. Azure Load Testing runs from Sweden Central and cannot access the endpoint because of the WAF custom rule. The test fails because it is not allowed, so the only way to fix this is by adding Sweden to the custom rule.

I have the same issue when I run an availability test from 5 regions: I need to open up access for those 5 Azure regions.

My question: is there a way to allow the Azure Load Testing service from Sweden and let the Availability Test from 5 regions bypass the firewall without granting public access to all of Sweden and the other 5 countries?

Here is the current working custom rule:

// Parameters referenced by the resource, declared here so the snippet deploys on its own.
param frontDoorFWPolicyName string
param frontDoorSkuName string = 'Standard_AzureFrontDoor' // must match the Front Door profile SKU
param tags object = {}

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2024-02-01' = {
  name: frontDoorFWPolicyName
  tags: tags
  sku: {
    name: frontDoorSkuName
  }
  location: 'global'
  properties: {
    policySettings: {
      mode: 'Prevention'            // matching requests are blocked, not just logged
      requestBodyCheck: 'Enabled'
      enabledState: 'Enabled'
    }
    customRules: {
      rules: [
        {
          // Geo-filter: block any request whose source country is NOT in matchValue.
          name: 'GeoLocation'
          action: 'Block'
          matchConditions: [
            {
              matchValue: [
                'DK', 'SE'
              ]
              matchVariable: 'SocketAddr'   // TCP source address as seen by the WAF
              operator: 'GeoMatch'
              negateCondition: true         // condition holds when the country is NOT listed
            }
          ]
          priority: 100
          ruleType: 'MatchRule'
        }
      ]
    }
    managedRules: {
      managedRuleSets: []   // no managed (OWASP/bot) rule sets; custom rules only
    }
  }
}

Update

Concept of solution:

I would prefer not to add Azure IP addresses manually. If this is not feasible, come up with a creative solution.


Solution

  • As mentioned in the comments above, it is not possible by default, so this is the way I solved it. Regarding the Load Testing, my only choice was to allow Sweden. Regarding availability tests from other regions, I added a RequestUri rule with a unique reference before my country rule. Here is a working example:

    // Fragment of the `properties` block of the WAF policy resource shown in the question.
    // Custom rules are evaluated in ascending priority order; the first rule whose
    // conditions all match decides, so the Allow rule must have the lower number.
    customRules: {
      rules: [
        {
          // Allow probes from the availability-test regions, but only when the request
          // URI carries the unique reference (alertRequestId is a parameter of the template).
          name: 'AllowSpecificCountriesWithSpecificValueInUrl'
          action: 'Allow'
          matchConditions: [
            {
              matchVariable: 'RequestUri'
              operator: 'Contains'
              matchValue: [
                alertRequestId
              ]
            }
            {
              matchVariable: 'RemoteAddr'
              operator: 'GeoMatch'
              matchValue: [
                'NL'
                'IE'
                'FR'
                'GB'
                'SE'
              ]
            }
          ]
          priority: 10
          ruleType: 'MatchRule'
        }
        {
          // Everything that did not match above and is not from DK or SE is blocked.
          name: 'GeoLocation'
          action: 'Block'
          matchConditions: [
            {
              matchValue: [
                'DK'
                'SE'
              ]
              matchVariable: 'SocketAddr'
              operator: 'GeoMatch'
              negateCondition: true
            }
          ]
          priority: 100
          ruleType: 'MatchRule'
        }
      ]
    }
    

    If things change in the future or I get a better answer, I will share.
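The following is an added example, not code from the question or the answer above: an offline model of how Front Door evaluates the two custom rules in the posted solution, so the ordering argument ("the RequestUri rule before the country rule") can be checked request by request without deploying anything. It assumes the documented semantics (rules evaluated in ascending priority, all match conditions of a rule ANDed, first match decides, no match falls through to the managed rules and origin, modelled here as Allow). `GEO_TABLE` is a constructed stand-in for the real GeoIP lookup, and `ALERT_REQUEST_ID` is a hypothetical value for the template's `alertRequestId` parameter.

```python
"""Offline model of Azure Front Door WAF custom-rule evaluation (added example).

Semantics modelled: rules run in ascending priority order; every matchCondition
of a rule must hold (AND); the first matching rule decides with its action; a
request that matches no custom rule falls through to the managed rule sets and
the origin, modelled here as 'Allow'. GEO_TABLE is a constructed stand-in for
the real GeoIP lookup; ALERT_REQUEST_ID is a hypothetical `alertRequestId`.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed GeoIP stand-in: address prefix -> ISO 3166-1 alpha-2 country code.
GEO_TABLE = {"10.1.": "DK", "10.2.": "SE", "10.3.": "NL", "10.4.": "US"}

# Hypothetical probe token standing in for the template's `alertRequestId` parameter.
ALERT_REQUEST_ID = "a7c1e3f0-availability-probe"


def geo_lookup(ip: str) -> str:
    """Map an address to a country code; 'ZZ' (unknown) matches no country list."""
    for prefix, country in GEO_TABLE.items():
        if ip.startswith(prefix):
            return country
    return "ZZ"


@dataclass(frozen=True)
class Request:
    remote_addr: str   # client address; SocketAddr and RemoteAddr coincide in this model
    uri: str           # path plus query string


@dataclass(frozen=True)
class Condition:
    match_variable: str            # 'RemoteAddr' | 'SocketAddr' | 'RequestUri'
    operator: str                  # 'GeoMatch' | 'Contains'
    match_value: tuple[str, ...]
    negate: bool = False           # negateCondition

    def matches(self, req: Request) -> bool:
        if self.match_variable in ("RemoteAddr", "SocketAddr") and self.operator == "GeoMatch":
            hit = geo_lookup(req.remote_addr) in self.match_value
        elif self.match_variable == "RequestUri" and self.operator == "Contains":
            hit = any(token in req.uri for token in self.match_value)
        else:
            raise ValueError(f"unsupported pair {self.match_variable}/{self.operator}")
        return not hit if self.negate else hit


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str                    # 'Allow' | 'Block'
    conditions: tuple[Condition, ...]

    def matches(self, req: Request) -> bool:
        return all(c.matches(req) for c in self.conditions)


def evaluate(rules: list[Rule], req: Request) -> tuple[str, str]:
    """Return (action, rule name); ('Allow', 'default') when no custom rule matched."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.action, rule.name
    return "Allow", "default"


# The two custom rules from the posted solution, with the same priorities.
POLICY = [
    Rule("AllowSpecificCountriesWithSpecificValueInUrl", 10, "Allow", (
        Condition("RequestUri", "Contains", (ALERT_REQUEST_ID,)),
        Condition("RemoteAddr", "GeoMatch", ("NL", "IE", "FR", "GB", "SE")),
    )),
    Rule("GeoLocation", 100, "Block", (
        Condition("SocketAddr", "GeoMatch", ("DK", "SE"), negate=True),
    )),
]


def decide(remote_addr: str, uri: str, rules: list[Rule] = POLICY) -> tuple[str, str]:
    return evaluate(rules, Request(remote_addr, uri))


def with_priority(rules: list[Rule], name: str, priority: int) -> list[Rule]:
    """Copy of the policy with one rule's priority changed, to show that ordering matters."""
    return [Rule(r.name, priority if r.name == name else r.priority, r.action, r.conditions)
            for r in rules]


if __name__ == "__main__":
    probe = f"/api/health?id={ALERT_REQUEST_ID}"
    for addr, uri in [("10.1.0.5", "/"), ("10.2.0.5", "/"), ("10.3.0.5", "/"),
                      ("10.3.0.5", probe), ("10.4.0.5", probe)]:
        print(f"{geo_lookup(addr)} {uri:<45} -> {decide(addr, uri)}")
    # With the Block rule at a lower number, the probe from NL never reaches the Allow rule.
    print("block-first:", decide("10.3.0.5", probe, with_priority(POLICY, "GeoLocation", 5)))
```

Two things the model makes visible that the Bicep alone does not. First, the reference in the URI is effectively a shared secret: any client located in NL, IE, FR, GB or SE that learns the value (it will appear in access logs, proxies and browser history) is allowed through, so it should be treated and rotated like a credential rather than an opaque ID. Second, the real WAF distinguishes `SocketAddr` (TCP source address) from `RemoteAddr` (client address derived from forwarding headers); the model treats them as the same value, which is the simple case of a client connecting directly to Front Door.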