I have Azure Front Door Standard, with Front Door WAF Policy. I have created one WAF custom rule to accept traffic only from Denmark. It works fine.
Now we need to make Azure Load Testing, which hits the endpoint domain to the Front Door, The Azure Load Testing is running from Sweden Central and can not access the endpoint because of the WAF custom rule. The test fails because it is not allowed, so the only way to fix this is by adding Sweden to the custom rule.
I have the same issue also when I make an availability test from 5 regions, I need to open for 5 Azure regions to allow access.
My Question: is there a way to allow Azure Load Testing service from Sweden and let Avibiliy Test from 5 regions bypass the firewall without allowing All Sweden public and the other 5 countries public access?
Here is the current working custom rule:
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2024-02-01' = {
name: frontDoorFWPolicyName
tags: tags
sku: {
name: frontDoorSkuName
}
location: 'global'
properties: {
policySettings: {
mode: 'Prevention'
requestBodyCheck: 'Enabled'
enabledState: 'Enabled'
}
customRules: {
rules: [
{
name: 'GeoLocation'
action: 'Block'
matchConditions: [
{
matchValue: [
'DK', 'SE'
]
matchVariable: 'SocketAddr'
operator: 'GeoMatch'
negateCondition: true
}
]
priority: 100
ruleType: 'MatchRule'
}
]
}
managedRules: {
managedRuleSets: []
}
}
}
Update
Concept of solution:
I do not prefer adding Azure IP addresses manually. If this is not feasible, come up with a creative solution.
As mentioned in the comments above it is not possible by default, so the way I solved it. Regarding the Load Testing, my only choice was to allow Sweden. Regarding availability tests from other regions, I added a RequestUri
with a unique reference role before my country role. and here is a working example:
customRules: {
rules: [
{
name: 'AllowSpecificCountriesWithSpecificValueInUrl'
action: 'Allow'
matchConditions: [
{
matchVariable: 'RequestUri'
operator: 'Contains'
matchValue: [
alertRequestId
]
}
{
matchVariable: 'RemoteAddr'
operator: 'GeoMatch'
matchValue: [
'NL'
'IE'
'FR'
'GB'
'SE'
]
}
]
priority: 10
ruleType: 'MatchRule'
}
{
name: 'GeoLocation'
action: 'Block'
matchConditions: [
{
matchValue: [
'DK'
'SE'
]
matchVariable: 'SocketAddr'
operator: 'GeoMatch'
negateCondition: true
}
]
priority: 100
ruleType: 'MatchRule'
}
]
}
If in future things change or I get a better answer, I will share.