How to restrict access from other countries by Geo filtering while setting a custom host with Azure Front Door and setting up SSL.
Introduction
I tried the Geo Filtering feature of Azure Front Door, so here is how to set it up.
I will also show how to use a custom host.
I will not describe the features of Front Door themselves.
Please refer to the following.
One thing to note: Front Door cannot integrate with a VNet.
Therefore, services that do not have a public IP address cannot be used as the backend.
This time the backend is a Web App.
Create Front Door
Create and confirm Front Door
Detailed creation method
Make sure you can access it without problems.
Setting up a custom host
To set up a custom host, open the Front Door designer and click “+” on Frontend hosts.
Next we set up the custom host. However, an error occurs because the CNAME is not yet set.
The target DNS record must be created in advance.
After the DNS setup, set up the custom host again.
If you access with the custom host name right after this setting, an error occurs.
Here, you need to change the routing rule setting.
By default, only the domain assigned by Azure is accepted, so other host names cannot be accessed.
Open the Front Door designer and change the Routing rules.
Change the frontend host to the custom host you assigned.
It is also possible to select both. (We will enable both, since we also set up SSL later.)
Check that access works with the custom host.
Set up SSL for custom host
Create the SSL certificate in Key Vault, because Front Door retrieves it from there.
Register the service principal in Azure AD with PowerShell. The application ID below is a fixed value.
New-AzureRmADServicePrincipal -ApplicationId "ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037"
Open the Key Vault access policies and add the principal.
Search for “ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037”.
Microsoft.Azure.Frontdoor appears; register this principal.
Set the Secret permissions to Get.
Make sure that it was added.
Register the certificate. The documentation says only certificates without a password are supported, but it worked without problems even with a password set.
Open Front Door designer and open the custom host you added.
Then change Custom Domain HTTPS to Enable.
Select “Use my own certificate” and choose the Key vault, Secret, and Secret Name.
The setting is complete with the above, but it takes about 20 minutes for the change to take effect.
Confirm that it is displayed.
Geo filtering
I will proceed with reference to the following, but because a custom host is used, some steps differ.
The settings are made with PowerShell.
First, add a module.
Install-Module -Name AzureRM
Install-Module PowerShellGet -Force -AllowClobber
Install-Module -Name AzureRM.FrontDoor
Next, set up in the following order so that only JP can be accessed.
Create a match condition → create a custom rule → create a WAF (firewall) policy → link the policy to each frontend host
$nonJPGeoMatchCondition = New-AzureRmFrontDoorMatchConditionObject -MatchVariable RemoteAddr -OperatorProperty GeoMatch -NegateCondition $true -MatchValue "JP"
$nonJPBlockRule = New-AzureRmFrontDoorCustomRuleObject -Name "geoFilterRule" -RuleType MatchRule -MatchCondition $nonJPGeoMatchCondition -Action Block -Priority 1
$geoPolicy = New-AzureRmFrontDoorFireWallPolicy -Name "geoPolicyAllowJPOnly" -resourceGroupName envdemo -Customrule $nonJPBlockRule -Mode Prevention -EnabledState Enabled
$geoFrontDoorObjectExample = Get-AzureRmFrontDoor -ResourceGroupName envdemo
The default host (the azurefd.net host) is FrontendEndpoints[0]; assign the policy to it as follows.
$geoFrontDoorObjectExample[0].FrontendEndpoints[0].WebApplicationFirewallPolicyLink = $geoPolicy.Id
Set-AzureRmFrontDoor -InputObject $geoFrontDoorObjectExample[0]
FriendlyName : envdemo
RoutingRules : {rule1}
BackendPools : {backend}
HealthProbeSettings : {healthProbeSettings-1546674295002}
LoadBalancingSettings : {loadBalancingSettings-1546674295003}
FrontendEndpoints : {envdemo-azurefd-net, frontdoor-shinagawa-cloud}
EnabledState : Enabled
ResourceState : Enabled
ProvisioningState : Succeeded
Cname :
Tags : {}
Id : /subscriptions/xxxxxxxx-0222-40a0-99c1-xxxxxxxxxxxx/resourcegroups/envdemo/providers/Microsoft.Network/frontdoors/envdemo
Name : envdemo
Type : Microsoft.Network/frontdoors
The custom host is FrontendEndpoints[1]; assign the policy to it in the same way.
$geoFrontDoorObjectExample[0].FrontendEndpoints[1].WebApplicationFirewallPolicyLink = $geoPolicy.Id
Set-AzureRmFrontDoor -InputObject $geoFrontDoorObjectExample[0]
FriendlyName : envdemo
RoutingRules : {rule1}
BackendPools : {backend}
HealthProbeSettings : {healthProbeSettings-1546674295002}
LoadBalancingSettings : {loadBalancingSettings-1546674295003}
FrontendEndpoints : {envdemo-azurefd-net, frontdoor-shinagawa-cloud}
EnabledState : Enabled
ResourceState : Enabled
ProvisioningState : Succeeded
Cname :
Tags : {}
Id : /subscriptions/xxxxxxxx-0222-40a0-99c1-xxxxxxxxxxxx/resourcegroups/envdemo/providers/Microsoft.Network/frontdoors/envdemo
Name : envdemo
Type : Microsoft.Network/frontdoors
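The whole geo-filtering procedure as one script, added here as an example and not taken from the original post. It uses the same cmdlets as above, but links the policy to every frontend host in a loop instead of hard-coding FrontendEndpoints[0] and [1], and then reports which hosts are protected. It assumes the resource group and Front Door are both named envdemo (as in the output above), that you are already logged in, and that -MatchValue accepts an array of country codes (an assumption beyond the single "JP" value used on the page).

```powershell
# Added example (not from the original post): JP-only geo filter applied to
# all frontend hosts of a Front Door. Assumes AzureRM.FrontDoor is installed
# and Login-AzureRmAccount has been run.
param(
    [string]$ResourceGroup = "envdemo",          # from the post
    [string]$FrontDoorName = "envdemo",          # from the post
    [string]$PolicyName    = "geoPolicyAllowJPOnly",
    # Countries that stay reachable; everything else is blocked.
    # Assumption: -MatchValue accepts an array of ISO country codes.
    [string[]]$AllowedCountries = @("JP")
)

# 1. Match condition: client address NOT in the allowed countries.
$cond = New-AzureRmFrontDoorMatchConditionObject -MatchVariable RemoteAddr `
    -OperatorProperty GeoMatch -NegateCondition $true -MatchValue $AllowedCountries

# 2. Custom rule: block when the condition matches (lower priority number runs first).
$rule = New-AzureRmFrontDoorCustomRuleObject -Name "geoFilterRule" -RuleType MatchRule `
    -MatchCondition $cond -Action Block -Priority 1

# 3. WAF policy in Prevention mode; Detection mode would only log, not block.
$policy = New-AzureRmFrontDoorFireWallPolicy -Name $PolicyName `
    -resourceGroupName $ResourceGroup -Customrule $rule -Mode Prevention -EnabledState Enabled

# 4. Link the policy to ALL frontend hosts (azurefd.net host and every custom host),
#    so no host is left without the filter.
$fd = Get-AzureRmFrontDoor -ResourceGroupName $ResourceGroup |
      Where-Object { $_.Name -eq $FrontDoorName }
if (-not $fd) { throw "Front Door '$FrontDoorName' not found in '$ResourceGroup'" }
foreach ($ep in $fd.FrontendEndpoints) {
    $ep.WebApplicationFirewallPolicyLink = $policy.Id
}
Set-AzureRmFrontDoor -InputObject $fd | Out-Null

# 5. Re-read and report which hosts carry the policy (takes ~5 minutes to take effect).
$fd = Get-AzureRmFrontDoor -ResourceGroupName $ResourceGroup |
      Where-Object { $_.Name -eq $FrontDoorName }
$fd.FrontendEndpoints | ForEach-Object {
    [pscustomobject]@{
        Host      = $_.Name
        Protected = ($_.WebApplicationFirewallPolicyLink -eq $policy.Id)
    }
}
```

Run it again after adding a new custom host and the loop picks that host up too, which the indexed form in the post does not.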
It takes about 5 minutes for the setting to take effect.
Confirm from outside Japan, for example via a VPN, that access is blocked.
This completes the setting.
Note that when the backend is a Web App, it can still be reached directly via its original URL (the URL assigned by the Web App), which bypasses the geo filter.
I think it is necessary to add processing such as redirecting to Front Door’s domain.
Summary
I think that Geo filtering can be used in various scenarios, such as when you want to avoid GDPR, or for campaign sites.
It is still in preview, so it is a service worth watching for how its features expand.
Original Content (Japanese) : http://level69.net/archives/26245