I created a Standard tier Front Door with the necessary Azure WAF with default configurations. If I do this:
Test-NetConnection -ComputerName "<frontdoorurl>-dev-xxxxxx.z01.azurefd.net" -Port 80
ComputerName : <frontdoorurl>-dev-xxxxxx.z01.azurefd.net
RemoteAddress : xxxx:xxx:xx:x::xx
RemotePort : 80
InterfaceAlias : Ethernet 7
SourceAddress : xxxx:xxxx:xx:xxx:xxxx:xxxx:xxx:xxxx
TcpTestSucceeded : True
I am unable to block this permanently. I tried a rule set with a "Server port equals 80" condition, but there is no suitable action that blocks port 80 access entirely.
How do I block this permanently so that Test-NetConnection returns False? Or is there no way to block access to port 80 from outside?
P.S. I have tried asking ChatGPT. It tells me to use a Network Security Group and block port 80, but in the latest Azure Portal settings for Front Door no such provision exists.
2 Answers
Azure Front Door allows HTTPS requests by default, but you can restrict HTTP requests for each endpoint using routing rules.
NOTE: With the Front Door URL, Test-NetConnection will not return False, because Front Door will try to fetch the service responses frequently and, if they are not reachable, will send a message such as "Services are down."
Here is the way to restrict port 80 from Front Door.
Step 1:
Create a Front Door application with 2 backend pools and configure the routing rule as follows.
Step 2:
Update the routing rule so that both HTTP and HTTPS requests are allowed.
Verification:
When browsing the URL, both HTTP and HTTPS calls are allowed.
Step 3:
Now, to restrict the HTTP [80] port in the backend, update the routing rule to HTTPS only.
Step 4:
Save the Front Door settings.
Step 5:
Now only the HTTPS [443] port allows access to the application; port 80 is not allowed via the Front Door URL.
Note:
We need to restrict port 80 from both the application endpoint side and the server side. Otherwise, when we ping with Test-NetConnection, it will return True, because Front Door will give the response that the site is not reachable.
Backend Pool like this
because of this configuration
Azure Front Door consists of a distributed network of POPs (Points-of-Presence), and these listen on both port 80 and 443 on an Anycast IP, meaning you'll just get routed to whatever POP is closest to you. Your AFD endpoint will resolve to one of these Anycast IPs. You cannot block port 80 because these POPs handle more than just your site. There are numerous other customers that have sites hosted on these POPs and some are accepting HTTP, so port 80 is open. It's also needed for HTTP to HTTPS redirection. With respect to a TCP connection, the domain name is irrelevant, as we aren't at the HTTP layer yet.
You can always redirect traffic from HTTP to HTTPS, but these POPs are not in your control, unlike something like Application Gateway. With App Gateway, you can listen on whatever ports you want because it's not shared with other customers.
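As an added example (not code from either answer), here is the HTTPS-only route change from the first answer applied with the Az.Cdn cmdlets for Front Door Standard/Premium, followed by the check that actually reflects it: since the POP accepts the TCP handshake regardless, as the second answer explains, the verification is done at the HTTP layer rather than with Test-NetConnection. The resource group, profile, endpoint and route names are assumed placeholders; the redirect variant is also shown because the second answer mentions it.

```powershell
# Added example, not from the question or answers. Requires the Az.Cdn module and
# an authenticated session (Connect-AzAccount). Names below are placeholders.
$rg       = "rg-frontdoor-dev"      # assumed resource group
$profile  = "afd-profile-dev"       # assumed Front Door Standard/Premium profile
$endpoint = "afd-endpoint-dev"      # assumed endpoint
$route    = "default-route"         # assumed route name

# Variant A (what the first answer does in the portal): accept HTTPS only on the route.
# Plain-HTTP requests then match no route and get Front Door's error page, not your app.
Update-AzFrontDoorCdnRoute -ResourceGroupName $rg -ProfileName $profile `
    -EndpointName $endpoint -Name $route `
    -SupportedProtocol "Https" -HttpsRedirect "Disabled" -ForwardingProtocol "HttpsOnly"

# Variant B (the redirect the second answer mentions): keep answering on 80, but only
# with a redirect to https://, so nothing is ever served in clear text.
# Update-AzFrontDoorCdnRoute -ResourceGroupName $rg -ProfileName $profile `
#     -EndpointName $endpoint -Name $route `
#     -SupportedProtocol "Http","Https" -HttpsRedirect "Enabled" -ForwardingProtocol "HttpsOnly"

# Verification at the HTTP layer. A TCP test on port 80 keeps succeeding because the
# shared POP completes the handshake; only the HTTP response shows whether your
# content is still reachable over port 80.
function Test-AfdHttpExposure {
    param([Parameter(Mandatory)][string]$HostName)
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false      # we want to see a 301/307, not follow it
    $client = [System.Net.Http.HttpClient]::new($handler)
    try {
        $resp = $client.GetAsync("http://$HostName/").GetAwaiter().GetResult()
        $code = [int]$resp.StatusCode
        $loc  = "$($resp.Headers.Location)"
        if (($code -in 301,302,307,308) -and ($loc -like "https://*")) {
            return "REDIRECT: plain HTTP is bounced to $loc"
        }
        elseif ($code -ge 400) {
            return "REJECTED: HTTP answered $code; content is not served over port 80"
        }
        else {
            return "EXPOSED: HTTP answered $code; the route still accepts HTTP"
        }
    }
    finally { $client.Dispose() }
}

Test-AfdHttpExposure -HostName "<frontdoorurl>-dev-xxxxxx.z01.azurefd.net"
```

Run the function before and after the route update; the result line changes from EXPOSED to REJECTED (variant A) or REDIRECT (variant B) while TcpTestSucceeded on port 80 stays unchanged.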