Here we are in the portal. Let's start by implementing a Web Application Firewall policy for Azure Front Door. From create a resource, search for WAF. Go to Web Application Firewall. And create. This policy is for global WAF Front Door. Set the Front Door SKU to match the version that was implemented. Front Door for this example. Verify the subscription and create a new resource group. This example will use DemoFrontDoorRG. Give the policy a name. This example uses DemoFrontDoor. Set the location, Central US for this example. Leave the policy state as enabled and change the policy mode to prevention. This will enforce the policy.

Setting a new policy to prevention is fine for a demo but you may wanna leave it set to detection and monitor it first when deploying a new policy in production. Let's go to association next. We'll associate this policy to the Front Door instance when we deploy it. Select your Front Door instance and host. And click Add. Go to review + create. Create the policy once it's validated. This will take a minute to finish. I'll pause here and come back once it's done. That finished, let's go to the resource. Next, let's create a custom response code. This will replace the default 403 message users get when traffic is blocked. Go to policy settings in the policy. In the block response body, add the following HTML code. This will display a message that the user is blocked. The code azure-ref surrounded by double curly brackets will return a unique reference string in the response that matches the tracking references in the logs. Once that's entered, click save. We'll verify functionality shortly.

Before that, let's go to managed rules. Here we are in managed rules. We can select any of the rules and once selected, we get the option to enable or disable. Notice, this rule is set to the action block. If we go to change action, we can change it to allow, log or redirect. If we click redirect, it gives us a field for the redirect URL. Let's cancel. Next, go to assign. This is where we assign or change the default rule set. DefaultRuleSet_1.0 is selected. We can change that by selecting the dropdown. We have the option for the Microsoft_DefaultRuleSet and a preview rule set. Let's select the Microsoft rule set. By default, the new policy doesn't have bot protection enabled. To add it, select a bot protection option under additional rule sets. We'll select Microsoft_BotManagerRuleSet for this example. When selected, click Save. Now we have Microsoft_BotManagerRuleSet and Microsoft_DefaultRuleSet enabled.

Let's go to custom rules next. Before we create a custom rule, let's verify Front Door works from this computer by going to the Front Door URL. It shows the default website for our web app. That shows the website is running. Let's go back to the portal and from custom rules, we'll add a custom rule. Notice, this is a similar layout to the custom rules for an Application Gateway Web Application Firewall. To test our custom response, we'll create a rule that blocks traffic from the US. Give it a name, BlockUS, for this example, set the priority. 10 will work for this example. Set the match type to geolocation and leave the operation set to is. Select US from the country or region. Click add to add the rule. And click save to apply the rule. That applied. Let's see if that took effect.

Open up the Front Door URL. It may take a couple minutes for the change to replicate. Once replicated, you'll see the block message along with a reference ID. Good, the error message works. In production, that ID could be used to identify what rule is blocking the connection. Let's go back to custom rules. Let's modify this rule. There's no site hosted on this instance of Front Door yet. Maybe instead of a block message, we could send them to a more useful site. Let's change the rule name to RedirectUS. Leave the rest as is and go down to action. Instead of deny traffic, select redirect traffic. We'll use a much more helpful link for this example. Let's add the URL for cloudacademy.com. Update the rule and save the changes. That updated.

Let's try the Front Door URL again. Remember, it could take a couple minutes for the change to replicate. Now instead of an error message, US-based users are redirected to a different website. That is how to implement and associate a policy, create a custom response code and configure managed and custom rules in a Web Application Firewall policy for Azure Front Door.