@myreli

myreli/README.md Secret

Last active December 20, 2022 13:21
PoC Azure FrontDoor

Azure FrontDoor (+ Functions App)

PoC to connect to an Azure App securely through FrontDoor.

  1. Create a new resource group
  2. Deploy the template poc.bicep
  3. Access the demo exposed function efn${id} (200)
  4. Access the demo private function fn${id} (403)
  5. Access the demo private function through FrontDoor afd${id} (200)

Notes: https://garden.myreli.dev/41289/poc-azure-frontdoor

// Region for the regional resources; defaults to the resource group's location.
param location string = resourceGroup().location
// Base name of the protected Function App; the exposed demo app is 'e' + this name.
param appName string = 'fnapp${uniqueString(resourceGroup().id)}'
// Name of the Front Door endpoint (becomes <name>-<hash>.z01.azurefd.net style host).
param frontDoorEndpointName string = 'afd${uniqueString(resourceGroup().id)}'
// Azure Function App
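// Backing storage shared by both Function Apps (AzureWebJobsStorage and the
// content share). The account key is read with listKeys() below.
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: 'storageacc${uniqueString(resourceGroup().id)}'
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'Storage'
  properties: {
    // The connection strings built for the apps already use
    // DefaultEndpointsProtocol=https; enforce that on the account side too.
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    // Nothing in this PoC serves blobs anonymously.
    allowBlobPublicAccess: false
  }
}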
// Plan hosting both Function Apps. No sku is given, so the tier is whatever the
// resource provider defaults to — TODO confirm the intended tier (e.g. consumption).
resource hostingPlan 'Microsoft.Web/serverfarms@2022-03-01' = {
name: 'hpe${uniqueString(resourceGroup().id)}'
location: location
}
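// Demo Function App reachable directly from the internet (step 3 of the README
// expects a 200 here). It carries no IP restrictions by design; the transport
// hardening below matches the protected app so the two differ only in access rules.
resource exposedFunctionApp 'Microsoft.Web/sites@2022-03-01' = {
  name: 'e${appName}'
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: hostingPlan.id
    siteConfig: {
      appSettings: [
        // The storage account key is embedded in plain app settings here;
        // a Key Vault reference or identity-based storage access would keep it
        // out of the site configuration — left as-is for the PoC.
        {
          name: 'AzureWebJobsStorage'
          value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
        }
        {
          name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
          value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
        }
        {
          // Must be unique per app on a shared storage account: the protected app
          // already uses toLower(appName), so derive this one from this site's name.
          name: 'WEBSITE_CONTENTSHARE'
          value: toLower('e${appName}')
        }
        {
          // Runtime pins are old (v2 host, Node 10) — confirm against currently
          // supported versions before reusing this template outside the PoC.
          name: 'FUNCTIONS_EXTENSION_VERSION'
          value: '~2'
        }
        {
          name: 'WEBSITE_NODE_DEFAULT_VERSION'
          value: '~10'
        }
        {
          name: 'FUNCTIONS_WORKER_RUNTIME'
          value: 'node'
        }
      ]
      // Same transport settings as the protected app.
      ftpsState: 'Disabled'
      minTlsVersion: '1.2'
    }
    httpsOnly: true
  }
}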
// Azure Function App > Protected Function App
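// Protected Function App: only traffic that arrives through this template's
// Front Door profile is allowed (step 4 of the README expects a direct 403,
// step 5 a 200 via Front Door).
resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
  name: appName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: hostingPlan.id
    siteConfig: {
      appSettings: [
        // The storage account key is embedded in plain app settings here;
        // a Key Vault reference or identity-based storage access would keep it
        // out of the site configuration — left as-is for the PoC.
        {
          name: 'AzureWebJobsStorage'
          value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
        }
        {
          name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
          value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
        }
        {
          name: 'WEBSITE_CONTENTSHARE'
          value: toLower(appName)
        }
        {
          // Runtime pins are old (v2 host, Node 10) — confirm against currently
          // supported versions before reusing this template outside the PoC.
          name: 'FUNCTIONS_EXTENSION_VERSION'
          value: '~2'
        }
        {
          name: 'WEBSITE_NODE_DEFAULT_VERSION'
          value: '~10'
        }
        {
          name: 'FUNCTIONS_WORKER_RUNTIME'
          value: 'node'
        }
      ]
      ftpsState: 'Disabled'
      minTlsVersion: '1.2'
      ipSecurityRestrictions: [
        {
          // The service tag admits every Front Door backend, not just ours; the
          // X-Azure-FDID header match narrows it to this profile's frontDoorId.
          tag: 'ServiceTag'
          ipAddress: 'AzureFrontDoor.Backend'
          action: 'Allow'
          priority: 100
          headers: {
            'x-azure-fdid': [
              frontDoorProfile.properties.frontDoorId
            ]
          }
          name: 'Allow trafic from FrontDoor'
        }
      ]
      // Without this the SCM/Kudu site keeps its own (empty) restriction list
      // and stays reachable directly, bypassing the rule above.
      scmIpSecurityRestrictionsUseMain: true
    }
    httpsOnly: true
  }
}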
// Azure FrontDoor
// Front Door Standard profile; its frontDoorId is what the protected app's
// X-Azure-FDID header rule pins to.
resource frontDoorProfile 'Microsoft.Cdn/profiles@2021-06-01' = {
name: 'frontDoorProfile'
location: 'global'
sku: {
name: 'Standard_AzureFrontDoor'
}
}
// NOTE(review): nothing in this template references this plan (both sites use
// hostingPlan), so an S1 instance is deployed and billed without being used.
// Consider removing it, or pointing one of the sites at it.
resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
name: 'hp${uniqueString(resourceGroup().id)}'
location: location
sku: {
name: 'S1'
capacity: 1
}
kind: 'app'
}
// Public entry point; its host name is exported as frontDoorEndpointHostName.
resource frontDoorEndpoint 'Microsoft.Cdn/profiles/afdEndpoints@2021-06-01' = {
name: frontDoorEndpointName
parent: frontDoorProfile
location: 'global'
properties: {
enabledState: 'Enabled'
}
}
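// Origin group holding the single protected Function App origin.
resource frontDoorOriginGroup 'Microsoft.Cdn/profiles/originGroups@2021-06-01' = {
  name: 'frontDoorOriginGroupName'
  parent: frontDoorProfile
  properties: {
    loadBalancingSettings: {
      sampleSize: 4
      successfulSamplesRequired: 3
    }
    healthProbeSettings: {
      probePath: '/'
      probeRequestType: 'HEAD'
      // The origin has httpsOnly: true, so an HTTP probe is answered with a
      // redirect rather than a 2xx and the origin is reported unhealthy; probe
      // over HTTPS, matching the HttpsOnly forwarding on the route.
      probeProtocol: 'Https'
      probeIntervalInSeconds: 100
    }
  }
}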
// The protected Function App as the only origin. originHostHeader is set to the
// app's own host name so the request reaches the right site on the shared plan.
resource frontDoorOrigin 'Microsoft.Cdn/profiles/originGroups/origins@2021-06-01' = {
name: 'frontDoorOriginName'
parent: frontDoorOriginGroup
properties: {
hostName: functionApp.properties.defaultHostName
httpPort: 80
httpsPort: 443
originHostHeader: functionApp.properties.defaultHostName
priority: 1
weight: 1000
}
}
// Routes everything on the endpoint to the origin group; HTTP is accepted only
// to redirect it, and traffic to the origin is always forwarded over HTTPS.
resource frontDoorRoute 'Microsoft.Cdn/profiles/afdEndpoints/routes@2021-06-01' = {
name: 'frontDoorRouteName'
parent: frontDoorEndpoint
// The route references only the group, so the origin must be listed explicitly
// to be created before the route.
dependsOn: [
frontDoorOrigin
]
properties: {
originGroup: {
id: frontDoorOriginGroup.id
}
supportedProtocols: [
'Http'
'Https'
]
patternsToMatch: [
'/*'
]
forwardingProtocol: 'HttpsOnly'
linkToDefaultDomain: 'Enabled'
httpsRedirect: 'Enabled'
}
}
// Direct host name of the protected app (README step 4: expect 403 here).
output appServiceHostName string = functionApp.properties.defaultHostName
// Front Door host name in front of it (README step 5: expect 200 here).
output frontDoorEndpointHostName string = frontDoorEndpoint.properties.hostName