Governance Policies Azure Web Front Door - Azure/az-prototype GitHub Wiki
Governance policies for Front Door
Domain: azure-web
| Name | Description |
|---|---|
| Front Door Premium with WAF and private link | Global load balancer with WAF protection, private link origins, and HTTPS enforcement |
| Anti-pattern | Instead |
|---|---|
| Do not deploy Front Door without WAF policy | Always bind a WAF policy, via a security policy, to every Front Door endpoint and custom domain |
| Do not use HTTP for origin connections | Set the route's forwarding protocol to HTTPS only, keep origin certificate name checking enabled, and set `originHostHeader` to the name the origin's certificate is issued for; the TLS 1.2 minimum is configured on the client-facing custom domain |
| Check | Severity | Description |
|---|---|---|
| AZ-AFD-001 | Required | Deploy Azure Front Door Premium with managed identity, WAF policy, and end-to-end TLS |
| AZ-AFD-002 | Required | Enforce HTTPS-only with TLS 1.2 minimum and redirect HTTP to HTTPS |
| AZ-AFD-003 | Required | Use private link origins for backend connectivity (Premium SKU) |
| AZ-AFD-004 | Recommended | Configure caching rules with appropriate TTLs per content type |
Deploy Azure Front Door Premium with managed identity, WAF policy, and end-to-end TLS
Severity: Required
Rationale: Front Door is the global entry point; the WAF blocks common web attacks with managed rules derived from the OWASP Core Rule Set plus bot and rate-limit rules, while Front Door's edge absorbs network-layer DDoS; Premium is required for private link origins
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Cdn/profiles/afdEndpoints | afd-endpoint | Front Door endpoint for routing traffic |
| Microsoft.Cdn/profiles/securityPolicies | security-policy | WAF security policy association for the Front Door endpoint |
| Microsoft.Cdn/profiles/originGroups | origin-group | Origin group with health probes and load balancing configuration |
| Microsoft.Cdn/profiles/originGroups/origins | origin | Private link-enabled origin for secure backend connectivity (Premium SKU) |
| Microsoft.Insights/diagnosticSettings | diag-afd | Diagnostic settings for access logs, WAF logs, and health probe logs |
Enforce HTTPS-only with TLS 1.2 minimum and redirect HTTP to HTTPS
Severity: Required
Rationale: HTTP is cleartext, so traffic can be read or modified in transit; redirecting (rather than dropping) HTTP keeps existing links working while ensuring every request is served over TLS 1.2 or later
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
Use private link origins for backend connectivity (Premium SKU)
Severity: Required
Rationale: With a private link origin, Front Door reaches the backend over a private endpoint, so the backend can refuse all public inbound traffic and cannot be reached by bypassing the WAF
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
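The following Bicep is an added example, not code from the az-prototype wiki, showing what AZ-AFD-001, AZ-AFD-002 and AZ-AFD-003 look like when satisfied in one deployment: a Premium profile with a system-assigned identity, a Prevention-mode WAF bound through a security policy, a custom domain with TLS 1.2 as the minimum, an HTTPS-only route that redirects HTTP, and a private link origin with certificate name checking. The profile, endpoint, domain and origin names, the App Service hostname and the `originResourceId`/`originRegion` parameters are assumptions for illustration.

```bicep
// Added example (not from the az-prototype wiki). Names, hostnames and the
// origin resource id are placeholders; adjust them to the target environment.
param profileName string = 'afd-prototype'
param customHostName string = 'www.example.com'                 // assumed custom domain
param originHostName string = 'app-prototype.azurewebsites.net' // assumed App Service origin
param originResourceId string                                    // resource id of that App Service
param originRegion string = 'westeurope'                         // region of the origin

resource profile 'Microsoft.Cdn/profiles@2023-05-01' = {
  name: profileName
  location: 'global'
  sku: { name: 'Premium_AzureFrontDoor' }  // Premium is required for private link origins
  identity: { type: 'SystemAssigned' }     // lets Front Door read BYO certificates from Key Vault
}

// WAF policy in Prevention mode: managed default rule set (OWASP CRS based) plus bot rules
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'afdwaf${uniqueString(resourceGroup().id)}'  // WAF policy names must be alphanumeric
  location: 'Global'
  sku: { name: 'Premium_AzureFrontDoor' }
  properties: {
    policySettings: { enabledState: 'Enabled', mode: 'Prevention', requestBodyCheck: 'Enabled' }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'Microsoft_DefaultRuleSet', ruleSetVersion: '2.1', ruleSetAction: 'Block' }
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
    }
  }
}

resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' = {
  parent: profile
  name: 'afd-endpoint'
  location: 'global'
  properties: { enabledState: 'Enabled' }
}

// Custom domain: the client-facing minimum TLS version is enforced here
resource customDomain 'Microsoft.Cdn/profiles/customDomains@2023-05-01' = {
  parent: profile
  name: 'www-domain'
  properties: {
    hostName: customHostName
    tlsSettings: { certificateType: 'ManagedCertificate', minimumTlsVersion: 'TLS12' }
  }
}

resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: profile
  name: 'origin-group'
  properties: {
    loadBalancingSettings: { sampleSize: 4, successfulSamplesRequired: 3, additionalLatencyInMilliseconds: 50 }
    healthProbeSettings: { probePath: '/', probeProtocol: 'Https', probeRequestType: 'HEAD', probeIntervalInSeconds: 100 }
    sessionAffinityState: 'Disabled'
  }
}

// Private link origin: Front Door connects through a private endpoint it owns, so the
// App Service can deny all public inbound traffic. HTTPS only, certificate name checked.
resource origin 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
  parent: originGroup
  name: 'origin'
  properties: {
    hostName: originHostName
    originHostHeader: originHostName     // name the origin certificate is validated against
    httpsPort: 443
    enforceCertificateNameCheck: true
    priority: 1
    weight: 1000
    enabledState: 'Enabled'
    sharedPrivateLinkResource: {
      privateLink: { id: originResourceId }
      groupId: 'sites'                   // App Service sub-resource; differs per origin type
      privateLinkLocation: originRegion
      requestMessage: 'Front Door private link request'
    }
  }
}

// Route: HTTP is accepted only so it can be redirected; origins are reached over HTTPS only
resource route 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = {
  parent: endpoint
  name: 'default-route'
  properties: {
    originGroup: { id: originGroup.id }
    customDomains: [ { id: customDomain.id } ]
    patternsToMatch: [ '/*' ]
    supportedProtocols: [ 'Http', 'Https' ]
    httpsRedirect: 'Enabled'
    forwardingProtocol: 'HttpsOnly'
    linkToDefaultDomain: 'Enabled'
    enabledState: 'Enabled'
  }
  dependsOn: [ origin ]  // the origin group must contain an origin before a route can use it
}

// Security policy binds the WAF to both the default endpoint and the custom domain
resource securityPolicy 'Microsoft.Cdn/profiles/securityPolicies@2023-05-01' = {
  parent: profile
  name: 'security-policy'
  properties: {
    parameters: {
      type: 'WebApplicationFirewall'
      wafPolicy: { id: wafPolicy.id }
      associations: [ { domains: [ { id: endpoint.id }, { id: customDomain.id } ], patternsToMatch: [ '/*' ] } ]
    }
  }
}
```

Two things this template cannot do for you: the private link connection appears on the origin as a pending private endpoint connection and must be approved there (by a pipeline step or an owner) before health probes succeed, and the custom domain only becomes active after its DNS validation TXT record is published. Until both are done, the endpoint answers 4xx/5xx, which is the fail-closed behaviour you want. The diagnostic settings from the resource table (`diag-afd`) are deployed separately against the profile scope.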
Configure caching rules with appropriate TTLs per content type
Severity: Recommended
Rationale: Proper caching reduces origin load, improves latency, and lowers costs
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Cdn/profiles
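As an added example for AZ-AFD-004 (not code from the az-prototype wiki), the Bicep below shows per-content-type TTLs implemented as a rule set: fingerprinted static assets are cached for seven days regardless of origin headers, HTML honours the origin's `Cache-Control` and falls back to five minutes when the origin sends none. It assumes a Front Door Standard/Premium profile already exists under `profileName`; the rule set and rule names are assumptions.

```bicep
// Added example (not from the az-prototype wiki). Assumes the profile already exists.
param profileName string = 'afd-prototype'

resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
  name: profileName
}

resource cachingRules 'Microsoft.Cdn/profiles/ruleSets@2023-05-01' = {
  parent: profile
  name: 'cachingrules'  // rule set names must be alphanumeric
}

// Fingerprinted assets (app.3f9a.js etc.) never change under the same URL:
// cache 7 days regardless of origin headers, ignore query strings, compress.
resource staticAssets 'Microsoft.Cdn/profiles/ruleSets/rules@2023-05-01' = {
  parent: cachingRules
  name: 'StaticAssets'
  properties: {
    order: 1
    matchProcessingBehavior: 'Continue'
    conditions: [
      {
        name: 'UrlFileExtension'
        parameters: {
          typeName: 'DeliveryRuleUrlFileExtensionMatchConditionParameters'
          operator: 'Equal'
          negateCondition: false
          matchValues: [ 'css', 'js', 'woff2', 'png', 'svg', 'ico' ]
          transforms: [ 'Lowercase' ]
        }
      }
    ]
    actions: [
      {
        name: 'RouteConfigurationOverride'
        parameters: {
          typeName: 'DeliveryRuleRouteConfigurationOverrideActionParameters'
          cacheConfiguration: {
            cacheBehavior: 'OverrideAlways'
            cacheDuration: '7.00:00:00'     // [d.]hh:mm:ss
            isCompressionEnabled: 'Enabled'
            queryStringCachingBehavior: 'IgnoreQueryString'
          }
        }
      }
    ]
  }
}

// HTML changes on every deploy: trust the origin's Cache-Control, cap at 5 minutes if absent
resource htmlPages 'Microsoft.Cdn/profiles/ruleSets/rules@2023-05-01' = {
  parent: cachingRules
  name: 'HtmlPages'
  properties: {
    order: 2
    matchProcessingBehavior: 'Continue'
    conditions: [
      {
        name: 'UrlFileExtension'
        parameters: {
          typeName: 'DeliveryRuleUrlFileExtensionMatchConditionParameters'
          operator: 'Equal'
          negateCondition: false
          matchValues: [ 'html', 'htm' ]
          transforms: [ 'Lowercase' ]
        }
      }
    ]
    actions: [
      {
        name: 'RouteConfigurationOverride'
        parameters: {
          typeName: 'DeliveryRuleRouteConfigurationOverrideActionParameters'
          cacheConfiguration: {
            cacheBehavior: 'OverrideIfOriginMissing'
            cacheDuration: '00:05:00'
            isCompressionEnabled: 'Enabled'
            queryStringCachingBehavior: 'UseQueryString'
          }
        }
      }
    ]
  }
}
```

The rule set takes effect only once it is attached to a route through that route's `ruleSets` property. Leave caching off on the route itself so API and authenticated responses are never cached by default; the rules then enable caching only for the matched extensions, and the security-relevant mistake of serving one user's cached dynamic page to another is avoided by construction.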