How To – Enable Web Application Firewall Geomatch Custom Rules

At the end of July, Microsoft announced the general availability of geomatching via Custom Rules in Web Application Firewall. This is a feature I am quite fond of, and is excellent at reducing your attack surface. Thankfully, it’s also quite simple to implement!

First, what is Web Application Firewall (WAF)? Well it’s a service that provides protection for your web apps from common exploits and vulnerabilities. It can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDNN is preview for now). WAF allows for central management, meaning you can react to threats faster, instead of securing each individual web application. There are a couple of specific differences depending on the service you attach a WAF policy to, and you can read about them here.

WAF overview
Nice graphical explainer of WAF from Microsoft

Next, what are Custom Rules? As part of each WAF policy, you have to configure a set of standard rules, such as Prevention or Detection mode, and managed rules (OWASP). However, you can also create your own rules, and in WAF these are simply called Custom Rules (CR). A CR is made up of one or more conditions followed by an action. All CRs for a WAF policy are match rules. You can have multiple CRs per policy and they are processed in order of priority in a range of 1-100, with 1 being highest priority, or processed earliest.

Now that we have the foundation, let’s look at the geomatch option. This is available within your CR as a match Condition.

Create your CR with an appropriate name and priority, then choose ‘Geo location’ from the Match type drop down as above. Next, you’ll want to ensure you choose RemoteAddr as the match variable, and decide what logic you want to apply. By logic I mean the pattern that will fire the rule. In this example, I want all traffic except Ireland blocked. So I will choose the Operation ‘Is not’, then location Ireland, then Deny. If I wanted all traffic allowed and Ireland blocked, I would simply choose the Operation ‘Is’. I recommend figuring out your pattern then working your way through the final section of the CR.

So, based on my example with Ireland, my CR now looks like this:

Now most commonly, I would see a geomatch policy applied to an Application Gateway, but it can be applied to Front Door also. On of the nice features of a WAF policy when using it with Application Gateway is that you get association choices. This means you can be as granular as having different policies per listener, or even per path rule. Giving you huge flexibility when combined with CRs.

Finally, I have obviously shown you how to create this CR in the portal, but there are other methods, like Powershell. These can be very handy if you need to recreate a geomatch CR, especially if you have multiple conditions with many countries (there is a max of 10 per condition). Note, if using these methods, you need to use country codes, like IE, and these are all listed here.

And that’s it! You have your CR created and associated. WAFs take effect pretty quickly so you should be able to test within a couple of minutes. If you want to perform a simple verify, you can switch the action from Deny traffic to Allow and retest.

Finally, a nice tip when you’re happy with your configuration is to setup an alert against your WAF should there be a change made, or worse, deleted (apply resource locks people). This runs as a signal alert from Azure Monitor against an action group as per standard

That’s it for this post, as always, if you have any questions, please get in touch!

AZ-700: Designing and Implementing Microsoft Azure Networking Solutions – Study Guide

Updated: October 2021

Microsoft continues to expand it’s Azure exams and next on the list is AZ-700. This exam has just moved to GA in October 2021. Here is what Microsoft have to say about it:

Candidates for this exam should have subject matter expertise in planning, implementing, and maintaining Azure networking solutions, including hybrid networking, connectivity, routing, security, and private access to Azure services.

Candidates for this exam should also have expert Azure administration skills, in addition to extensive experience and knowledge of networking, hybrid connections, and network security.

If you pass the exam, it will count towards a new associate certification – Microsoft Certified: Azure Network Engineer Associate.

As always, a great place to start is Microsoft Learn. While there are no specific learning paths aligned to this exam as yet, there are many that cover Azure networking like this one or have a look at many others that include networking here. As always, these are free and you can work through them at your own pace. I find this a great way to study and gain greater understanding of the services by actually using them and you will need to be very familiar with Azure networking to pass this exam.

Below I’ve put together a collection of links relevant to the sections Microsoft have highlighted as being part of the skills measured for this exam. These are only guide links, sometimes you need to explore a topic much more deeply if you are not familiar with it. Hopefully these study materials will help guide you to successfully passing AZ-700!

Design, Implement, and Manage Hybrid Networking (10–15%)

Design, implement, and manage a site-to-site VPN connection

Design, implement, and manage a point-to-site VPN connection

Design, implement, and manage Azure ExpressRoute

Design and Implement Core Networking Infrastructure (20–25%)

Design and implement private IP addressing for VNets

Design and implement name resolution

Design and implement cross-VNet connectivity

Design and implement an Azure Virtual WAN architecture

Design and Implement Routing (25–30%)

Design, implement, and manage VNet routing

Design and implement an Azure Load Balancer

Design and implement Azure Application Gateway

Implement Azure Front Door

Implement an Azure Traffic Manager profile

Design and implement an Azure Virtual Network NAT

Secure and Monitor Networks (15–20%)

Design, implement, and manage an Azure Firewall deployment

Implement and manage network security groups (NSGs)

Implement a Web Application Firewall (WAF) deployment

Monitor networks

Design and Implement Private Access to Azure Services (10–15%)

Design and implement Azure Private Link service and Azure Private Endpoint

Design and implement service endpoints

Configure VNet integration for dedicated platform as a service (PaaS) services

Azure Spring Clean 2021

Back for another year, Azure Spring Clean returns this week to help with all of your Azure Management options. The event will run from today Monday 23rd through until Friday 26th.

Each day, there will be articles from the following blend of topics:

  • Azure Monitor
  • Azure Cost Management
  • Azure Policy
  • Azure Security Principles
  • Azure Foundations

All articles are community driven and are a mix of experience and technical detail. You may recognise some faces from last year, which is great to see as organisers. Conversely there are new contributors too which is equally great and inspiring to continue the event annually.

You can follow along with the event on Twitter, using #AzureSpringClean

For all of the latest relative to the event, head to the site – Azure Spring Clean

.

AZ-140: Configuring and Operating Microsoft Azure Virtual Desktop – Study Guide

Microsoft continues to expand it’s specialty exams and next on the list is AZ-140. This exam is brand new and should be available in March 2021. Here is what Microsoft have to say about it:

Candidates for this exam are administrators with subject matter expertise in planning, delivering, and managing virtual desktop experiences and remote apps, for any device, on Azure.

Responsibilities for this role include deploying virtual desktop experiences and apps to Azure. Professionals in this role deliver applications on Azure Virtual Desktop and optimize them to run in multi-session virtual environments. To deliver these experiences, they work closely with the Azure administrators and architects, along with Microsoft 365 Administrators.

Candidates for this exam should have experience in Azure technologies, including virtualization, networking, identity, storage, backups, resilience, and disaster recovery. They should understand on-premises virtual desktop infrastructure technologies as they relate to migrating to Azure Virtual Desktop. These professionals use the Azure portal and Azure Resource Manager templates to accomplish many tasks. This role may use PowerShell and Azure Command-Line Interface (CLI) for more efficient automation.

Candidates for this exam must have expert Azure administration skills.

If you pass the exam, it will count towards a new specialty certification – Microsoft Certified: Azure Virtual Desktop Specialty

As always, a great place to start is Microsoft Learn. There are several interactive learning modules specifically for AVD that are free that you can work through at your own pace. I find this a great way to study and gain greater understanding of the services by actually using them and you will need to be very familiar with Azure to pass this exam.

Below I’ve put together a collection of links relevant to the sections Microsoft have highlighted as being part of the skills measured for this exam. These are only guide links, sometimes you need to explore a topic much more deeply if you are not familiar with it. Hopefully these study materials will help guide you to successfully passing AZ-140!

Plan an Azure Virtual Desktop Architecture (10-15%)

Design the Azure Virtual Desktop architecture

Design for user identities and profiles

Implement an Azure Virtual Desktop Infrastructure (25-30%)

Implement and manage networking for Azure Virtual Desktop

Implement and manage storage for Azure Virtual Desktop

Create and configure host pools and session hosts

Create and manage session host images

Manage Access and Security (10-15%)

Manage access

Manage security

Manage User Environments and Apps (20-25%)

Implement and manage FSLogix

Configure user experience settings

Install and configure apps on a session host

Monitor and Maintain an Azure Virtual Desktop Infrastructure (20-25%)

Plan and implement business continuity and disaster recovery

Automate Azure Virtual Desktop management tasks

Monitor and manage performance and health

AZ-500 Microsoft Azure Security Technologies – Study Guide

Updated February 2021

Azure has a sole security focused exam, AZ-500 Microsoft Azure Security Technologies. Passing this single exam will allow you to earn a Microsoft Certified: Azure Security Engineer Associate certification.

So, if you’re interested and wondering if you should take this exam? Here is what Microsoft have to say:

Candidates for this exam are Microsoft Azure security engineers who implement security controls, maintain the security posture, manages identity and access, and protects data, applications, and networks. Candidates identify and remediate vulnerabilities by using a variety of security tools, implements threat protection, and responds to security incident escalations. As a Microsoft Azure security engineer, candidates often serve as part of a larger team dedicated to cloud-based management and security and may also secure hybrid environments as part of an end-to-end infrastructure.

Candidates for this exam should have strong skills in scripting and automation, a deep understanding of networking, virtualization, and cloud N-tier architecture, and a strong familiarity with cloud capabilities, Microsoft Azure products and services, and other Microsoft products and services.

Below, I’ve put together a collection of links relevant to the sections highlighted as being part of the skills measured for this exam. As always, these are only guide links, sometimes you need to explore a topic much more deeply if you are not familiar with it.

If you spot something, or have a better link for a topic, get in touch! I will update this post as regularly as possible and always appreciate any feedback.

A good place to start is the Azure Security Documentation page. This site includes most of the key concepts and services covered in this exam, as well as several best practice approaches you should consider.

Manage Identity and Access (30-35%)

Manage Azure Active Directory identities
Configure secure access by using Azure AD
Manage application access
Manage access control

Implement Platform Protection (15-20%)

Implement advanced network security
Configure advanced security for compute

Manage Security Operations (25-30%)

Monitor security by using Azure Monitor
Monitor security by using Azure Security Center
Monitor security by using Azure Sentinel
Configure Security Policies

Secure Data and Applications (20-25%)

Configure security for storage
Configure security for databases
Configure and manage Key Vault