Audit Front Door Access

Security · Front Door · 2020_06

Audit and monitor access through Front Door.

Description

To capture network activity through Front Door, diagnostic settings must be configured. When configuring diagnostics settings enable FrontdoorAccessLog logs.

Enable FrontdoorWebApplicationFirewallLog when web application firewall (WAF) policy is configured.

Management operations for Front Door is captured automatically within Azure Activity Logs.

Recommendation

Consider configuring diagnostics setting to log network activity through Front Door.

Examples

Configure with Azure template

To deploy a Front Door resource that passes this rule:

• Deploy a diagnostic settings sub-resource.
  • Enable logging for the FrontdoorAccessLog category.
  • Enable logging for the FrontdoorWebApplicationFirewallLog category.

For example:

Azure Template snippet

{
  "resources": [
    {
      "type": "Microsoft.Cdn/profiles",
      "apiVersion": "2021-06-01",
      "name": "[parameters('frontDoorName')]",
      "location": "Global",
      "sku": {
        "name": "Standard_AzureFrontDoor"
      }
    },
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2020-05-01-preview",
      "scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('frontDoorName'))]",
      "name": "service",
      "location": "[parameters('location')]",
      "properties": {
        "workspaceId": "[parameters('workSpaceId')]",
        "logs": [
          {
            "category": "FrontdoorAccessLog",
            "enabled": true
          },
          {
            "category": "FrontdoorWebApplicationFirewallLog",
            "enabled": true
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]"
      ]
    }
  ]
}

Configure with Bicep

To deploy a Front Door resource that passes this rule:

• Deploy a diagnostic settings sub-resource.
  • Enable logging for the FrontdoorAccessLog category.
  • Enable logging for the FrontdoorWebApplicationFirewallLog category.

For example:

Azure Bicep snippet

targetScope = 'resourceGroup'
resource frontDoorResource 'Microsoft.Cdn/profiles@2021-06-01' = {
  name: frontDoorName
  location: 'Global'
  sku: {
    name: 'Standard_AzureFrontDoor'
  }
}

resource frontDoorInsightsResource 'Microsoft.Insights/diagnosticSettings@2020-05-01-preview' = {
  name: 'frontDoorInsights'
  scope: frontDoorResource
  location: 'Global'
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'FrontdoorAccessLog'
        enabled: true
      }
      {
        category: 'FrontdoorWebApplicationFirewallLog'
        enabled: true
      }
    ]
  }
}

Links

• Monitoring metrics and logs in Azure Front Door Service
• Create a Front Door Standard/Premium using Bicep
• Security logs and alerts using Azure services

---

Last update: 2022-09-21

Comments