I want to apply a geo filter to Azure Front Door for countries that are outside of the US.
I've applied a WAF policy (following the Microsoft docs), but I'm not getting the desired result. All traffic appears to be denied. If I try a different country code, all traffic seems to be allowed.
Here's an example of a deny policy I'm trying to get working. If I apply this rule and test via locabrowser, the traffic is allowed.
I'm testing this theory by using locabrowser to simulate traffic from different locations.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "frontdoorwebapplicationfirewallpolicies_DenyChinaWafPolicy_name": {
      "defaultValue": "DenyChinaWafPolicy",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
      "apiVersion": "2018-08-01",
      "name": "[parameters('frontdoorwebapplicationfirewallpolicies_DenyChinaWafPolicy_name')]",
      "location": "Global",
      "properties": {
        "policySettings": {
          "enabledState": "Enabled",
          "mode": "Prevention"
        },
        "customRules": {
          "rules": [
            {
              "name": "geoFilterRule",
              "priority": 1,
              "ruleType": "MatchRule",
              "rateLimitDurationInMinutes": 1,
              "rateLimitThreshold": 0,
              "matchConditions": [
                {
                  "matchVariable": "RemoteAddr",
                  "operator": "GeoMatch",
                  "negateCondition": false,
                  "matchValue": [
                    "CH"
                  ]
                }
              ],
              "action": "Block"
            }
          ]
        },
        "managedRules": {
          "ruleSets": []
        }
      }
    }
  ]
}
Geo-filtering in AFD is currently broken. It includes all the country instead of specific location. A fix has been made and will be released soon. I will update here once the fix is updated.
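
An offline model of how the custom rule in the question is meant to evaluate, added here as an example; it is not code from the question, the answer, or Azure, and it says nothing about the service-side defect the answer reports. The function names (`condition_matches`, `evaluate`, `make_policy`, `verdicts`) and the evaluation semantics are simplifying assumptions, and `US_ONLY` is a constructed variant for the stated goal of blocking everything outside the US. Note that `CH` is the ISO 3166-1 code for Switzerland; China is `CN`.

```python
# Simplified model of Front Door WAF custom-rule evaluation (an assumption for
# illustration, not Azure's code): rules run in ascending priority, conditions
# inside a rule are ANDed, matchValue entries are ORed, negateCondition inverts
# the result, and the first matching Allow/Block rule decides.

def condition_matches(cond, country):
    if cond["operator"] != "GeoMatch":
        raise ValueError("this sketch only models GeoMatch")
    hit = country.upper() in {v.upper() for v in cond["matchValue"]}
    return not hit if cond.get("negateCondition", False) else hit

def evaluate(props, country):
    """Return 'Block' or 'Allow' for a request geolocated to `country`."""
    prevention = props["policySettings"]["mode"] == "Prevention"
    rules = sorted(props["customRules"]["rules"], key=lambda r: r["priority"])
    for rule in rules:
        if all(condition_matches(c, country) for c in rule["matchConditions"]):
            if rule["action"] == "Block":
                return "Block" if prevention else "Allow"  # Detection only logs
            if rule["action"] == "Allow":
                return "Allow"
    return "Allow"  # nothing matched and the policy has no managed rule sets

def make_policy(match_value, negate):
    """Build the 'properties' object of the template with one geo rule."""
    return {
        "policySettings": {"enabledState": "Enabled", "mode": "Prevention"},
        "customRules": {"rules": [{
            "name": "geoFilterRule", "priority": 1, "ruleType": "MatchRule",
            "matchConditions": [{
                "matchVariable": "RemoteAddr", "operator": "GeoMatch",
                "negateCondition": negate, "matchValue": match_value,
            }],
            "action": "Block",
        }]},
        "managedRules": {"ruleSets": []},
    }

POSTED = make_policy(["CH"], False)   # the rule exactly as posted
US_ONLY = make_policy(["US"], True)   # constructed: block everything except US

def verdicts(props, countries=("US", "CN", "CH", "DE")):
    return {c: evaluate(props, c) for c in countries}

if __name__ == "__main__":
    print("posted :", verdicts(POSTED))
    print("US only:", verdicts(US_ONLY))
```

Running the same country list through a policy before deployment gives a baseline to compare against what a geo-simulation test actually observes.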