Install the Azure Front Door Enforcer

If your organization uses Azure Front Door, you can use HUMAN's Azure Front Door Enforcer to protect against malicious behavior; the Enforcer dictates how traffic is handled according to your organization's standards. The Azure Enforcer combines Azure Front Door's CDN caching functionality with the Azure Function App's ability to run serverless code in the cloud.

(Diagram: request flow through Azure Front Door, the Function App Enforcer and the origin server.)
  1. The client sends a request to Azure Front Door.
  2. Front Door sends the incoming request to the Function App origin group.
    • This reduces Function App invocations in the case of first-party requests.
  3. If the Enforcer in the Function App passes the request, the Azure Function proxies the request back to the same Front Door domain.
  4. If the response is not found in the cache, the Front Door Rule Set sends the request to the origin server.

You can learn how to install the Azure Front Door Enforcer with this article.

Warning

This process only works if you do not have an existing Enforcer integrated with your application. If you do, see our article on manual installation.

Prerequisites

  • An Azure subscription with at least a Contributor role and the following providers:
    • Microsoft.Cdn (for Front Door)
    • Microsoft.Storage (for Storage Accounts)
    • Microsoft.Sites (for App Service)
    • Microsoft.Resources (for Resource Groups)
    • Microsoft.Web (for Function Apps)
  • A supported Azure App Service plan in the same region you want to deploy your Enforcer to. The supported plans are:
    • Basic
    • Standard
    • Premium
    • Isolated
  • An Azure resource group within the relevant subscription.
  • Depending on your preferred deployment method, the following tools:

Create a Service Principal Client Secret

The Enforcer requires a client secret from a Service Principal. If you have an existing one, you can use it to create a secret. If you don’t have one, you can follow the steps to create a new one.

Create a new Service Principal

  1. Follow the steps in Microsoft’s help article section Register an application with Microsoft Entra ID and create a service principal. While doing so, make sure that you do the following for the specified fields:
    • Name: Choose a descriptive name (e.g. "Human Security Enforcer Deploy Tool")
    • Supported account types: Select "Accounts in this organizational directory only"
    • Redirect URI: Leave blank
  2. After registering your Service Principal, note the Client (Application) ID and Tenant (Directory) ID. You’ll need these values later.

Create a client secret

  1. Follow the steps in Microsoft’s help article section Option 3: Create a new client secret.
  2. After you create the client secret, be sure to copy and save it in a secure place. You will not be shown the secret again.

Download the Enforcer configuration file

The Enforcer configuration file, enforcerConfig.json, has important information about your HUMAN account such as your Application ID or server token that the Enforcer uses to work with your application. If you don’t have one already, you need to download this file from the HUMAN console.

  1. Navigate to Platform Settings > Configurations > Enforcers.
  2. Click the Enforcer that you’re currently updating.
  3. Click the download button to download enforcerConfig.json.
  4. Save the file in a directory that you’ll remember, such as /deploy.

Run the Deploy Tool

You can run the Deploy Tool with either of the following methods:

Docker method

Note for Windows users

Windows users also need to complete the following additional setup for Docker:

  1. In your Windows search bar, search for and open “Turn Windows features on or off”.
  2. Find the Windows Hypervisor Platform feature and enable it.
  3. Click OK to save your changes.
  4. Open Windows PowerShell as an Administrator.
  5. Copy and paste in C:\Windows\System32\wsl.exe --update --web-download, then hit Enter.
  1. Pull the Deploy Tool image:
docker pull us-docker.pkg.dev/hmn-registry/docker-public/cdn-enforcer-deploy-tool
  2. Navigate to the directory where you saved enforcerConfig.json. Based on the example above, this would be the /deploy directory.
  3. Run the deploy tool with the following:
docker run --rm -v $PWD:/app/local -it us-docker.pkg.dev/hmn-registry/docker-public/cdn-enforcer-deploy-tool

Script method

  1. Navigate to the directory where you saved enforcerConfig.json. Based on the example above, this would be the /deploy directory.
  2. Pull the HUMAN Deploy Tool zip from Google Artifact Registry with the command for your system:
    • Windows:
wget 'https://artifactregistry.googleapis.com/v1/projects/hmn-registry/locations/us/repositories/enforcers-public/files/cdn-enforcer-deploy-tool_win:1.3.0:cdn-enforcer-deploy-tool_win.zip:download?alt=media' -O cdn-enforcer-deploy-tool.zip
    • Mac or Linux:
wget 'https://artifactregistry.googleapis.com/v1/projects/hmn-registry/locations/us/repositories/enforcers-public/files/cdn-enforcer-deploy-tool_unix:1.3.0:cdn-enforcer-deploy-tool_unix.zip:download?alt=media' -O cdn-enforcer-deploy-tool.zip
  3. Unzip cdn-enforcer-deploy-tool.zip to the same directory you saved enforcerConfig.json in.
  4. Run the tool by opening the appropriate script for your system:
    • Windows: cdn-enforcer-deploy-tool.bat
    • Mac or Linux: cdn-enforcer-deploy-tool.command

Deploy the Enforcer

  1. When prompted, select the Azure Front Door platform and hit Enter.
🚀 HUMAN CDN Enforcer Deploy Tool 🚀
? Which platform do you want to deploy to? (Use arrow keys)
  Fastly VCL
❯ Azure Front Door
  ...
  2. Continue to follow the steps that appear to complete your deployment.
  3. When you finish the setup, confirm that the displayed details are correct, then enter y to deploy the Enforcer.
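A preflight script, added here as an example and not part of HUMAN's Deploy Tool, that checks the prerequisites above (resource provider registration, App Service plan tier and region, the enforcerConfig.json file, and the tools for either deployment method) before you start the deploy. It assumes the Azure CLI is installed and logged in; the resource group, plan name and region are placeholders you pass on the command line.

```shell
#!/bin/sh
# Preflight check to run before the HUMAN CDN Enforcer Deploy Tool (added example, not
# HUMAN's tooling). Assumes the Azure CLI ("az") is installed and logged in; resource
# group, plan name, region and config path are placeholders passed on the command line.
set -u
# Resource providers exactly as the Prerequisites section lists them.
REQUIRED_PROVIDERS="Microsoft.Cdn Microsoft.Storage Microsoft.Sites Microsoft.Resources Microsoft.Web"

# 0 if the App Service plan tier is one the page supports (Basic, Standard, Premium,
# Isolated). Azure reports versioned tiers such as PremiumV3 or IsolatedV2, so match the prefix.
plan_tier_supported() {
  case "$1" in
    Basic|Standard|Premium*|Isolated*) return 0 ;;
    *) return 1 ;;
  esac
}

# Normalise a region so "East US" (display name) and "eastus" (short name) compare equal.
norm_region() { printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z'; }

# 0 if the file exists, is non-empty and starts with "{": a cheap structural check,
# not a full JSON parse (the Deploy Tool validates the contents itself).
config_file_ok() {
  [ -s "$1" ] && [ "$(tr -d '[:space:]' < "$1" | head -c 1)" = "{" ]
}

# 0 if the tools for at least one method are present: docker, or wget plus unzip.
deploy_tools_present() {
  command -v docker >/dev/null 2>&1 && return 0
  command -v wget >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1
}

# Runs every check against the live subscription; prints each failure, returns 1 if any.
preflight() {
  rg="$1"; plan="$2"; region="$3"; cfg="$4"; rc=0
  for p in $REQUIRED_PROVIDERS; do
    state=$(az provider show --namespace "$p" --query registrationState -o tsv 2>/dev/null)
    [ "$state" = "Registered" ] || { echo "FAIL: provider $p not registered ($state)"; rc=1; }
  done
  tier=$(az appservice plan show -g "$rg" -n "$plan" --query sku.tier -o tsv 2>/dev/null)
  plan_tier_supported "$tier" || { echo "FAIL: plan tier '$tier' is not supported"; rc=1; }
  loc=$(az appservice plan show -g "$rg" -n "$plan" --query location -o tsv 2>/dev/null)
  [ "$(norm_region "$loc")" = "$(norm_region "$region")" ] || { echo "FAIL: plan is in '$loc', not '$region'"; rc=1; }
  config_file_ok "$cfg" || { echo "FAIL: $cfg missing or not a JSON object"; rc=1; }
  deploy_tools_present || { echo "FAIL: need docker, or wget and unzip"; rc=1; }
  return "$rc"
}

# Usage: sh preflight.sh run <resource-group> <plan-name> <region> <path/to/enforcerConfig.json>
if [ "${1:-}" = "run" ]; then shift; preflight "$@"; fi
```

Run it from the directory holding enforcerConfig.json; a non-zero exit with one or more FAIL lines means the Deploy Tool would stop partway through.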