---
title: Azure Front Door WAF disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure Front Door WAF disabled

## Metadata{% #metadata %}

**Id:** `terraform-azure-azure-front-door-waf-disabled` 

**Provider:** Azure

**Platform:** Terraform

**Severity:** Low

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/frontdoor#web_application_firewall_policy_link_id)

### Description{% #description %}

Azure Front Door should have a Web Application Firewall (WAF) enabled to protect applications from common web vulnerabilities and attacks such as SQL injection and cross-site scripting. If the `web_application_firewall_policy_link_id` attribute is not configured in a `frontend_endpoint` block, malicious traffic can reach backend resources through that endpoint without any inspection or filtering, increasing the risk of exploitation. To address this, link a WAF policy to every frontend endpoint, as shown below (`"id"` stands in for the resource ID of the WAF policy):

```terraform
frontend_endpoint {
  name                                    = "exampleFrontendEndpoint1"
  host_name                               = "example-FrontDoor.azurefd.net"
  web_application_firewall_policy_link_id = "id"
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "azurerm_frontdoor" "negative" {
  name                                         = "example-FrontDoor"
  resource_group_name                          = azurerm_resource_group.example.name
  enforce_backend_pools_certificate_name_check = false

  routing_rule {
    name               = "exampleRoutingRule1"
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["exampleFrontendEndpoint1"]
    forwarding_configuration {
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "exampleBackendBing"
    }
  }

  backend_pool_load_balancing {
    name = "exampleLoadBalancingSettings1"
  }

  backend_pool_health_probe {
    name = "exampleHealthProbeSetting1"
  }

  backend_pool {
    name = "exampleBackendBing"
    backend {
      host_header = "www.bing.com"
      address     = "www.bing.com"
      http_port   = 80
      https_port  = 443
    }

    load_balancing_name = "exampleLoadBalancingSettings1"
    health_probe_name   = "exampleHealthProbeSetting1"
  }

  frontend_endpoint {
    name                                    = "exampleFrontendEndpoint1"
    host_name                               = "example-FrontDoor.azurefd.net"
    web_application_firewall_policy_link_id = "id"
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "azurerm_frontdoor" "positive" {
  name                                         = "example-FrontDoor"
  resource_group_name                          = azurerm_resource_group.example.name
  enforce_backend_pools_certificate_name_check = false

  routing_rule {
    name               = "exampleRoutingRule1"
    accepted_protocols = ["Http", "Https"]
    patterns_to_match  = ["/*"]
    frontend_endpoints = ["exampleFrontendEndpoint1"]
    forwarding_configuration {
      forwarding_protocol = "MatchRequest"
      backend_pool_name   = "exampleBackendBing"
    }
  }

  backend_pool_load_balancing {
    name = "exampleLoadBalancingSettings1"
  }

  backend_pool_health_probe {
    name = "exampleHealthProbeSetting1"
  }

  backend_pool {
    name = "exampleBackendBing"
    backend {
      host_header = "www.bing.com"
      address     = "www.bing.com"
      http_port   = 80
      https_port  = 443
    }

    load_balancing_name = "exampleLoadBalancingSettings1"
    health_probe_name   = "exampleHealthProbeSetting1"
  }

  frontend_endpoint {
    name      = "exampleFrontendEndpoint1"
    host_name = "example-FrontDoor.azurefd.net"
  }
}
```
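
The same condition can be checked against a plan exported with `terraform show -json`, which also covers the case where the linked policy is created in the same plan and its ID is only known after apply. This is an added example, not Datadog's rule implementation; the function name `endpoints_without_waf`, the address `azurerm_frontdoor.linked`, and the sample plan are constructed for illustration.

```python
import json

# Constructed sample, trimmed to the fields this check reads from the
# output of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_frontdoor.positive", "type": "azurerm_frontdoor",
   "change": {"actions": ["create"],
     "after": {"frontend_endpoint": [
       {"name": "exampleFrontendEndpoint1", "web_application_firewall_policy_link_id": null}]},
     "after_unknown": {"frontend_endpoint": [{}]}}},
  {"address": "azurerm_frontdoor.linked", "type": "azurerm_frontdoor",
   "change": {"actions": ["create"],
     "after": {"frontend_endpoint": [
       {"name": "exampleFrontendEndpoint1"}]},
     "after_unknown": {"frontend_endpoint": [
       {"web_application_firewall_policy_link_id": true}]}}}
]}
""")


def endpoints_without_waf(plan):
    """Return (resource address, endpoint name) pairs with no WAF policy link."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if rc.get("type") != "azurerm_frontdoor" or not after:
            continue  # other resource types, or a resource being destroyed
        unknown = (change.get("after_unknown") or {}).get("frontend_endpoint")
        if not isinstance(unknown, list):
            unknown = []
        for i, ep in enumerate(after.get("frontend_endpoint") or []):
            # A link to a policy created in the same plan is "known after apply":
            # it is omitted from `after` and flagged true in `after_unknown`.
            ep_unknown = unknown[i] if i < len(unknown) and isinstance(unknown[i], dict) else {}
            if ep_unknown.get("web_application_firewall_policy_link_id") is True:
                continue
            if not ep.get("web_application_firewall_policy_link_id"):
                findings.append((rc["address"], ep.get("name")))
    return findings


if __name__ == "__main__":
    for address, name in endpoints_without_waf(SAMPLE_PLAN):
        print(f"{address}: frontend_endpoint {name!r} has no WAF policy linked")
```

An empty string is treated the same as a missing attribute, so an endpoint only passes when a non-empty policy ID is set or will be computed at apply time.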
