Azure Front Door Routing
Azure Front Door (AFD) Standard/Premium is the global entry point for all Microtec environments. It provides TLS termination, WAF policy enforcement, global load balancing, health probing, and custom domain management.
Architecture
AFD Profile and Endpoints
Three AFD profiles exist across all environments, all located in mic-erp-global-rg:
| Profile | Environments | Resource Group |
|---|---|---|
| mic-erp-fd | dev, stage | mic-erp-global-rg |
| mic-erp-fd-2 | preprod, uat | mic-erp-global-rg |
| mic-erp-prod-fd | production | mic-erp-global-rg |
Each environment gets its own AFD endpoint (hostname):
| Environment | AFD Profile | Custom Domains |
|---|---|---|
| dev | mic-erp-fd | *.microtec-test.com |
| stage | mic-erp-fd | *.microtecstage.com |
| preprod | mic-erp-fd-2 | *.microtec-preprod.com |
| uat | mic-erp-fd-2 | *.microtec-uat.com |
| production | mic-erp-prod-fd | *.onlinemicrotec.com.sa |
Origin Groups
Gateway Origin Group
Routes all API traffic to the YARP API Gateway.
| Property | Value |
|---|---|
| Name | gateway-og |
| Load balancing | Round-robin (single origin per env) |
| Session affinity | Disabled |
| Health probe path | /health |
| Health probe interval | 30 seconds |
| Health probe method | GET |
| Failover threshold | 3 consecutive failures |
Origin (per environment):
Origin hostname: mic-gateway.<env>.azurecontainerapps.io
Origin port: 443
Priority: 1
Weight: 1000
Keycloak Origin Group
Routes all /auth/ and /realms/ paths to Keycloak.
| Property | Value |
|---|---|
| Name | keycloak-og |
| Health probe path | /health/ready |
| Health probe interval | 30 seconds |
| Session affinity | Enabled (cookie-based, required for Keycloak OIDC flow) |
Frontend Origin Group
Routes static asset requests to the Angular SPA served from Azure Blob Storage static website hosting.
| Property | Value |
|---|---|
| Name | frontend-og |
| Origin | Storage account static website endpoint |
| Health probe path | /index.html |
| Cache behaviour | Cache Angular chunk files for 7 days; do not cache index.html |
Routing Rules
Routes are listed from most to least specific (lower number = higher priority). AFD selects the route whose path pattern matches the request most specifically, so frontend-route only receives paths that no narrower route claims. Two consequences worth knowing: /api without the trailing slash does not match api-route and falls through to frontend-og, and only the exact path /health reaches the gateway via health-route (a request for /healthz goes to frontend-og).
| Priority | Rule Name | Match Conditions | Destination |
|---|---|---|---|
| 1 | api-route | Path begins with /api/ | gateway-og |
| 2 | auth-route | Path begins with /auth/ or /realms/ | keycloak-og |
| 3 | health-route | Path equals /health | gateway-og |
| 4 | frontend-route | All other paths | frontend-og |
HTTPS Redirect Rule
A separate rule redirects HTTP to HTTPS with a 301 permanent redirect:
Match: HTTP (port 80), any path
Action: Redirect to HTTPS, 301
TLS / HTTPS Configuration
Custom Domain TLS
AFD manages TLS certificates for all custom domains via AFD-managed certificates (auto-renewed, no manual certificate management required):
Certificate type: AFD Managed
Minimum TLS version: TLS 1.2
HTTPS only: Enforced via redirect rule
TLS Offload
TLS is terminated at the AFD POP (Point of Presence). Traffic from AFD to the Container App origins travels over HTTPS (re-encrypted with the Container App's managed certificate). This is the "end-to-end TLS" model:
Client ──HTTPS──► AFD POP ──HTTPS──► Container App
AFD validates the origin certificate. Container Apps use *.azurecontainerapps.io certificates issued by Microsoft, which are trusted by AFD by default. This depends on certificate subject name validation staying enabled on each origin; switching it off would let AFD accept any certificate presented by the origin host.
WAF Policy
Each AFD endpoint is associated with a WAF policy in Prevention mode. The AFD SKU is Standard_AzureFrontDoor (not Premium). No separate DDoS plan is attached; AFD's built-in platform-level DDoS protection still applies.
| Property | Value |
|---|---|
| Policy name | micErpWafPolicy{Env} |
| AFD SKU | Standard_AzureFrontDoor |
| Mode | Prevention (blocks and logs) |
| Managed ruleset | Microsoft DefaultRuleSet 2.1 (based on OWASP Core Rule Set 3.3.2) |
| Bot protection | Enabled (BotManagerRuleSet 1.0) |
| DDoS Protection | No DDoS plan; platform-level protection only |
Note: managed rule sets (DefaultRuleSet and BotManagerRuleSet) are only available on the Premium_AzureFrontDoor SKU; a WAF policy on Standard_AzureFrontDoor can contain custom rules only. The SKU row and the two ruleset rows cannot all be correct at once, so check the deployed profile (az afd profile show --query sku.name) before relying on managed-rule coverage.
Custom WAF Rules
Additional custom rules layered on top of the managed ruleset:
| Rule | Action | Description |
|---|---|---|
| BlockNonAFD | Block | Intended to block requests not arriving through AFD (checks X-Azure-FDID header) |
| RateLimit-Global | Log | Rate limit: 10,000 requests per 5 minutes per client IP (Log only records exceedances; it does not throttle) |
| BlockSuspiciousUA | Block | Blocks known scanner user agents (sqlmap, nikto, etc.); trivially evaded by changing the User-Agent, so treat it as noise reduction rather than a control |
| AllowHealthChecks | Allow (high priority) | Bypasses WAF for /health endpoints from known probe IPs |
Note: a rule inside the AFD WAF policy cannot enforce BlockNonAFD as described. The policy only evaluates traffic that has already entered through Front Door, and X-Azure-FDID is a header Front Door adds when forwarding to the origin. The "only via Front Door" guarantee has to be enforced at the origin: restrict ingress to the AzureFrontDoor.Backend service tag and have the gateway and Keycloak reject any request whose X-Azure-FDID does not equal the profile's Front Door ID (az afd profile show --query frontDoorId).
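The origin-side half of the BlockNonAFD intent, as an added example that is not the project's gateway code (the real gateway is YARP/.NET; this is the same logic in Python). The NSG's AzureFrontDoor.Backend allow rule is not enough on its own, because that service tag is shared by every Front Door customer, so the origin compares X-Azure-FDID in constant time against its own profile's Front Door ID and only trusts X-Azure-ClientIP once that check has passed. The EXPECTED_FDID value and the sample requests are placeholders constructed for the example.

```python
"""Origin-side Front Door check. Added illustrative example, not the project's
YARP gateway code. AFD stamps X-Azure-FDID with the profile's Front Door ID on
every request it forwards; the origin compares it against the value returned by
`az afd profile show --query frontDoorId`. EXPECTED_FDID is a placeholder."""
import hmac
from typing import Mapping, Optional, Tuple

# Placeholder: replace with the frontDoorId of the profile fronting this origin.
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_from_front_door(headers: Mapping[str, str],
                       expected_fdid: str = EXPECTED_FDID) -> bool:
    """True only if the request carries exactly our profile's Front Door ID.

    A missing or mismatched header means the caller reached the origin directly
    (or through someone else's Front Door profile) and must be rejected.
    compare_digest keeps the comparison constant-time."""
    fdid = _header(headers, "X-Azure-FDID")
    if fdid is None:
        return False
    return hmac.compare_digest(fdid.strip().encode(), expected_fdid.encode())


def client_ip(headers: Mapping[str, str], socket_ip: str,
              expected_fdid: str = EXPECTED_FDID) -> str:
    """Real client IP for rate limiting and audit logs.

    X-Azure-ClientIP is only trustworthy after the request is proven to have
    come through our Front Door; a direct caller could set it to anything."""
    if is_from_front_door(headers, expected_fdid):
        return _header(headers, "X-Azure-ClientIP") or socket_ip
    return socket_ip


def handle(headers: Mapping[str, str], socket_ip: str,
           expected_fdid: str = EXPECTED_FDID) -> Tuple[int, str]:
    """Minimal request gate: 403 for anything that bypassed Front Door."""
    if not is_from_front_door(headers, expected_fdid):
        return 403, "Forbidden: origin accepts traffic from Azure Front Door only"
    return 200, "ok client=" + client_ip(headers, socket_ip, expected_fdid)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    via_afd = {"X-Azure-FDID": EXPECTED_FDID, "X-Azure-ClientIP": "203.0.113.7"}
    direct = {"X-Azure-ClientIP": "203.0.113.7"}  # spoofed client IP, no FDID
    wrong = {"X-Azure-FDID": "11111111-1111-1111-1111-111111111111"}
    for name, hdrs in (("via_afd", via_afd), ("direct", direct), ("wrong_fdid", wrong)):
        print(name, handle(hdrs, "10.0.0.5"))
```

Wire this in as the first middleware on the gateway and on the Keycloak ingress, before any routing or authentication logic, and read the expected ID from configuration per environment since each AFD profile has its own Front Door ID.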
WAF Exclusions
Some API paths require WAF exclusions to prevent false positives from legitimate payloads (e.g. Zatca XML invoice bodies trigger SQL injection rules):
Exclusion: RequestBodyContents for path /api/v1/zatca/*
Rule: SQL injection rules (sqli group)
Justification: Zatca XML payloads contain SQL-like keywords in invoice metadata
Note: AFD WAF exclusions are keyed on header, cookie, query-string or request-body argument names and apply across the whole policy rather than to a path. Keep the exclusion to the specific 942xxx rule IDs the Zatca traffic actually trips (taken from the WAF logs) instead of the whole group, and confirm from the deployed policy how the /api/v1/zatca/* scope is really expressed.
Health Probes
AFD health probes verify origin availability before traffic is routed to an origin. Probe source IPs are in the AzureFrontDoor.Backend service tag, which the public CAE NSG allows on ports 80 and 443. That tag covers every Front Door profile, not only Microtec's, so the NSG rule limits exposure but does not by itself prove that a request came through a mic-erp profile.
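Before a managed-rule exclusion like the Zatca one above is added or widened, the WAF logs show which rule IDs actually fire on that path and whether the same rules are catching real attacks elsewhere, which matters because AFD exclusions are not path-scoped. The script below is an added example, not project tooling. It runs over constructed sample rows shaped like AzureDiagnostics FrontDoorWebApplicationFirewallLog records (the action_s, ruleName_s, requestUri_s and clientIP_s field names are assumed to match that schema) and reports, per managed rule ID, the hit count under the prefix and whether the rule also fired outside it.

```python
"""WAF log triage for a proposed exclusion. Added example, not project code.
SAMPLE_LOG holds constructed rows (no real traffic) in the shape of
AzureDiagnostics FrontDoorWebApplicationFirewallLog records; the *_s field
names are assumed to match that schema and should be checked against a real
workspace query before use."""
import json
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SAMPLE_LOG = """\
{"action_s":"AnomalyScoring","ruleName_s":"Microsoft_DefaultRuleSet-2.1-SQLI-942100","requestUri_s":"https://erp.onlinemicrotec.com.sa/api/v1/zatca/invoices","clientIP_s":"203.0.113.10"}
{"action_s":"AnomalyScoring","ruleName_s":"Microsoft_DefaultRuleSet-2.1-SQLI-942190","requestUri_s":"https://erp.onlinemicrotec.com.sa/api/v1/zatca/invoices","clientIP_s":"203.0.113.10"}
{"action_s":"Block","ruleName_s":"Microsoft_DefaultRuleSet-2.1-SQLI-942100","requestUri_s":"https://erp.onlinemicrotec.com.sa/api/v1/zatca/invoices?draft=1","clientIP_s":"203.0.113.11"}
{"action_s":"Block","ruleName_s":"Microsoft_DefaultRuleSet-2.1-SQLI-942100","requestUri_s":"https://erp.onlinemicrotec.com.sa/api/v1/orders?id=1%27%20OR%201%3D1","clientIP_s":"198.51.100.9"}
{"action_s":"Block","ruleName_s":"BlockSuspiciousUA","requestUri_s":"https://erp.onlinemicrotec.com.sa/","clientIP_s":"198.51.100.9"}
"""

MANAGED_PREFIX = "Microsoft_DefaultRuleSet"


def parse_records(text: str) -> List[dict]:
    """One JSON object per line, as exported from Log Analytics."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def request_path(uri: str) -> str:
    """requestUri_s carries the full URL; compare on the path only."""
    return urlsplit(uri).path


def rule_id(name: str) -> Optional[str]:
    """'Microsoft_DefaultRuleSet-2.1-SQLI-942100' -> '942100'; None for custom rules."""
    if not name.startswith(MANAGED_PREFIX):
        return None
    return name.rsplit("-", 1)[-1]


def managed_rule_ids_under(records: List[dict], prefix: str) -> List[str]:
    """Managed rule IDs that matched requests whose path starts with `prefix`."""
    ids = {rule_id(r["ruleName_s"]) for r in records
           if request_path(r["requestUri_s"]).startswith(prefix)}
    return sorted(i for i in ids if i)


def triage(records: List[dict], prefix: str) -> Dict[str, dict]:
    """Per rule ID: hits under the prefix, distinct clients, and whether the
    same rule also fired outside the prefix. A rule that fires elsewhere is
    still doing useful work, so excluding it policy-wide needs a narrower
    match variable than the whole SQLI group."""
    report: Dict[str, dict] = {}
    for rid in managed_rule_ids_under(records, prefix):
        matched = [r for r in records if rule_id(r["ruleName_s"]) == rid]
        inside = [r for r in matched if request_path(r["requestUri_s"]).startswith(prefix)]
        outside = [r for r in matched if not request_path(r["requestUri_s"]).startswith(prefix)]
        report[rid] = {
            "hits_under_prefix": len(inside),
            "distinct_clients": len({r["clientIP_s"] for r in inside}),
            "fires_elsewhere": bool(outside),
        }
    return report


if __name__ == "__main__":
    for rid, row in triage(parse_records(SAMPLE_LOG), "/api/v1/zatca/").items():
        print(rid, row)
```

In the sample data 942100 fires both on the Zatca path and on a genuine injection attempt against /api/v1/orders, so a blanket exclusion of the SQLI group would silence a true positive; 942190 fires only on the Zatca path and is the kind of rule an exclusion can safely target.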
Caching Configuration
AFD caching is configured per-route:
| Route | Caching | TTL |
|---|---|---|
| /api/* | Disabled | N/A |
| /auth/* | Disabled | N/A |
| /assets/* | Enabled | 7 days |
| /*.chunk.js | Enabled | 30 days (content-addressed) |
| /index.html | Disabled | N/A (always fresh) |
The Frontend Origin Group section above gives 7 days for chunk files while this table gives 30 days; the hashed chunk names make the longer TTL safe, but the two entries should be reconciled against the deployed route.
Cache purge after deployment:
```bash
az afd endpoint purge \
  --resource-group mic-erp-global-rg \
  --profile-name mic-erp-prod-fd \
  --endpoint-name mic-erp-prod \
  --domains "erp.onlinemicrotec.com.sa" \
  --content-paths "/*"
```