How to set up a geo-filtering policy for your Front Door

This tutorial shows how to use Azure PowerShell to create a sample geo-filtering policy and associate the policy with your existing Front Door frontend host. This sample geo-filtering policy will block requests from all other countries except United States.

1. Set up your PowerShell environment

Azure PowerShell provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources.

You can install Azure PowerShell on your local machine and use it in any PowerShell session. Follow the instructions on the page, to sign in with your Azure credentials, and install AzureRM.

# Connect to Azure with an interactive dialog for sign-in
Install-Module -Name AzureRM


Azure Cloud Shell support is coming soon.

Before install Front Door module, make sure you have the current version of PowerShellGet installed. Run below command and reopen PowerShell.

Install-Module PowerShellGet -Force -AllowClobber

Install AzureRM.FrontDoor module.

Install-Module -Name AzureRM.FrontDoor -AllowPrerelease

2. Define geo-filtering match condition(s)

First create a sample match condition that selects requests not coming from "US". Refer to PowerShell guide on parameters when creating a match condition. Two letter country code to country mapping is provided here.

$nonUSGeoMatchCondition = New-AzureRmFrontDoorMatchConditionObject -MatchVariable RemoteAddr -OperatorProperty GeoMatch -NegateCondition $true -MatchValue "US"

3. Add geo-filtering match condition to a rule with Action and Priority

Then create a CustomRule object nonUSBlockRule based on the match condition, an Action, and a Priority. A CustomRule can have multiple MatchCondition. In this example, Action is set to Block and Priority to 1, the highest priority.

$nonUSBlockRule = New-AzureRmFrontDoorCustomRuleObject -Name "geoFilterRule" -RuleType MatchRule -MatchCondition $nonUSGeoMatchCondition -Action Block -Priority 1

Refer to PowerShell guide on parameters when creating a CustomRuleObject.

4. Add Rules to a Policy

This step creates a geoPolicy policy object containing nonUSBlockRule from previous step in the specified resource group. Use Get-AzureRmResourceGroup to find your ResourceGroupName $resourceGroup.

$geoPolicy = New-AzureRmFrontDoorFireWallPolicy -Name "geoPolicyAllowUSOnly" -resourceGroupName $resourceGroup -Customrule $nonUSBlockRule  -Mode Prevention -EnabledState Enabled

Refer to PowerShell guide on parameters when creating a policy.

Last steps are to link the protection policy object to an existing Front Door frontend host and update Front Door properties. You first retrieve your Front Door object by using Get-AzureRmFrontDoor, followed by setting its frontend WebApplicationFirewallPolicyLink property to resourceId of the geoPolicy.

$geoFrontDoorObjectExample = Get-AzureRmFrontDoor -ResourceGroupName $resourceGroup
$geoFrontDoorObjectExample[0].FrontendEndpoints[0].WebApplicationFirewallPolicyLink = $geoPolicy.Id

Use the following command to update your Front Door object.

Set-AzureRmFrontDoor -InputObject $geoFrontDoorObjectExample[0]


You only need to set WebApplicationFirewallPolicyLink property once to link a protection policy to a Front Door frontend host. Subsequent policy updates will automatically apply to the frontend host.

Next steps