IP whitelisting on the CD server
In the series ‘Advanced Azure Front Door configuration strategies for Sitecore Managed Cloud on Containers', this is part 4: IP whitelisting on the CD server. Sitecore Managed Cloud comes in two flavours, webapps and containers. In my role as Senior Solution Architect at uxbee, I set up and configured the container variant for a customer. In this blog series I will share my configuration experiences with Azure Front Door in combination with Sitecore Managed Cloud.
So back to the specific project where we had to migrate the client’s websites one by one from the old environment to the new Sitecore Managed Cloud environment. It is important in this case that the new website cannot and should not be visited by the public until after going live. But of course, the new website must be viewable by the migration team and the customer prior to going live. So it would be helpful if some websites on the CD could also be placed behind an IP whitelist. In an earlier blog, I explained that Sitecore Managed Cloud comes with two Front Door WAF policies by default:
- xxxxxxxxxxxxxxxxxxxxxxxxxfdp – frontdoorpolicy
- xxxxxxxxxxxxxxxxxxxxxxxxxcmfdp - CM frontdoorpolicy
One is for the CD, where IP whitelisting is disabled, and one is for the CM, where IP whitelisting is enabled. For the CD environment it is all or nothing, whereas you actually want to be able to choose which URLs on the environment are behind an IP whitelist and which are not. Out of the box, Front Door has the following setup:
But we actually wanted the setup as shown on the image below:
To achieve that second setup, we need to program it into the Front Door main.tf file. You can find that file in the frontdoor folder of the infrastructure repository. I will take you through the components you need to program in the main.tf file.
First, look for the resource azurerm_frontdoor_firewall_policy. There are two resources of this type in the main.tf file (see image below).
One is called “this” and is for the CD; “this” is connected to the CD backend. The other one is called CM and is connected to the CM backend. Just below the “this” resource we need to place the following new resource definition:
As you can see from the image above, we will create a new firewall policy called “cdprivate”. All endpoints connected to this policy will be behind an IP whitelist; all endpoints connected to the “this” policy will be accessible from the Internet.
Note that there are two important things!
First, in the match_condition, the variable match_values is filled with the local variable cd_whitelist. This is not a default in Sitecore! You can read how this is set up in my blog ‘Simplifying managing Azure Front Door IP whitelisting’.
Second, in the resource definition you will see the local variable “local.frontdoor_cd_waf_policy_name_private”. This is a new variable that we need to declare at the top of the file.
As you can see in the image above, we added the variable frontdoor_cd_waf_policy_name_private and filled it with the infrastructure_id and suffix of “fdpprivate”.
Merge your changes into the master branch with a PR and run the infrastructure pipeline. Once the pipeline is finished and shows no errors, go to the Azure Front Door interface and check if the new WAF policy has been created.
The final step to make this all work is to switch the endpoints that must be behind the IP whitelist to the newly created xxxxxxxxxxxxxxxxxxfdpprivate policy. In the main.tf, go to the endpoint(s), as shown on the image below.
Fill the variable web_application_firewall_policy_link_id with the right policy id. This is very easy: simply add the line azurerm_frontdoor_firewall_policy.cdprivate.id.
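The three main.tf changes described above (the new local, the “cdprivate” policy and the endpoint link) written out as Terraform. This is an added example, not the code from the original post or from the Sitecore repository. The input variables, the custom rule name, priority and mode, and the sample addresses are assumptions; the block/negated-IPMatch rule is the common way to express an IP allowlist in a Front Door WAF policy.

```hcl
# Added example. Everything marked "assumed" is not taken from the original post.

variable "infrastructure_id" { # assumed input; the post only names "infrastructure_id"
  type = string
}

variable "resource_group_name" { # assumed input
  type = string
}

locals {
  # New local from the post: infrastructure id plus the "fdpprivate" suffix.
  frontdoor_cd_waf_policy_name_private = "${var.infrastructure_id}fdpprivate"

  # Constructed sample values (documentation ranges). In the post this list
  # comes from the setup described in the author's earlier blog.
  cd_whitelist = ["203.0.113.0/24", "198.51.100.17/32"]
}

resource "azurerm_frontdoor_firewall_policy" "cdprivate" {
  name                = local.frontdoor_cd_waf_policy_name_private
  resource_group_name = var.resource_group_name
  enabled             = true
  mode                = "Prevention" # assumed: block, not only log

  custom_rule {
    name     = "IPWhitelist" # assumed rule name
    enabled  = true
    priority = 1 # assumed
    type     = "MatchRule"
    action   = "Block"

    # Block every request whose client address is NOT in the whitelist.
    match_condition {
      match_variable     = "RemoteAddr"
      operator           = "IPMatch"
      negation_condition = true
      match_values       = local.cd_whitelist
    }
  }
}

# Inside each frontend_endpoint block that must be private, set:
#   web_application_firewall_policy_link_id = azurerm_frontdoor_firewall_policy.cdprivate.id
# Endpoints that stay public keep their link to azurerm_frontdoor_firewall_policy.this.id.
```

Running terraform plan before opening the PR shows which endpoints will change their policy link, so a public site is not moved behind the whitelist by accident.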
After rearranging all endpoints, create a pull request to the master and re-run the infrastructure pipeline. Once the pipeline has completed correctly, you can do the final check. Go to the Front Door in the Azure interface, open the Front Door designer and click on an endpoint that should be behind the IP whitelist. A sheet will open on the right side.
Scroll down until you see the WEB APPLICATION FIREWALL section. In the policy dropdown the “private” policy should be selected. If this is the case, then you are up and running!
I hope this blog helps you manage the Sitecore Managed Cloud a little better and easier. If you have any questions as a result of this blog or any of the earlier parts, feel free to send me an email at firstname.lastname@example.org.