Skip to content

matthansen0/azure-enterprise-edge-lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.devcontainer
.devcontainer
 
 
.github
.github
 
 
apps
apps
 
 
dashboards
dashboards
 
 
docs
docs
 
 
infra
infra
 
 
scripts
scripts
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
azure.yaml
azure.yaml
 
 

Repository files navigation

Azure Enterprise Edge Lab

End-to-end Azure edge security lab — Front Door Premium with WAF, dual-region Container Apps failover, Microsoft Sentinel, SOC automation, and Azure Workbooks. One-click deploy with Bicep + Azure Developer CLI (azd).

Architecture Overview

Enterprise Edge Architecture

See docs/architecture.md for component details, caching strategy, WAF rules, and more.

Prerequisites

Open this repo in the provided Dev Container — all required tooling (Azure CLI, azd, Bicep, Node.js, Docker, ShellCheck, hey, jq, OpenSSH) is pre-installed.

Quickstart

1. Login (device code)

azd auth login --use-device-code
az login --use-device-code

2. Configure (optional)

# Defaults are set in .devcontainer/devcontainer.json remoteEnv.
# Override as needed:
export DEMO_PREFIX="afdemo"          # Resource naming prefix (lowercase, no hyphens)
export DEMO_LOCATION_A="eastus2"     # Primary region
export DEMO_LOCATION_B="westus2"     # Secondary region (failover)
export DEMO_RG="rg-afd-demo"         # Resource group name

3. Deploy

Security Copilot is not deployed by default (it bills at ~$4/hr per SCU). To opt in, set the parameter before deploying:

azd env set DEPLOY_SECURITY_COPILOT true
azd init              # First time: select environment name, subscription, location
azd up                # Provisions Bicep infra + builds/deploys app to both origins

Sandbox web page served through Azure Front Door

4. Run Sandbox Scripts

# Purge a path and verify cache refresh
bash scripts/purge.sh /static/version.json

# Generate traffic (benign load for rate-limit exercise)
bash scripts/generate-traffic.sh

# Toggle origin failover (disable/enable origin)
bash scripts/toggle-failover.sh disable origin-b
bash scripts/toggle-failover.sh enable origin-b

5. Destroy

azd down              # Deletes all provisioned resources

Sandbox Playbook

See docs/sandbox-playbook.md for a walkthrough with exact commands and expected output.

Documentation Index

Document Description
Architecture System architecture and component map
Sandbox Playbook Walkthrough with commands and expected output
Analytics KQL KQL queries for dashboards and ad-hoc analysis
Operating Model RACI, support tiers, SLA-backed incident flow
Migration & Onboarding Phased migration, rollback, DNS cutover
TLS / Certificate Mgmt Managed vs. BYOC certs, rotation
SOC Automation Stub Sentinel automation / Logic App skeleton

Design Principles

  • No real exploit payloads — WAF blocking is shown with safe custom headers and benign traffic.
  • Fully idempotent — deploy and destroy cleanly.
  • Self-contained — everything needed to deploy is in this repo.

About

End-to-end Azure edge security lab: Front Door Premium with WAF, dual-region Container Apps failover, Microsoft Sentinel, SOC automation, and Azure Workbooks. One-click deploy with Bicep + azd.

Topics

cdn azure waf web-application-firewall azure-front-door microsoft-sentinel

Resources

Readme
Activity

Stars

18 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases 1

v1.0 Latest
Mar 25, 2026

Packages

 
 
 

Contributors

Languages