Azure CDN – Standard Microsoft: Rules Engine for http to https redirection
Published Aug 09 2019 02:43 AM 10.2K Views
Microsoft

Use Case:

While we have rules engine features for premium Verizon CDN endpoint, recently we have introduced rules engine feature for Microsoft CDN. While I am writing this blog, it’s in preview.

This blog explains how you can utilize this Rules engine feature in Microsoft Standard Azure CDN to redirect your request URL from http to https using PowerShell.

 

Update: This feature is now available to enable on the Azure Portal as well, Please find the following guidelines to do the same from Azure Portal: Enforce https using Azure CDN Standard Rules Engine

 

Pre-requisites:

I assume that you already have an Azure CDN created with Microsoft Standard profile. If you don’t have one created already, follow this.

Ensure you have the Az.Cdn module installed on your machine. To check if the Az.CDN is installed or not, you can do the following,

 

  • Open PowerShell as Administrator

 

  • Run command Import-Module Az.Cdn

 

  • If the above command doesn’t throw any error, you have the Az.Cdn PowerShell module

installed and the module is successfully imported in the current session.

 

The following error while running Import-Module command means that you don’t have the Az.Cdn module installed yet. To install you have to run Install-Module -Name Az.Cdn -force command.

first.jpg

 

If you see the below error while running the install command then you need to run Install-Module -Name Az.Cdn -AllowClobber -Scope CurrentUser command to install it.

2.jpg

 

  • Now to check if the Az.Cdn module is installed successfully, you can try importing the module using the command: Import-Module Az.Cdn

 

You may be prompted to confirm so that it can import this module for the first time.

3.jpg

 
  • You can also run Get-Module command to confirm if it’s imported successfully in your PowerShell session and what version it’s currently using:

 

PS command: Get-Module Az.Cdn

4.jpg

 

Make sure you use the latest version of Az.Cdn i.e. 1.3.0 so that you can use the new cmdlet which are released for setting the rules engine for a CDN endpoint.

 

Steps:

Ensure that the above pre-requisites are followed before proceeding with the following steps.

 

Launch a new PowerShell session and run the following cmdlets:

 

#To connect to Azure account

Connect-AzAccount

 

#set the rule condition when the action will be performed | Updated the below command with latest details

$RuleCondition = New-AzCdnDeliveryRuleCondition -MatchVariable 'RequestScheme' -Operator Equal -MatchValue "HTTP"

 

#Set the action what it should to once the condition is met, here we are doing http to https redirection

$RuleAction = New-AzCdnDeliveryRuleAction -RedirectType Moved -DestinationProtocol Https

 

#Set the Rule with condition and action we just created above

$Rule = New-AzCdnDeliveryRule -Name "rule1" -Order 1 -Condition $RuleCondition -Action $RuleAction

 

#Set the Azuer CDN delivery policy with the rule

$policy = New-AzCdnDeliveryPolicy -Description "RedirectPolicy" -Rule $Rule

 

#get the CDN endpoint reference

#please replace the below parameters as per the CDN endpoint details

$ep = Get-AzCdnEndpoint -ProfileName "<CDN Profile Name>" -EndpointName "<CDN Endpoint Name>" -ResourceGroupName "<Resource Group Name>"

 

#Assign the delivery policy to the CDN endpoint variable

$ep.DeliveryPolicy = $policy

 

#Now call the set CDN endpoint to save the changes on the CDN endpoint

Set-AzCdnEndpoint -CdnEndpoint $ep

 

Hope this helps.

 

Updating the reference articles for more details on CDN standard rules engine feature:

1. https://docs.microsoft.com/en-us/azure/cdn/cdn-standard-rules-engine-reference 

2. https://docs.microsoft.com/en-us/azure/cdn/cdn-standard-rules-engine-match-conditions 

3. https://docs.microsoft.com/en-us/azure/cdn/cdn-standard-rules-engine-actions 

20 Comments
Copper Contributor

Thanks, This document has helped me a lot.

 

But, is there a way to remove the policy that has been attached.

Microsoft

@varadasandeep you're welcome.

<Updating the answer as per the latest release>

To remove the policy from an endpoint, you can do a Get-AzCdnEndpoint to retrieve endpoint data. Once you get the endpoint data, make a call to clear the delivery policy rules, then do Set-AzCdnEndpoint with the updated endpoint data.

E.g.

 

#get the CDN endpoint reference
$ep = Get-AzCdnEndpoint -ProfileName "<CDN Profile Name>" -EndpointName "<CDN Endpoint Name>" -ResourceGroupName "<Resource Group Name>"
#clear the Rules of CDN endpoint
$ep.DeliveryPolicy.Rules.Clear()
Set-AzCdnEndpoint -CdnEndpoint $ep
Copper Contributor

Hello!  We keep getting the following error when trying to run the Set-AzCdnEndpoint cmdlet for a Standard Microsoft CDN Profile.  Tested on Az.Cdn 1.3.0, 1.3.3, and current Cloud Shell.

Set-AzCdnEndpoint : Operation returned an invalid status code 'BadRequest'

 

With the following in the 400 response:

"message": "A type named 'Microsoft.Azure.Cdn.Models.DeliveryRuleUrlRedirectActionParameters' could not be resolved by the model. When a model is available, each type name must resolve to a valid type."

 

Are you able to reproduce this?

 

Copper Contributor
Same as @jcrosbyrwb here. BadRequest on Set-AzCdnEndpoint with As.Cdn 1.3.1 Any help about this?
Microsoft

Hello @jcrosbyrwb & @technetColmar ,

I'm able to reproduce this error, seems like something has changed, I'm checking more on this internally, will post further updates on this.

Microsoft

Hello @technetColmar & @jcrosbyrwb ,

There was a fix planned to release for this issue in next 2-3 weeks, you can expect this to work by then. I'll update this thread once the fix is deployed for it.

Copper Contributor

Thank you @Braja!  We're holding up a production rollout of a site, so this fix will be much appreciated.

Copper Contributor

This seems to have been resolved now. I just completed the steps without error today. However, this then resulted in an infinite redirect as it seemed to be matching HTTPS as well as HTTP. Given that the rule only matches GET verbs and ignores the scheme, I guess this was to be expected. I tried to guess how to add another condition:

$protocolCondition = New-AzCdnDeliveryRuleCondition -MatchVariable 'RequestScheme' -Operator Equal -MatchValue "HTTP"
$ep.DeliveryPolicy[0].Rules[0].Conditions.Add($protocolCondition)

However, after saving the endpoint there seemed to be no change in behaviour. Unfortunately then trying this:

$ep.DeliveryPolicy = $null
Set-AzCdnEndpoint -CdnEndpoint $ep

...did not remove the policy. When retrieving the endpoint again and inspecting it, the policy is still present with all the same conditions and rules. I think Set-AzCdnEndpoint decided that as I wasn't providing a DeliveryPolicy I must not be wanting to alter the current state.

 

The following mechanism did clear out the policy and at least remove the infinite redirect problem (though no solution for HTTP => HTTPS redirect):

$ep.DeliveryPolicy.Rules.Clear()
Set-AzCdnEndpoint -CdnEndpoint $ep

@Braja it would be enormously useful if you could indicate the correct syntax for matching only HTTP requests in the conditions. Thanks!

Copper Contributor

Okay, so trying this again it seems that if I use only the "RequestScheme" condition mentioned in my last comment, and not the "GET" condition, it works. It is also possible that when I tried to have both conditions in the rule yesterday I did not leave enough time for the policy to propagate before testing it. This time my successful tests were half an hour after applying the policy. Immediate testing had still shown that it didn't work.

Microsoft

Hello everyone,
Sorry for the delayed response as i was away from work for sometime.
 
Checked the updates here internally and understood that the fix had been pushed and the http to https redirection rule shall work, however you need to use the "RequestScheme" rule condition instead of "RequestMethod" as suggested by @Josh_Gallagher in his comments above. Thanks @Josh_Gallagher for sharing details.
 
As indicated in this article, this feature is still in preview as such, it may be subject to frequent changes, and may not be suitable for production deployments yet.

Copper Contributor

Thank you @Josh_Gallagher 

 

I confirm "RequestScheme" works, although I had to wait a few hours before seeing a consistent redirect on every device and browser.

Copper Contributor

@Braja Can you update the top example so that it works when people come across it without them having to read through the entire comment history?

 

Copper Contributor

Using this logic, I am still receiving "BadRequest" on a standard_microsoft cdn

 


$RuleCondition = New-AzCdnDeliveryRuleCondition -MatchVariable 'RequestScheme' -Operator Equal -MatchValue "HTTP"
$RuleAction    = New-AzCdnDeliveryRuleAction -RedirectType Moved -DestinationProtocol Https
$Rule          = New-AzCdnDeliveryRule -Order 1 -Condition $RuleCondition -Action $RuleAction
$policy        = New-AzCdnDeliveryPolicy -Description "RedirectPolicy" -Rule $Rule

$ep.DeliveryPolicy = $policy

Set-AzCdnEndpoint -CdnEndpoint $ep
Microsoft

Hello @erikoleary ,

Thank you for the heads up, I have now updated the PS scripts details with the working one. 

Regarding the "BadRequest" error that you're receiving, I notice that you missed to provide a name while creating a CDNDeliveryRule.

 

Please provide a name like follows (also mentioned in this article's PS scripts) and try again,

$Rule          = New-AzCdnDeliveryRule -Name "rule2" -Order 1 -Condition $RuleCondition -Action $RuleAction

Copper Contributor

@Braja i tried it all different ways, always badrequest

Microsoft

Hello @erikoleary ,

I tried this operation today and it's working fine for me and works for others too.

 

Have you installed the latest Az.Cdn PS module? If yes, then it seems this needs some isolation to find out why this is failing in your case, it would be better if you can open an Azure support request to engage the CDN support team.

Copper Contributor

@Braja This also does not work for me, I can get to the point of setting the AzCdnEndpoint, but each time, I get

  "Set-AzCdnEndpoint : Operation returned an invalid status code 'BadRequest'"

The Az.Cdn PS module is at 1.3.1, so this is not the issue.

Copper Contributor

@Braja does the rules engine support wild cards/regex? I am trying to redirect request to a specific container in my storage account if the URL contains a specific string pattern

Microsoft

Hello @deeksy@erikoleary ,

Recently, this http to https feature made available on Azure Portal to enable for a CDN endpoint. You can use "Rules Engine" blade to make the change via Azure Portal in case it's failing from PS for some reason.

Please find the guidelines to do the same from Azure Portal here : Enforce https using Azure CDN Standard Rules Engine

Microsoft

Hello @koushikraman ,

Please find the reference article which will help you guide through wildcard support details: https://docs.microsoft.com/en-us/azure/cdn/cdn-standard-rules-engine-reference 

Also, please find the following article for more details:

1. https://docs.microsoft.com/en-us/azure/cdn/cdn-standard-rules-engine-match-conditions 

2. https://docs.microsoft.com/en-us/azure/cdn/cdn-standard-rules-engine-actions 

 

Also, i have updated these links in this article to make everyone aware of it.

 

 

Version history
Last update:
‎Sep 15 2020 01:41 AM
Updated by: