5.5 Web Application Firewall (WAF)
📘Microsoft Azure Networking Solutions (AZ-700)
Overview
A Web Application Firewall (WAF) is a security service that protects your web applications from common threats like:
- SQL injection attacks
- Cross-site scripting (XSS)
- Bad bots
- Vulnerabilities listed in the OWASP Top 10
Azure WAF can be deployed with:
- Azure Application Gateway
- Azure Front Door
- Azure CDN
Mapping requirements to WAF features means understanding what your security or application needs and then choosing the right WAF features and configurations to meet those needs.
Step 1: Identify WAF Requirements
Before you can map features, you need to identify what your environment needs. Typical WAF requirements include:
- Protect against common web attacks
  - Example: Prevent SQL injection and XSS attacks targeting your web apps.
- Centralized policy management
  - You might want one policy applied to multiple web apps, instead of configuring security for each app individually.
- Custom rules for your app
  - Sometimes default rules aren’t enough. You may need custom rules to block specific requests or IPs.
- Logging and monitoring
  - Security teams want visibility into attacks, blocked requests, and alerts.
- Bot protection
  - Some apps need to allow good bots (like Googlebot) but block malicious bots.
- SSL/TLS termination and inspection
  - Ensures the WAF can inspect encrypted traffic before it reaches the app.
- Performance optimization
  - Must handle high traffic without slowing the application.
Step 2: Match Requirements to WAF Features
Here’s a detailed mapping of common requirements to Azure WAF features:
| Requirement | WAF Feature | Explanation |
|---|---|---|
| Protect against OWASP Top 10 attacks | Managed Rule Sets | WAF has built-in managed rule sets that automatically block SQL injection, XSS, and other common attacks. |
| Centralized security for multiple apps | Policy-based deployment | You can create WAF policies and apply them to multiple Application Gateways or Front Door instances, making management easier. |
| Need custom rules | Custom rules | Allows you to define rules based on IP address, request size, HTTP headers, or query strings. For example, block requests from a suspicious IP range. |
| Logging and monitoring | Diagnostics logs & metrics | WAF logs blocked requests and matched rules, and the diagnostic logs can be sent to Azure Monitor (Log Analytics), Microsoft Sentinel, or a storage account. |
| Bot protection | Bot protection rules | Detects bad bots and allows good bots using automated bot management. |
| SSL/TLS inspection | HTTPS/SSL termination | WAF can decrypt HTTPS traffic to inspect it for threats before passing it to the web server. |
| High availability and scalability | Integration with Front Door & Application Gateway | WAF can scale automatically and protect apps globally using Azure Front Door. |
| Real-time attack response | Rate limiting and blocking | Custom rules or managed rules can block repeated requests to protect from DDoS or brute force attacks. |
Step 3: WAF Deployment Options & Their Features
Azure WAF features differ slightly depending on where it’s deployed:
- WAF with Application Gateway
  - Protects regional web apps.
  - Provides Layer 7 protection.
  - Can use custom and managed rules.
- WAF with Azure Front Door
  - Protects global apps with traffic distributed across regions.
  - Offers global load balancing + WAF security.
- WAF with Azure CDN
  - Protects static content and reduces origin server load.
Exam Tip: Know the differences between deployment types and what features each supports.
Step 4: Best Practices for Mapping WAF Requirements
- Always start with managed rules – cover OWASP Top 10 by default.
- Use custom rules sparingly – only for application-specific needs.
- Enable logging – helps in audits and incident response.
- Test in “Detection Mode” first – WAF will log attacks but not block them, helping avoid false positives.
- Update rules regularly – security threats evolve, so WAF managed rules must be updated.
Step 5: Key Exam Pointers
For the AZ-700 exam:
- Understand the types of WAF rules:
  - Managed rules (OWASP Top 10)
  - Custom rules (IP, geo-location, headers, rate limiting)
- Know deployment scenarios:
  - Application Gateway WAF → regional apps
  - Front Door WAF → global apps
- Know logging and monitoring options:
  - Integration with Azure Monitor and Sentinel
- Be able to map requirements to features:
  - Example Question: “You need to block requests from certain IPs but allow global traffic via Front Door. Which WAF feature helps?” → Custom rules + Front Door WAF policy
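As an added example (not from these notes and not Microsoft's code), the Python below models a Front Door WAF policy body in the shape the ARM/REST API uses, with the managed rule sets, the IP-block custom rule and the rate-limit custom rule from the Step 2 table and the Step 5 example question, and runs a simplified evaluator over constructed requests to show how rule priority order and Detection versus Prevention mode (Step 4) change the verdict. The resource field names follow the `Microsoft.Network/frontDoorWebApplicationFirewallPolicies` schema as I remember it and should be treated as an assumption to check against the current API reference; the evaluator is a teaching model of rule matching, not Azure's engine (the rate-limit window reset is not modelled), and the IP ranges are TEST-NET addresses constructed for the example.

```python
"""Added example for the AZ-700 WAF notes; not Microsoft's code.

Models an Azure Front Door WAF policy body (field names follow the
frontDoorWebApplicationFirewallPolicies ARM schema as an assumption) and
evaluates constructed requests against its custom rules in priority order.
"""
import ipaddress
from collections import defaultdict

VALID_MODES = ("Detection", "Prevention")


def build_policy(mode="Detection", blocked_ranges=(), rate_limit=100):
    """Return a dict shaped like a Front Door WAF policy resource body.

    Managed rule sets cover the OWASP Top 10 (Default Rule Set) and bot
    protection; the two custom rules are the IP-block and rate-limit cases.
    """
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}")
    return {
        "sku": {"name": "Premium_AzureFrontDoor"},
        "properties": {
            "policySettings": {"enabledState": "Enabled", "mode": mode},
            "managedRules": {"managedRuleSets": [
                {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1"},
                {"ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.0"},
            ]},
            "customRules": {"rules": [
                {   # lowest priority number is evaluated first
                    "name": "BlockSuspiciousRanges", "priority": 10,
                    "enabledState": "Enabled", "ruleType": "MatchRule", "action": "Block",
                    "matchConditions": [{
                        "matchVariable": "RemoteAddr", "operator": "IPMatch",
                        "negateCondition": False, "matchValue": list(blocked_ranges)}],
                },
                {   # rate limit: more than rate_limit hits on /login per client per minute
                    "name": "RateLimitLogin", "priority": 20,
                    "enabledState": "Enabled", "ruleType": "RateLimitRule", "action": "Block",
                    "rateLimitDurationInMinutes": 1, "rateLimitThreshold": rate_limit,
                    "matchConditions": [{
                        "matchVariable": "RequestUri", "operator": "Contains",
                        "negateCondition": False, "matchValue": ["/login"]}],
                },
            ]},
        },
    }


def _condition_matches(cond, request):
    """Evaluate one match condition (only the two operators used above)."""
    var, op, values = cond["matchVariable"], cond["operator"], cond["matchValue"]
    if var == "RemoteAddr" and op == "IPMatch":
        ip = ipaddress.ip_address(request["client_ip"])
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    elif var == "RequestUri" and op == "Contains":
        hit = any(v in request["uri"] for v in values)
    else:
        raise ValueError(f"unsupported condition {var}/{op}")
    return hit != cond["negateCondition"]  # negateCondition inverts the result


class PolicyEvaluator:
    """Simplified model: custom rules in priority order, then mode applied."""

    def __init__(self, policy):
        self.settings = policy["properties"]["policySettings"]
        self.rules = sorted(policy["properties"]["customRules"]["rules"],
                            key=lambda r: r["priority"])
        self.counters = defaultdict(int)  # (rule name, client ip) -> hits seen

    def evaluate(self, request):
        """Return (verdict, matched rule name); verdict is Allow, Block or Log."""
        for rule in self.rules:
            if rule["enabledState"] != "Enabled":
                continue
            if not all(_condition_matches(c, request) for c in rule["matchConditions"]):
                continue
            if rule["ruleType"] == "RateLimitRule":
                key = (rule["name"], request["client_ip"])
                self.counters[key] += 1
                if self.counters[key] <= rule["rateLimitThreshold"]:
                    continue  # still within the allowed request count
            # Detection mode only logs what Prevention mode would block
            if rule["action"] == "Block" and self.settings["mode"] == "Detection":
                return "Log", rule["name"]
            return rule["action"], rule["name"]
        return "Allow", None


def run_demo():
    """Constructed traffic: one client in the blocked range, one hammering /login."""
    policy = build_policy(mode="Prevention", blocked_ranges=["203.0.113.0/24"], rate_limit=3)
    ev = PolicyEvaluator(policy)
    requests = [
        {"client_ip": "203.0.113.7", "uri": "/index.html"},   # blocked range
        {"client_ip": "198.51.100.9", "uri": "/index.html"},  # ordinary request
    ] + [{"client_ip": "198.51.100.9", "uri": "/login"}] * 4   # 4th hit exceeds 3
    return [ev.evaluate(r) for r in requests]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Running `run_demo()` blocks the first request on `BlockSuspiciousRanges`, allows the next four, and blocks the fourth `/login` request on `RateLimitLogin`; rebuilding the same policy with `mode="Detection"` turns each of those blocks into a `Log` verdict, which is the behaviour the Step 4 tip relies on for catching false positives before enforcing. The same policy would be created in Azure with the `az network front-door waf-policy` command group and attached to the Front Door profile.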
✅ Summary in simple terms:
- Step 1: Identify what protection your app needs.
- Step 2: Map each requirement to a WAF feature.
- Step 3: Choose the right WAF deployment (App Gateway, Front Door, CDN).
- Step 4: Use managed rules first, then custom rules if needed.
- Step 5: Enable logging, monitoring, and test in detection mode.
This approach ensures all requirements are covered, which is exactly what AZ-700 expects.
