5.5 Web Application Firewall (WAF)
📘 Microsoft Azure Networking Solutions (AZ-700)
Configure WAF Rule Sets for Azure Front Door and Application Gateway
A Web Application Firewall (WAF) protects your web applications from common threats such as SQL injection, cross-site scripting (XSS), and other web attacks. In Azure, WAF can be deployed with:
- Azure Front Door (AFD) – a global, layer 7 load balancer for fast, secure delivery of web traffic.
- Azure Application Gateway (App Gateway) – a regional, layer 7 load balancer with more advanced WAF capabilities.
Configuring WAF includes selecting and managing rule sets, which define how WAF inspects and blocks traffic.
1. WAF Rule Sets Overview
A WAF rule set is a pre-defined collection of rules that protect web applications. Azure uses OWASP (Open Web Application Security Project) Core Rule Sets (CRS), which are regularly updated to protect against known vulnerabilities.
- OWASP CRS Versions: Azure currently supports 3.0, 3.1, 3.2, and 3.3. Each version includes updated rules for emerging threats.
- Types of Rules:
  - Request blocking rules: Block malicious requests.
  - Detection rules: Log suspicious requests without blocking them.
  - Custom rules: Specific rules you can create based on IP, geolocation, HTTP parameters, or headers.
Exam Tip: Know that WAF has managed rule sets (OWASP CRS) and custom rules, and that rule sets differ slightly between Front Door and Application Gateway.
2. WAF on Azure Front Door
Azure Front Door is global and ideal for protecting applications accessible worldwide. WAF here inspects requests before they reach your backend servers.
Steps to Configure WAF Rule Sets in Front Door:
- Create a WAF Policy
  - Go to Azure Portal → Front Door WAF policies → Create.
  - Choose:
    - Policy mode:
      - Detection – Only log attacks.
      - Prevention – Block attacks.
    - Rule set version (e.g., OWASP 3.2).
- Associate the WAF Policy with Front Door
  - Link the WAF policy to frontend hosts (your domains in Front Door).
  - WAF now inspects all incoming HTTP/HTTPS requests.
- Customize Rule Sets (Optional)
  - Enable/disable specific rules: e.g., turn off rules that produce false positives for specific legitimate traffic patterns.
  - Add custom rules: e.g., block requests from specific countries or IP ranges.
- Monitoring and Logging
  - Enable Azure Monitor logs to view blocked requests, detection alerts, and rule matches.
  - You can see which rules are triggered most frequently and adjust policies accordingly.
Key Points for Exam:
- WAF on Front Door is global.
- Managed rule sets are based on the OWASP CRS.
- You can enable detection or prevention mode.
- Custom rules are optional but can target IP, country, or HTTP parameters.
3. WAF on Application Gateway
Application Gateway is regional and sits inside your virtual network (VNet). WAF inspects requests that pass through the gateway before reaching your web servers.
Steps to Configure WAF Rule Sets in Application Gateway:
- Create a WAF Policy
  - Go to Azure Portal → Application Gateway WAF policies → Create.
  - Choose:
    - Policy mode: Detection or Prevention.
    - Rule set version: OWASP 3.x.
- Associate WAF Policy with App Gateway
  - You can link the WAF policy to:
    - Listeners – specific endpoints.
    - Global Gateway – all traffic through the App Gateway.
- Customize Rule Sets (Optional)
  - Enable/disable managed rules (OWASP CRS rules).
  - Add custom rules based on:
    - IP address
    - HTTP header
    - Query string
    - Geo-location
- Monitoring and Logging
  - Use Diagnostic logs in Azure Monitor to track blocked requests and WAF events.
  - Integrate with Azure Sentinel or Log Analytics for centralized monitoring.
Key Points for Exam:
- WAF on Application Gateway is regional.
- Supports OWASP managed rule sets and custom rules.
- Can associate WAF policies with listeners or the entire gateway.
- Logging is crucial for tuning WAF policies to avoid false positives.
4. Differences Between Front Door and Application Gateway WAF
| Feature | Front Door WAF | Application Gateway WAF |
|---|---|---|
| Scope | Global | Regional (VNet) |
| Managed Rule Sets | OWASP CRS | OWASP CRS |
| Custom Rules | Yes (IP, Country, Headers, Query) | Yes (IP, Country, Headers, Query) |
| Modes | Detection / Prevention | Detection / Prevention |
| Use Case | Internet-facing, global apps | Internal or regional web apps |
Exam Tip: Understand which WAF to use for global vs. regional apps and how rule sets are applied in each.
5. Best Practices for WAF Rule Sets
- Start with Detection Mode to monitor traffic without blocking.
- Use the latest OWASP CRS version for up-to-date protection.
- Customize rules carefully to prevent blocking legitimate traffic.
- Enable logging and alerts for monitoring and auditing.
- For global apps, use Front Door WAF; for regional or internal apps, use Application Gateway WAF.
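The monitoring steps above and the "start in Detection mode, then tune" practice come down to one routine: reading the WAF diagnostic logs, counting which rules fire, and reviewing the noisy ones before switching to Prevention. The script below is an added example (not from this guide or from Microsoft); it parses constructed records shaped like the Application Gateway and Front Door WAF log categories, with field names assumed from those schemas, and lists the rules that matched repeatedly without blocking.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like the two Azure WAF log categories
# (ApplicationGatewayFirewallLog and FrontDoorWebApplicationFirewallLog).
# Field names are assumed from the published schemas; all values are made up.
SAMPLE_LOG_LINES = [
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/search?q=report","ruleSetVersion":"3.2","ruleId":"942100","action":"Detected"}}',
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.11","requestUri":"/search?q=sales","ruleSetVersion":"3.2","ruleId":"942100","action":"Detected"}}',
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.7","requestUri":"/login","ruleSetVersion":"3.2","ruleId":"941100","action":"Blocked"}}',
    '{"category":"FrontDoorWebApplicationFirewallLog","properties":{"clientIP":"203.0.113.12","requestUri":"/search?q=q1","policyMode":"detection","ruleName":"DefaultRuleSet-1.0-SQLI-942100","action":"Log"}}',
    '{"category":"FrontDoorWebApplicationFirewallLog","properties":{"clientIP":"192.0.2.9","requestUri":"/admin","policyMode":"prevention","ruleName":"BlockCountry","action":"Block"}}',
]


def parse_record(line):
    """Normalize one JSON log line from either WAF category into a flat dict."""
    rec = json.loads(line)
    p = rec["properties"]
    if rec["category"] == "ApplicationGatewayFirewallLog":
        # App Gateway: 'Detected' in Detection mode, 'Blocked' in Prevention mode.
        rule, ip, blocked = p["ruleId"], p["clientIp"], p["action"] == "Blocked"
    else:
        # Front Door: 'Log' in detection mode, 'Block' in prevention mode.
        rule, ip, blocked = p["ruleName"], p["clientIP"], p["action"] == "Block"
    return {"rule": rule, "ip": ip, "uri": p["requestUri"], "blocked": blocked}


def rule_summary(lines):
    """Per-rule hit counts, split into detected-only and blocked, plus the URIs hit."""
    summary = defaultdict(lambda: {"detected": 0, "blocked": 0, "uris": set()})
    for line in lines:
        r = parse_record(line)
        summary[r["rule"]]["blocked" if r["blocked"] else "detected"] += 1
        summary[r["rule"]]["uris"].add(r["uri"])
    return summary


def tuning_candidates(summary, min_hits=2):
    """Rules that fired repeatedly but never blocked: Detection-mode matches to
    review (exclusion, disable, or accept) before the policy goes to Prevention."""
    return sorted(rule for rule, s in summary.items()
                  if s["blocked"] == 0 and s["detected"] >= min_hits)


if __name__ == "__main__":
    stats = rule_summary(SAMPLE_LOG_LINES)
    for rule, s in sorted(stats.items()):
        print(f"{rule}: detected={s['detected']} blocked={s['blocked']} uris={sorted(s['uris'])}")
    print("review before Prevention:", tuning_candidates(stats))
```

In practice the input is the JSON exported from Azure Monitor diagnostic settings, and the candidate list is what drives per-rule disables or exclusions in the WAF policy.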
Summary for Exam
- WAF protects web apps using managed (OWASP CRS) and custom rules.
- Front Door WAF: global, attach to frontend hosts.
- Application Gateway WAF: regional, attach to listeners or gateway.
- Modes: Detection (logs) or Prevention (blocks).
- Always enable monitoring and adjust rules to avoid false positives.
By remembering these points, you can confidently answer questions on configuring WAF rule sets for both Azure Front Door and Application Gateway on the AZ-700 exam.
