5.5 Web Application Firewall (WAF)
📘Microsoft Azure Networking Solutions (AZ-700)
A Web Application Firewall (WAF) is a security service that protects your web applications from common threats and attacks, such as SQL injection, cross-site scripting (XSS), and other web vulnerabilities. In Azure, WAF is integrated with services like Azure Front Door and Application Gateway.
When designing a WAF deployment, the goal is to decide how and where to place WAF so that your applications are protected without disrupting traffic.
1. Understand Your WAF Deployment Options in Azure
Azure offers WAF in two main services:
- Azure Application Gateway WAF
- Deployed inside a virtual network (VNet).
- Protects web applications hosted in Azure or on-premises through private connectivity.
- Works at Layer 7 (HTTP/HTTPS).
- Supports regional deployments, meaning it protects traffic in one region.
- Azure Front Door WAF
- Deployed at the global edge, close to users worldwide.
- Protects applications with internet-facing endpoints.
- Offers global load balancing and application acceleration.
- Good for multi-region applications and high availability.
Key takeaway for the exam: Know when to use Application Gateway WAF vs Front Door WAF:
- Application Gateway WAF → regional, internal or internet-facing web apps.
- Front Door WAF → global, internet-facing, multi-region apps.
2. WAF Modes
When deploying a WAF, you must select a mode of operation:
- Detection mode
- WAF monitors traffic and logs suspicious requests.
- No requests are blocked.
- Useful for testing rules before enforcement.
- Prevention mode
- WAF blocks requests that match rules.
- Protects against real attacks in real-time.
Exam tip: Most designs start with detection mode to test, then switch to prevention mode after tuning rules.
3. Rule Sets
WAF uses rules to detect malicious traffic. Azure WAF supports managed and custom rules:
- Managed Rule Sets
- Provided by Microsoft.
- Protect against common vulnerabilities (OWASP Top 10).
- Example: SQL injection, XSS attacks.
- Versioning matters: Use the latest rule set for the best protection.
- Custom Rules
- You can allow, block, or rate-limit traffic based on:
- IP addresses
- Request size
- HTTP headers
- Query strings
- Useful to tune rules for your specific application.
- You can allow, block, or rate-limit traffic based on:
Key exam point: You may be asked which rules to use for general protection vs application-specific logic.
4. WAF Deployment Design Considerations
When designing a WAF deployment, consider:
- Placement
- WAF should be between users and the application.
- For Azure App Services, WAF sits in Front Door or Application Gateway in front of the app.
- For multi-region apps, Front Door is recommended.
- Scaling
- WAF should handle peak traffic without slowing down your apps.
- Use autoscaling in Application Gateway.
- Integration with other security services
- Azure WAF integrates with:
- Azure Monitor for logging
- Azure Security Center for threat intelligence
- Azure Sentinel for advanced threat detection
- Azure WAF integrates with:
- High Availability
- For critical applications, deploy WAF in multiple regions or behind Front Door.
- Ensure failover policies are set.
- Cost Considerations
- WAF in Front Door is billed globally per traffic processed.
- Application Gateway WAF is billed regionally, per instance size and throughput.
- Logging and Monitoring
- Enable diagnostic logs for:
- WAF alerts
- Blocked requests
- Rule set evaluation
- Logs help tune rules and meet compliance requirements.
- Enable diagnostic logs for:
5. Step-by-Step Example of a WAF Deployment
Let’s design a simple deployment for exam clarity:
Scenario: You have a web app hosted in East US, accessed globally.
- Choose service
- Since users are global, use Azure Front Door WAF.
- Configure WAF policy
- Start in Detection mode.
- Apply the latest OWASP managed rules.
- Add custom rules to block malicious IPs.
- Associate policy with Front Door
- Front Door handles routing and applies WAF rules to incoming traffic.
- Enable logging
- Send WAF logs to Log Analytics.
- Monitor alerts and tune rules.
- Switch to Prevention mode
- After testing for a week, switch to Prevention mode to block threats in real-time.
6. Exam Tips – WAF Design
- Remember service types: Application Gateway (regional) vs Front Door (global).
- Remember modes: Detection vs Prevention.
- Understand rules: Managed for common threats, Custom for app-specific needs.
- Consider scaling and high availability in your design.
- Always enable logging for monitoring and compliance.
- Think placement: WAF always sits in front of the application.
7. Quick Table: WAF Deployment Design Summary
| Aspect | Application Gateway WAF | Front Door WAF |
|---|---|---|
| Scope | Regional | Global |
| Use Case | Regional apps, VNet apps | Multi-region internet apps |
| Mode | Detection / Prevention | Detection / Prevention |
| Rules | Managed / Custom | Managed / Custom |
| Scaling | Autoscale in VNet | Global scaling |
| Logging | Azure Monitor, Log Analytics | Azure Monitor, Log Analytics |
✅ Summary for the Exam:
Designing a WAF deployment is about choosing the right WAF type, configuring rules, placing it correctly, ensuring scalability and availability, monitoring traffic, and protecting applications effectively. You should know service options, modes, rules, logging, and design considerations for any scenario given in the exam.
