5.5 Web Application Firewall (WAF)
📘Microsoft Azure Networking Solutions (AZ-700)
A WAF (Web Application Firewall) is a security solution that protects your web applications from attacks such as SQL injection, cross-site scripting (XSS), and other threats targeting your application layer (Layer 7).
Implementing a WAF policy means creating rules and configurations that control how the WAF monitors, blocks, or logs traffic to your application.
1. WAF Policy Overview
A WAF policy is essentially a set of rules and configurations applied to a web application to protect it. In Azure, WAF policies are associated with:
- Azure Front Door (AFD) – Protects global applications with edge security.
- Azure Application Gateway (AppGW) – Protects applications deployed within your virtual network.
A WAF policy defines how traffic is inspected and what actions are taken.
2. Key Components of a WAF Policy
When implementing a WAF policy, you must understand its components:
- Policy Mode
- Detection Mode – WAF only logs suspicious activity; traffic is not blocked. Useful for testing new rules or auditing traffic.
- Prevention Mode – WAF blocks traffic that violates rules. Used in production to protect applications.
- Managed Rule Sets
- Predefined security rules from Azure that protect against common threats.
- Example: OWASP Core Rule Set (CRS) 3.2 protects against SQL injection, XSS, file inclusion attacks.
- You can enable/disable specific rules or set exceptions.
- Custom Rules
- Allow you to create rules based on IP addresses, request size, HTTP methods, query strings, or headers.
- Example: Block requests from a suspicious IP range or allow only POST requests to a login endpoint.
- Exclusions
- Sometimes your application has legitimate requests that look like attacks (e.g., certain special characters in URLs).
- WAF exclusions prevent these legitimate requests from being blocked.
- Example: A JSON payload may trigger an XSS rule. You can exclude requests with Content-Type: application/json.
- Policy Scope
- A WAF policy can be applied globally (for Front Door) or to specific listeners or backend pools (for Application Gateway).
3. Steps to Implement a WAF Policy in Azure
Here’s a simplified step-by-step process:
Step 1: Create a WAF Policy
- In the Azure portal, search for WAF policy → Create.
- Select the scope type: Front Door or Application Gateway.
Step 2: Choose Policy Mode
- Decide between Detection or Prevention.
- Example: Start in Detection mode for a new web app, then switch to Prevention after monitoring.
Step 3: Configure Managed Rules
- Add OWASP rule set to protect against common attacks.
- Enable/disable rules depending on your application’s needs.
- Example: Enable SQL injection prevention but disable rules blocking certain special characters required by your app.
Step 4: Add Custom Rules
- Create rules for specific traffic patterns.
- Example: Block all requests from a country where you don’t operate, or block HTTP methods like TRACE.
Step 5: Configure Exclusions
- Add exclusions for false positives.
- Example: Exclude /api/data from certain XSS rules if your app sends JSON with special characters.
Step 6: Apply the Policy
- For Front Door: Associate with your Front Door frontend.
- For Application Gateway: Associate with a listener or the entire gateway.
Step 7: Monitor and Tune
- Use WAF logs (Azure Monitor / Log Analytics) to check blocked traffic.
- Adjust rules and exclusions to reduce false positives and maintain security.
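Steps 2 to 5 above expressed as one deployable Application Gateway WAF policy, as an added Bicep example that is not part of the original notes. The policy and rule names, the argument selector "comment" and the country code "XX" are assumed placeholders; the OWASP rule group and rule id 920300 are real CRS 3.2 identifiers. Note that a WAF exclusion stops inspection of a named request attribute (header, cookie or argument) rather than allowing the whole request through.

```bicep
// Added example (not from the original notes); names marked "assumed" are placeholders.
param location string = resourceGroup().location
param policyName string = 'wafpol-appgw-example' // assumed placeholder name

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: policyName
  location: location
  properties: {
    // Step 2: start in Detection for a new app; switch to 'Prevention' once tuned
    policySettings: { state: 'Enabled', mode: 'Detection', requestBodyCheck: true }
    // Step 3: OWASP CRS 3.2 managed rules, with one rule disabled to show tuning
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
          ruleGroupOverrides: [
            {
              ruleGroupName: 'REQUEST-920-PROTOCOL-ENFORCEMENT'
              rules: [ { ruleId: '920300', state: 'Disabled' } ] // "missing Accept header" rule
            }
          ]
        }
      ]
      // Step 5: stop inspecting one request argument (assumed field name), not the whole request
      exclusions: [
        { matchVariable: 'RequestArgNames', selectorMatchOperator: 'Equals', selector: 'comment' }
      ]
    }
    // Step 4: custom rules are evaluated before managed rules, lowest priority number first
    customRules: [
      {
        name: 'BlockTraceMethod'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [ { matchVariables: [ { variableName: 'RequestMethod' } ], operator: 'Equal', matchValues: [ 'TRACE' ] } ]
      }
      {
        name: 'BlockUnsupportedCountry' // 'XX' is a placeholder; use the ISO 3166 code you want to block
        priority: 20
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [ { matchVariables: [ { variableName: 'RemoteAddr' } ], operator: 'GeoMatch', matchValues: [ 'XX' ] } ]
      }
    ]
  }
}
```

Step 6 is the association: reference the policy's resource id from the gateway's firewallPolicy (or a listener's) property, and Step 7 is reading the ApplicationGatewayFirewallLog in Log Analytics to decide which overrides and exclusions to keep before flipping mode to Prevention.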
4. Practical IT Examples
- Protecting a corporate login portal:
- WAF policy blocks SQL injection attempts on login forms.
- Only allows POST requests for authentication endpoints.
- Public API endpoint:
- WAF custom rule blocks suspicious IP ranges or countries.
- Exclusions prevent valid JSON requests from being blocked by XSS rules.
- Global website with Azure Front Door:
- WAF policy in Prevention mode blocks malicious traffic at the edge before it reaches the backend servers.
5. Exam Tips for AZ-700
- Know the difference between Detection and Prevention modes.
- Understand managed vs. custom rules.
- Be able to explain WAF exclusions and why they are needed.
- Know where policies can be applied (Front Door vs Application Gateway).
- Remember the importance of monitoring and tuning after deployment.
✅ Summary Table: WAF Policy Elements
| Component | Purpose | Example |
|---|---|---|
| Policy Mode | Defines if traffic is blocked or logged | Detection / Prevention |
| Managed Rules | Prebuilt rules for common threats | OWASP CRS 3.2 |
| Custom Rules | Rules for specific traffic patterns | Block IPs from a country |
| Exclusions | Avoid false positives | Exclude JSON POST requests from XSS rules |
| Scope | Where the policy applies | Front Door / Application Gateway listeners/backends |
This covers everything you need to know for implementing a WAF policy on the AZ-700 exam.
