Azure Application Gateway Firewall (WAF)

Secure your web applications with advanced protection

What is Azure WAF?

Azure Web Application Firewall (WAF) on Azure Application Gateway protects your web applications from common web exploits and vulnerabilities such as SQL injection, cross-site scripting (XSS), and malicious bots. It acts as a reverse proxy and sits in front of your web applications, inspecting incoming traffic.

WAF provides centralized protection for your web applications, making it easier to manage security policies and respond to threats. It supports both managed rule sets from the Open Web Application Security Project (OWASP) and custom rules for more granular control.

Key Features

  • Protection against common threats: Defends against OWASP Top 10 vulnerabilities like SQL injection and XSS.
  • Managed Rule Sets: Utilizes pre-configured rule sets from OWASP that are regularly updated by Microsoft.
  • Custom Rules: Allows you to define your own rules based on IP addresses, request headers, query strings, and more.
  • Rate Limiting: Protects against denial-of-service (DoS) attacks by limiting the number of requests from a single IP address.
  • Bot Protection: Identifies and blocks malicious bots.
  • Geo-filtering: Allows or blocks requests based on the geographic location of the client, so you control which regions can reach your applications.
  • Session Tracking: Monitors and tracks user sessions for suspicious activity.
  • Detection Mode: You can run WAF in detection mode to log malicious requests without blocking them, allowing you to fine-tune rules.
  • Prevention Mode: Actively blocks malicious traffic based on configured rules.
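The feature list above describes custom rules, rate limiting and the two WAF modes in the abstract. The following is an added example (not code from the page or from Microsoft) that models how such a policy decides a request: rules are evaluated in ascending priority, Allow and Block end evaluation, Log records the match and continues, a rate-limit rule counts requests per client IP over a sliding window, and in Detection mode a matching Block rule is only reported. Those evaluation semantics, the request dictionary shape and the sample rules are assumptions made for the illustration.

```python
"""Added example: a small model of how Azure WAF custom rules decide a request.

Illustrative code, not Azure's engine. Assumptions not stated on the page:
rules run in ascending priority; Allow and Block end evaluation; Log records
the match and continues; a rate-limit rule counts requests per client IP over
a sliding window; string comparisons are case-insensitive; in Detection mode a
matching Block rule is reported as "Detected" and the request is not stopped.
"""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional


def _extract(req: dict, variable: str) -> str:
    """Pull the matched part of a request (request dict shape chosen for this example)."""
    if variable == "RequestUri":
        return req.get("uri", "")
    if variable == "QueryString":
        return req.get("query", "")
    if variable.startswith("RequestHeaders:"):
        name = variable.split(":", 1)[1].lower()
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        return headers.get(name, "")
    raise ValueError(f"unsupported match variable: {variable}")


@dataclass
class Condition:
    variable: str          # RemoteAddr | RequestUri | QueryString | RequestHeaders:<name>
    operator: str          # IPMatch | Contains | Equal | Regex
    values: List[str]
    negate: bool = False   # "does not match" conditions

    def matches(self, req: dict) -> bool:
        if self.operator == "IPMatch":
            ip = ipaddress.ip_address(req["client_ip"])
            hit = any(ip in ipaddress.ip_network(v, strict=False) for v in self.values)
        else:
            subject = _extract(req, self.variable).lower()
            if self.operator == "Contains":
                hit = any(v.lower() in subject for v in self.values)
            elif self.operator == "Equal":
                hit = any(v.lower() == subject for v in self.values)
            elif self.operator == "Regex":
                hit = any(re.search(v, subject, re.IGNORECASE) for v in self.values)
            else:
                raise ValueError(f"unsupported operator: {self.operator}")
        return hit != self.negate


@dataclass
class Rule:
    name: str
    priority: int                      # lower number is evaluated first
    action: str                        # Allow | Block | Log
    conditions: List[Condition]
    rate_limit: Optional[int] = None   # set this to make a RateLimitRule
    window_seconds: int = 60


class WafPolicy:
    def __init__(self, rules: List[Rule], mode: str = "Prevention"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.mode = mode                        # Prevention | Detection
        self._hits = defaultdict(deque)         # (rule, client ip) -> request times

    def evaluate(self, req: dict, now: float = 0.0):
        """Return (decision, deciding rule or None, names of Log rules that fired)."""
        logged = []
        for rule in self.rules:
            if not all(c.matches(req) for c in rule.conditions):
                continue
            if rule.rate_limit is not None:
                window = self._hits[(rule.name, req["client_ip"])]
                window.append(now)
                while window[0] <= now - rule.window_seconds:
                    window.popleft()         # drop requests outside the window
                if len(window) <= rule.rate_limit:
                    continue                 # threshold not exceeded yet
            if rule.action == "Log":
                logged.append(rule.name)
                continue
            if rule.action == "Block" and self.mode == "Detection":
                return "Detected", rule.name, logged
            return rule.action, rule.name, logged
        # No custom rule decided: the managed (OWASP) rule set evaluates next.
        return "ManagedRules", None, logged


# Constructed rules for the demonstration (not from the page).
DEMO_RULES = [
    Rule("allow-corporate", 10, "Allow",
         [Condition("RemoteAddr", "IPMatch", ["10.0.0.0/8", "203.0.113.0/24"])]),
    Rule("block-bad-agent", 20, "Block",
         [Condition("RequestHeaders:User-Agent", "Contains", ["badbot"])]),
    Rule("log-external-admin", 30, "Log",
         [Condition("RequestUri", "Contains", ["/admin"]),
          Condition("RemoteAddr", "IPMatch", ["10.0.0.0/8"], negate=True)]),
    Rule("rate-limit-login", 40, "Block",
         [Condition("RequestUri", "Equal", ["/login"])], rate_limit=3, window_seconds=60),
]
```

The ordering matters: because the Allow rule has the lowest priority number, corporate clients never reach the rate limit or the bot rule, which is exactly the kind of interaction to check when a custom rule appears not to fire.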

Configuration Steps

Configuring WAF involves several steps, typically performed through the Azure portal, Azure CLI, or Azure PowerShell:

  1. Deploy Application Gateway: Ensure you have an Application Gateway instance deployed.
  2. Enable WAF: Associate a WAF policy with your Application Gateway.
  3. Choose WAF Mode: Select either Detection or Prevention mode.
  4. Configure Rule Sets: Enable OWASP managed rule sets (e.g., CRS 3.2, CRS 3.1, CRS 3.0) and define their sensitivity level.
  5. Create Custom Rules: Define custom rules for specific protection needs.
  6. Configure Exclusion Lists: Specify parts of the request that WAF should ignore.
  7. Set up Monitoring: Configure diagnostics settings to send WAF logs to Azure Monitor, Log Analytics, or Azure Storage.

Example Azure CLI commands to enable WAF on an existing Application Gateway. The policy is created with the OWASP CRS 3.2 managed rule set, enabled in Detection mode for initial tuning, and then attached to a gateway that is moved to the WAF_v2 SKU:


# 1. Create the WAF policy with the OWASP CRS 3.2 managed rule set
az network application-gateway waf-policy create \
    --name MyWAFPolicy \
    --resource-group MyResourceGroup \
    --location westus2 \
    --type OWASP \
    --version 3.2

# 2. Enable the policy in Detection mode (switch to Prevention once tuned)
az network application-gateway waf-policy policy-setting update \
    --policy-name MyWAFPolicy \
    --resource-group MyResourceGroup \
    --state Enabled \
    --mode Detection

# 3. Move the gateway to the WAF_v2 SKU and associate the policy
#    (--waf-policy accepts the policy name or its full resource ID)
az network application-gateway update \
    --name MyAppGateway \
    --resource-group MyResourceGroup \
    --set sku.name=WAF_v2 \
    --set sku.tier=WAF_v2 \
    --waf-policy MyWAFPolicy


OWASP Rule Sets

Azure WAF leverages OWASP Core Rule Sets (CRS) to detect and block threats. You can choose from different versions:

  • OWASP CRS 3.2: The latest recommended version, offering enhanced security and performance.
  • OWASP CRS 3.1: A stable and widely used version.
  • OWASP CRS 3.0: An older but still supported version.

Each rule set contains numerous rules categorized by threat type. You can enable/disable specific rule groups or individual rules and set their action (e.g., Block, Log, Allow).

Important: Regularly review and update your WAF rule sets to ensure protection against the latest threats.

Monitoring and Logging

Effective monitoring is crucial for understanding WAF activity and identifying potential attacks. Azure WAF integrates with Azure Monitor for comprehensive logging and analysis.

  • WAF Logs: WAF generates logs for allowed requests, blocked requests, and detected threats.
  • Metrics: Monitor key performance indicators such as WAF blocked requests, WAF allowed requests, and overall WAF health.
  • Azure Monitor: Send WAF logs to Log Analytics for querying and visualization, or to Azure Storage for long-term archival.
  • Alerting: Configure alerts in Azure Monitor based on WAF log data or metrics to notify you of suspicious activity.

Key log fields include:

  • Timestamp
  • Client IP
  • Request URL
  • Rule ID
  • Rule Message
  • Action Taken (Block/Log)

Best Practices

  • Start in Detection Mode: Begin by deploying WAF in detection mode to monitor traffic and identify potential false positives before enforcing blocking rules.
  • Regularly Update Rule Sets: Keep your WAF managed rule sets up-to-date to benefit from the latest threat intelligence.
  • Tune Custom Rules: Develop and refine custom rules based on your application's specific needs and traffic patterns.
  • Use Exclusion Lists Wisely: Only exclude specific request elements when absolutely necessary and document the reasons.
  • Monitor WAF Logs Continuously: Regularly review WAF logs and metrics to detect and respond to threats promptly.
  • Configure Geo-Filtering: Restrict access to regions that do not require access to your application.
  • Enable Bot Protection: Leverage WAF's capabilities to mitigate risks from automated bot traffic.
  • Integrate with SIEM: Forward WAF logs to a Security Information and Event Management (SIEM) system for centralized security monitoring and analysis.