Introduction to Azure WAF
Azure Web Application Firewall (WAF) on Application Gateway provides centralized protection for your web applications from common web exploits and vulnerabilities that could compromise application integrity, potentially leading to unauthorized access or data loss.
WAF is a tier of Application Gateway, a layer-7 (HTTP/S) load balancer that routes traffic to your web applications. WAF is designed to protect against a range of common web threats, including:
- SQL injection
- Cross-site scripting (XSS)
- Common attacks like directory traversal, remote file inclusion, and remote command execution
- Other OWASP Top 10 vulnerabilities
Azure WAF protects your web applications by inspecting incoming HTTP/S traffic before it reaches the backend. It can block malicious requests and can be deployed in front of any web application routed through the gateway, whether internet-facing or internal.
Key Features
Azure WAF on Application Gateway provides a rich set of features to secure your web applications:
- Managed Rule Sets: Microsoft-maintained rule sets (OWASP Core Rule Set versions and the Microsoft Default Rule Set, DRS) covering the OWASP Top 10 attack classes.
- Custom Rules: Your own rules matching on client IP address or geo-location, request method, URI, query string, headers, cookies, body and POST arguments, with Allow, Block or Log actions.
- Rate Limiting: A custom rule type that throttles clients exceeding a request count within a 1- or 5-minute window, grouped by client address or geo-location. It blunts application-layer floods; it is not a substitute for network-layer DDoS protection.
- Bot Protection: The Microsoft Bot Manager rule set blocks known-bad bots and classifies good and unknown bots so you can decide how to treat them.
- Geo-filtering: Allow or block requests based on the country resolved from the client IP address (custom rules with the GeoMatch operator).
- Managed & Custom Rule Management: Enable or disable individual managed rules and rule groups alongside your custom rules in one policy.
- False Positive Management: Exclusion lists that skip named headers, cookies or arguments during inspection, plus per-rule disabling, so legitimate traffic stops tripping rules.
- Extensive Logging and Reporting: Per-request firewall logs (rule ID, matched data, action taken) for security analysis and auditing.
How WAF Works
Azure WAF inspects incoming web traffic at the Application Gateway layer. It evaluates each HTTP request against the managed rule set selected in the policy (an OWASP Core Rule Set version or the Microsoft Default Rule Set) and any custom rules you define. If a request is deemed malicious, WAF takes the action the policy prescribes: blocking the request in Prevention mode, or only logging it for investigation in Detection mode.
A WAF policy is associated with the Application Gateway as a whole, with an individual listener, or with a URL path in a path-based routing rule; the most specific association wins. All traffic reaching that scope is inspected by the WAF.
Inspection Process:
- An incoming HTTP/S request arrives at the Application Gateway listener. TLS is terminated at the gateway, so encrypted traffic is inspected in the clear.
- The WAF engine evaluates the request against the WAF policy in effect for that listener or path.
- Custom rules are evaluated first, in ascending priority order. A matching Allow or Block rule ends evaluation; a matching Log rule records the hit and evaluation continues.
- Managed rules (OWASP CRS 3.x or DRS 2.x) then run in anomaly-scoring mode: each matching rule adds its severity weight (Critical 5, Error 4, Warning 3, Notice 2) to the request's score, and the request is blocked once the total reaches the threshold of 5. In Detection mode the same matches are logged but nothing is blocked.
- If no custom rule blocks the request and the anomaly score stays below the threshold, the request is forwarded to the backend.
Deployment Scenarios
Azure WAF is available in two deployment options:
1. WAF on Application Gateway (Managed Ruleset)
This is the most common deployment. You run Application Gateway in a WAF SKU and attach a WAF policy. Microsoft maintains the managed rule sets (CRS and DRS) and ships rule updates within a version; moving to a newer rule set version is a policy change that you make and retest.
Steps typically involve:
- Create or use an existing Application Gateway.
- Choose a WAF SKU. WAF_v2 is the current SKU (autoscaling, zone redundancy, per-listener and per-path policies, rate-limit custom rules); WAF_v1 is the legacy SKU and should not be used for new deployments.
- Create a WAF policy resource (mode, managed rule set version, custom rules, exclusions).
- Associate the WAF policy with the Application Gateway, with a listener, or with a path-based rule.
# Example using Azure CLI: create a WAF policy, then an Application Gateway (WAF_v2) that uses it
az network application-gateway waf-policy create \
  --name myWafPolicy \
  --resource-group myResourceGroup
# The gateway needs an existing VNet/subnet and public IP; resource names and the PFX password are placeholders
az network application-gateway create \
  --name myAppGateway \
  --resource-group myResourceGroup \
  --sku WAF_v2 \
  --capacity 2 \
  --vnet-name myVNet \
  --subnet myAGSubnet \
  --public-ip-address myPublicIP \
  --frontend-port 443 \
  --cert-file <path_to_your_ssl_cert> \
  --cert-password <cert_password> \
  --http-settings-cookie-based-affinity Disabled \
  --priority 100 \
  --waf-policy myWafPolicy
2. WAF on Azure Front Door (Managed Ruleset)
Azure Front Door also offers WAF capabilities for global HTTP/S load balancing. If your application requires global distribution and edge protection, Azure Front Door with WAF might be a better fit.
Configuring WAF Policies
WAF policies define the security rules and actions that WAF takes. You can create and manage these policies independently of the Application Gateway.
Policy Modes:
- Detection: WAF inspects traffic and logs suspicious requests but does not block them. Use this for initial deployment and for tuning, so that false positives surface in the logs before they affect users.
- Prevention: WAF inspects traffic, logs suspicious requests, and blocks them according to the configured rules; the client receives an HTTP 403 response.
Custom Rules:
You can create custom rules to match specific conditions based on:
- Request headers
- Request body
- Request method
- Request URI
- Remote IP address
- Geo-location
- Cookie values
- Post arguments
Each custom rule has a numeric priority (lower values run first), one or more match conditions (an operator such as IPMatch, GeoMatch, Contains, BeginsWith, EndsWith, Regex or a numeric comparison, optionally negated, with transforms such as Lowercase or UrlDecode applied before matching) and an action: Allow, Block, or Log. Allow and Block end evaluation for that request; Log records the match and lets evaluation continue to the remaining custom and managed rules. Rate-limit rules are custom rules with a request-count threshold over a 1- or 5-minute window.
Understanding Rule Sets
Azure WAF uses two kinds of rules:
- Managed Rule Sets: Curated by Microsoft from the OWASP Core Rule Set and Microsoft threat intelligence, covering the OWASP Top 10 attack classes. Microsoft maintains them; you pick the version and can disable individual rules or rule groups.
- Custom Rules: Rules you define for your specific application and threat model (allow-lists, geo restrictions, rate limits, application-specific blocks).
You can create a WAF policy that combines both. A typical policy relies on the managed rule set for generic protection and adds custom rules for what the managed rules cannot know, such as restricting an admin path to a corporate IP range.
Managed Rule Set Versions:
Azure WAF on Application Gateway supports several managed rule set versions (OWASP CRS 3.0, 3.1 and 3.2, and the Microsoft Default Rule Set DRS 2.1, which builds on CRS and adds Microsoft rules). Pick the newest version you have tested against your application; upgrades between versions are not automatic, so plan a Detection-mode run whenever you change versions.
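To make the evaluation order described under "How WAF Works" and the custom rule semantics above concrete, here is an added Python model of a WAF policy. It is example code written for this page, not Azure's engine: custom rules run first by priority with Allow and Block short-circuiting, then a simplified managed rule set scores matches and blocks at the anomaly threshold, with an exclusion that skips a named argument. The rule IDs and severities approximate CRS 3.2 entries, the match patterns are simplified stand-ins for the real signatures, and the IP range, country codes and requests are constructed for the example.

```python
"""Model of Application Gateway WAF policy evaluation (added example, not Azure's code).

Custom rules run first in ascending priority (Allow/Block stop evaluation, Log does not);
managed rules then use CRS 3.x / DRS 2.x style anomaly scoring. Rule ids and severities
approximate CRS 3.2; the regexes are simplified stand-ins; all inputs are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable

SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
ANOMALY_THRESHOLD = 5   # CRS 3.x default inbound threshold


@dataclass
class Request:
    remote_addr: str
    geo: str                      # country code the WAF resolves for remote_addr
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)   # raw query args (the real engine decodes/normalizes first)


@dataclass
class CustomRule:
    name: str
    priority: int                 # lower runs first
    action: str                   # Allow | Block | Log
    matches: Callable[[Request], bool]


@dataclass
class ManagedRule:
    rule_id: str
    severity: str
    pattern: str                  # regex applied to each query argument value


@dataclass
class WafPolicy:
    mode: str                     # Detection | Prevention
    custom_rules: list
    managed_rules: list
    exclusions: set = field(default_factory=set)   # query arg names skipped by managed rules


def evaluate(policy: WafPolicy, req: Request) -> dict:
    """Return {"decision": Allow|Block, "score": int, "log": [...]} for one request."""
    log = []
    enforce = policy.mode == "Prevention"          # Detection mode logs but never blocks
    for rule in sorted(policy.custom_rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        log.append(f"custom:{rule.name}:{rule.action}")
        if rule.action == "Allow":
            return {"decision": "Allow", "score": 0, "log": log}   # managed rules are skipped
        if rule.action == "Block":
            return {"decision": "Block" if enforce else "Allow", "score": 0, "log": log}
        # Log: recorded above, evaluation continues
    score = 0
    for name, value in req.query.items():
        if name in policy.exclusions:
            continue                                # exclusion: false-positive tuning for this argument
        for mr in policy.managed_rules:
            if re.search(mr.pattern, value, re.IGNORECASE):
                score += SEVERITY_SCORE[mr.severity]
                log.append(f"managed:{mr.rule_id}:{mr.severity}:ARGS:{name}")
    if score >= ANOMALY_THRESHOLD:
        log.append(f"managed:949110:Inbound Anomaly Score Exceeded (Total Score: {score})")
        return {"decision": "Block" if enforce else "Allow", "score": score, "log": log}
    return {"decision": "Allow", "score": score, "log": log}


def demo_policy(mode: str = "Prevention") -> WafPolicy:
    """A constructed policy: office allow-list, geo block, admin-path logging, four managed rules."""
    office = ipaddress.ip_network("203.0.113.0/24")   # documentation range, assumed corporate egress
    return WafPolicy(
        mode=mode,
        custom_rules=[
            CustomRule("AllowOfficeRange", 10, "Allow", lambda r: ipaddress.ip_address(r.remote_addr) in office),
            CustomRule("BlockGeo", 20, "Block", lambda r: r.geo in {"KP", "IR"}),
            CustomRule("LogAdminPath", 30, "Log", lambda r: r.uri.startswith("/admin")),
        ],
        managed_rules=[
            ManagedRule("942100", "Critical", r"(\bunion\b.*\bselect\b)|(' *or *'?\d+'? *= *'?\d+)"),  # SQLi
            ManagedRule("941100", "Critical", r"<script"),                                           # XSS
            ManagedRule("920230", "Warning", r"%25[0-9a-f]{2}"),                        # double URL encoding
            ManagedRule("920271", "Warning", r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"),      # non-printable chars
        ],
        exclusions={"comment"},   # e.g. a rich-text field that legitimately contains markup
    )


if __name__ == "__main__":
    policy = demo_policy()
    for req in [
        Request("203.0.113.7", "US", "GET", "/search", query={"q": "' or 1=1"}),          # allow-listed IP
        Request("198.51.100.9", "DE", "GET", "/search", query={"q": "' or 1=1"}),         # Critical hit -> block
        Request("198.51.100.9", "DE", "GET", "/a", query={"a": "%2541", "b": "x\x01y"}),  # 3 + 3 -> block
        Request("198.51.100.9", "DE", "POST", "/post", query={"comment": "<script>"}),    # excluded arg -> allow
    ]:
        print(req.uri, evaluate(policy, req))
```

Two behaviours worth noticing: an Allow custom rule from the office range lets a request through without the managed rules ever seeing it, which is why allow-lists should be as narrow as possible, and two Warning-level hits (3 + 3) block a request even though neither rule alone would, which is the usual source of surprising blocks when tuning.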
Monitoring and Logging
Effective monitoring is crucial for understanding WAF's effectiveness and identifying potential threats. Azure WAF integrates with Azure Monitor and Microsoft Defender for Cloud (formerly Azure Security Center).
Log categories:
- Firewall log (ApplicationGatewayFirewallLog): One record per rule hit, with the client IP, request URI, rule set and version, rule ID and message, the matched data, the action (Matched, Blocked or, in Detection mode, Detected) and a transactionId that ties together all hits for one request.
- Access and performance logs: General traffic flow and gateway health information.
These logs can be sent to Azure Log Analytics, Azure Storage, or Event Hubs for analysis, reporting, and alerting.
# Example Kusto query for WAF logs (AzureDiagnostics table; property names carry type suffixes such as _s)
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| where action_s == "Matched"   // individual rule hits; "Blocked" rows are the per-request verdict (rule 949110)
| summarize hits = count(), clients = dcount(clientIp_s) by ruleId_s, Message
| order by hits desc
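The Kusto query above counts rule hits; tuning decisions usually need the hits correlated per request. The following Python script is an added example (not Microsoft code) that reads firewall log records in the ApplicationGatewayFirewallLog JSON shape, groups them by transactionId so each Blocked request is shown with the Matched rules that drove its anomaly score, and flags rule/path pairs tripped by many distinct client IPs as candidates for an exclusion review. The log records, IP addresses (documentation ranges), hostname and transaction IDs are constructed for this example, and the "many distinct clients" heuristic is an assumption, not an Azure feature.

```python
"""Triage of Application Gateway WAF firewall log records (added example, not Microsoft's code).

Groups ApplicationGatewayFirewallLog records by transactionId so every Blocked request is
listed with the Matched rules behind it, and flags (ruleId, requestUri) pairs hit from many
distinct client IPs as probable false positives. All records below are constructed.
"""
import json
from collections import defaultdict


def _rec(tx, ip, uri, rule_id, message, action, data=""):
    """Build one record in the ApplicationGatewayFirewallLog shape (constructed sample data)."""
    return json.dumps({
        "timeStamp": "2024-05-01T10:00:00Z",
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "clientIp": ip, "requestUri": uri, "ruleSetType": "OWASP_CRS", "ruleSetVersion": "3.2",
            "ruleId": rule_id, "message": message, "action": action,
            "details": {"data": data}, "hostname": "www.example.test",
            "transactionId": tx, "policyScope": "Global",
        },
    })


BLOCK = "Inbound Anomaly Score Exceeded (Total Score: 5)"
SAMPLE_LOG = "\n".join([   # constructed: one real attack, three identical hits on a free-text field, one XSS probe
    _rec("t-0001", "198.51.100.23", "/search", "942100", "SQL Injection Attack Detected via libinjection", "Matched", "ARGS:q: ' or 1=1"),
    _rec("t-0001", "198.51.100.23", "/search", "949110", BLOCK, "Blocked"),
    _rec("t-0002", "203.0.113.5", "/api/profile", "942440", "SQL Comment Sequence Detected", "Matched", "ARGS:bio: see notes -- draft"),
    _rec("t-0002", "203.0.113.5", "/api/profile", "949110", BLOCK, "Blocked"),
    _rec("t-0003", "203.0.113.18", "/api/profile", "942440", "SQL Comment Sequence Detected", "Matched", "ARGS:bio: todo -- fix"),
    _rec("t-0003", "203.0.113.18", "/api/profile", "949110", BLOCK, "Blocked"),
    _rec("t-0004", "192.0.2.40", "/api/profile", "942440", "SQL Comment Sequence Detected", "Matched", "ARGS:bio: -- signature"),
    _rec("t-0004", "192.0.2.40", "/api/profile", "949110", BLOCK, "Blocked"),
    _rec("t-0005", "192.0.2.77", "/login", "941100", "XSS Attack Detected via libinjection", "Matched", "ARGS:user: <script>"),
    _rec("t-0005", "192.0.2.77", "/login", "949110", BLOCK, "Blocked"),
    _rec("t-0006", "198.51.100.23", "/search", "920350", "Host header is a numeric IP address", "Matched", "REQUEST_HEADERS:Host"),
])


def parse_records(text):
    """One JSON record per line; returns the 'properties' dicts in file order."""
    return [json.loads(line)["properties"] for line in text.splitlines() if line.strip()]


def blocked_transactions(records):
    """For each transaction that ended in a Blocked row, list the Matched rules that contributed to it."""
    by_tx = defaultdict(list)
    for p in records:
        by_tx[p["transactionId"]].append(p)
    result = []
    for tx, rows in by_tx.items():
        if not any(r["action"] == "Blocked" for r in rows):
            continue   # hits whose anomaly score stayed below the threshold; worth a look, but nothing was blocked
        contributing = [(r["ruleId"], r["message"], r["details"].get("data", ""))
                        for r in rows if r["action"] == "Matched"]
        result.append({"transactionId": tx, "clientIp": rows[0]["clientIp"],
                       "requestUri": rows[0]["requestUri"], "contributing": contributing})
    return result


def exclusion_candidates(records, min_ips=3):
    """(ruleId, requestUri, distinct clients) for pairs hit from at least min_ips clients.

    Heuristic (an assumption of this example): attack tooling comes from few IPs and trips several
    rules, whereas a benign feature trips the same single rule for many ordinary users.
    """
    ips = defaultdict(set)
    for p in records:
        if p["action"] == "Matched":
            ips[(p["ruleId"], p["requestUri"])].add(p["clientIp"])
    cands = [(rid, uri, len(s)) for (rid, uri), s in ips.items() if len(s) >= min_ips]
    return sorted(cands, key=lambda c: -c[2])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for b in blocked_transactions(recs):
        print(b["transactionId"], b["clientIp"], b["requestUri"], [c[0] for c in b["contributing"]])
    print("exclusion candidates:", exclusion_candidates(recs))
```

In the sample, rule 942440 fires on the same "bio" argument of /api/profile from three unrelated clients, which is the shape a false positive takes; the fix would be an exclusion for that request argument scoped to that rule rather than disabling 942440 globally. The lone SQLi and XSS hits come from single clients and should stay blocked.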
Best Practices
To maximize the effectiveness of Azure WAF:
- Start in Detection Mode: Deploy WAF in detection mode first to identify potential false positives before enabling prevention mode.
- Regularly Review Logs: Monitor WAF logs to understand threats and tune rules as needed.
- Use WAF v2 SKU: Leverage the advanced features and performance of WAF v2.
- Keep Managed Rules Updated: Run the newest managed rule set version you have tested (DRS 2.1 or CRS 3.2 rather than older CRS releases); version upgrades are a policy change you make, not an automatic update, so schedule them and retest in Detection mode.
- Implement Custom Rules Wisely: Use custom rules to address specific application vulnerabilities that managed rules may not cover.
- Integrate with Security Tools: Connect WAF logs to Microsoft Sentinel or another SIEM so WAF events can be correlated with other security data.
- Test Thoroughly: Before going to production, test WAF rules with realistic attack scenarios and legitimate traffic.