Web Application Firewall (WAF)
The Azure Web Application Firewall (WAF) on Application Gateway provides centralized protection for your web applications from common exploits and vulnerabilities. WAF can detect and block malicious HTTP/S traffic, such as SQL injection attacks, cross-site scripting attacks, and more.
What is WAF?
A Web Application Firewall (WAF) is a security service that protects your web applications from common web exploits and vulnerabilities that could compromise application integrity or lead to data breaches. WAFs differ from traditional network firewalls in that they operate at the application layer (Layer 7) of the OSI model, whereas traditional firewalls operate at lower layers of the network stack. WAFs can be placed in front of one or more web applications to inspect traffic. They give you visibility into the HTTP/S traffic to and from your web application, and can also detect and block malicious HTTP/S requests. WAFs can be deployed as an on-premises appliance or as a cloud-based service.
Key Features of Azure WAF
- Protection against common vulnerabilities: WAF protects against OWASP Top 10 vulnerabilities and other common web exploits.
- Managed rule sets: Azure WAF uses two kinds of managed rule sets: rules maintained by Microsoft, and the Open Web Application Security Project (OWASP) Core Rule Set (CRS).
- Custom rules: You can create your own custom rules to block specific IP addresses, deny malicious traffic based on request attributes, or apply rate limiting.
- Geo-blocking: Restrict access to your applications based on geographic location.
- Bot protection: Identify and block malicious bots.
- Detection and prevention modes: Choose between detection mode (logs suspicious traffic) and prevention mode (blocks suspicious traffic).
- Detailed logging and reporting: Gain insights into detected threats and WAF activity.
WAF Policies
WAF policies are the core of how Azure WAF operates. A WAF policy defines the rules and configurations that WAF applies to traffic. You can associate a WAF policy with a specific Application Gateway.
Configuring WAF
You can configure WAF through the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.
Creating a WAF Policy:
- Navigate to the Azure portal and search for "Web Application Firewall (WAF)".
- Click "Create".
- Select your subscription, resource group, and region.
- Choose a policy name and select the WAF mode (Detection or Prevention).
- Choose the managed rule set (e.g., OWASP CRS 3.2).
- Configure custom rules and other settings as needed.
- Review and create the policy.
Associating a WAF Policy with Application Gateway:
You can associate an existing WAF policy with an Application Gateway during its creation or by editing an existing Application Gateway:
- Go to your Application Gateway resource in the Azure portal.
- In the left-hand menu, under "Settings", select "WAF".
- Click "Add WAF policy" or select an existing policy to associate.
- Save the changes.
WAF Modes
- Detection Mode: WAF logs all detected threats but does not block the traffic. This is useful for identifying potential issues and tuning your rules.
- Prevention Mode: WAF actively blocks traffic that matches a threat signature or a custom rule.
Managed Rule Sets
Azure WAF offers two primary managed rule sets:
- Microsoft Managed Rules: Developed and maintained by Microsoft's security team, offering comprehensive protection.
- OWASP Core Rule Set (CRS): A widely recognized set of open-source rules for detecting common web attacks. You can choose specific versions of the CRS.
Custom Rules
Custom rules allow you to define your own security logic:
- IP address restrictions: Block or allow traffic from specific IP addresses or ranges.
- Match conditions: Define rules based on request headers, URI, request body, query string, etc.
- Action: Allow, block, or log the matched traffic.
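As an added example (not from the original page or Azure's own documentation), the ARM-template route listed under Configuring WAF, showing the pieces described above in one policy resource: Prevention mode, the OWASP CRS 3.2 managed rule set, an IP-range block rule, and a rate-limit rule applied per client address to the login path. The policy name, the 203.0.113.0/24 range (a reserved documentation range), the /login path, the threshold and the apiVersion are placeholder assumptions to adapt to your deployment.

```json
{
  "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
  "apiVersion": "2023-05-01",
  "name": "wafpolicy-example",
  "location": "[resourceGroup().location]",
  "properties": {
    "policySettings": {
      "state": "Enabled",
      "mode": "Prevention",
      "requestBodyCheck": true,
      "maxRequestBodySizeInKb": 128,
      "fileUploadLimitInMb": 100
    },
    "managedRules": {
      "managedRuleSets": [ { "ruleSetType": "OWASP", "ruleSetVersion": "3.2" } ]
    },
    "customRules": [
      {
        "name": "BlockListedSources",
        "priority": 10,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [ {
          "matchVariables": [ { "variableName": "RemoteAddr" } ],
          "operator": "IPMatch", "negationConditon": false,
          "matchValues": [ "203.0.113.0/24" ]
        } ]
      },
      {
        "name": "RateLimitLogin",
        "priority": 20,
        "ruleType": "RateLimitRule",
        "rateLimitDuration": "OneMin",
        "rateLimitThreshold": 100,
        "groupByUserSession": [ { "groupByVariables": [ { "variableName": "ClientAddr" } ] } ],
        "action": "Block",
        "matchConditions": [ {
          "matchVariables": [ { "variableName": "RequestUri" } ],
          "operator": "BeginsWith", "negationConditon": false,
          "matchValues": [ "/login" ], "transforms": [ "Lowercase" ]
        } ]
      }
    ]
  }
}
```

The misspelled `negationConditon` key is the schema's actual property name, not a typo to correct. To associate the policy with a gateway in the same template, set the gateway's `properties.firewallPolicy.id` to this resource's ID; switching `mode` to `Detection` first lets you review the logged matches before the rules start blocking.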
WAF and Application Gateway v1 vs v2
Azure WAF is available for both Application Gateway v1 and v2 SKUs, but v2 offers enhanced features and performance. It's recommended to use Application Gateway v2 for new deployments.