Azure Application Gateway Web Application Firewall (WAF)
The Azure Web Application Firewall (WAF) on Application Gateway provides centralized protection for your web applications against common exploits and vulnerabilities such as SQL injection, cross-site scripting, and other web attacks. It is a managed service that shields your web applications by inspecting incoming HTTP requests before they reach your backends.
What is WAF?
WAF is a type of firewall that filters, monitors, and blocks HTTP traffic to and from a web application. It helps protect your applications by understanding traffic between web applications and the internet. WAF can detect and block malicious HTTP requests, and prevent unauthorized data exfiltration. It can also help you achieve compliance with web application security requirements.
Key Features
- Managed Rulesets: Application Gateway WAF supports both the OWASP Core Rule Set (CRS) and a custom ruleset for fine-grained control.
- Custom Rules: You can define custom rules to block or allow traffic based on IP addresses, request headers, request body, and query strings.
- Geo-filtering: Restrict access to your applications based on the geographic origin of the requests.
- Rate Limiting: Protect your applications from denial-of-service (DoS) attacks by limiting the number of requests from a single IP address.
- Bot Protection: Identify and mitigate malicious bot traffic.
- Managed Identities: Securely authenticate to other Azure services without managing credentials.
- Logging and Monitoring: Comprehensive logging of WAF events and integration with Azure Monitor for detailed insights.
WAF Modes
Application Gateway WAF supports two main modes:
Detection Mode
In detection mode, WAF logs malicious requests but does not block them. This mode is useful for understanding the types of attacks your applications are facing without impacting legitimate traffic. You can review the WAF logs to fine-tune your WAF policies.
Prevention Mode
In prevention mode, WAF actively blocks traffic that matches its rules. When a malicious request is detected, WAF returns a 403 Forbidden response to the client.
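Detection mode only pays off if someone actually reviews the logs before the switch to prevention. The following Python script is an added example, not code from this page or from Microsoft: it parses constructed diagnostic records shaped like the ApplicationGatewayFirewallLog category (field names such as clientIp, requestUri, ruleId and action are used as an assumption about that schema; the values are made up), counts what prevention mode would have blocked, and flags rule/path pairs tripped by many distinct clients as candidates for review. That "many distinct clients on the same path" heuristic is this example's own, not an Azure feature.

```python
import json
from collections import Counter, defaultdict

# Constructed sample diagnostic records (not real traffic). The layout follows the
# ApplicationGatewayFirewallLog category as an assumption; one access-log record is
# included to show that other categories are skipped.
SAMPLE_LOG = """
{"time":"2024-05-01T10:00:01Z","category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"clientIp":"203.0.113.10","requestUri":"/search?q=1%27%20OR%201%3D1","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","action":"Matched","hostname":"shop.example.com","message":"SQL Injection Attack Detected via libinjection"}}
{"time":"2024-05-01T10:00:01Z","category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"clientIp":"203.0.113.10","requestUri":"/search?q=1%27%20OR%201%3D1","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"949110","action":"Detected","hostname":"shop.example.com","message":"Inbound Anomaly Score Exceeded (Total Score: 5)"}}
{"time":"2024-05-01T10:01:10Z","category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"clientIp":"198.51.100.5","requestUri":"/api/profile","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942430","action":"Matched","hostname":"shop.example.com","message":"Restricted SQL Character Anomaly Detection (args)"}}
{"time":"2024-05-01T10:01:10Z","category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"clientIp":"198.51.100.5","requestUri":"/api/profile","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"949110","action":"Detected","hostname":"shop.example.com","message":"Inbound Anomaly Score Exceeded (Total Score: 5)"}}
{"time":"2024-05-01T10:01:12Z","category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"clientIp":"198.51.100.6","requestUri":"/api/profile","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942430","action":"Matched","hostname":"shop.example.com","message":"Restricted SQL Character Anomaly Detection (args)"}}
{"time":"2024-05-01T10:01:15Z","category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"clientIp":"198.51.100.7","requestUri":"/api/profile","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942430","action":"Matched","hostname":"shop.example.com","message":"Restricted SQL Character Anomaly Detection (args)"}}
{"time":"2024-05-01T10:03:00Z","category":"ApplicationGatewayAccessLog","operationName":"ApplicationGatewayAccess","properties":{"clientIP":"198.51.100.9","requestUri":"/","httpStatus":200}}
"""

# CRS 3.x rule 949110 is the anomaly-score verdict, not a detection rule, so it is
# excluded from per-rule tuning statistics.
ANOMALY_VERDICT_RULES = {"949110"}


def parse_waf_log(text):
    """Parse newline-delimited diagnostic records, keeping only WAF firewall entries."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue  # access and performance logs live in other categories
        p = rec["properties"]
        records.append({
            "time": rec["time"],
            "client": p["clientIp"],
            "path": p["requestUri"].split("?", 1)[0],  # group by path, drop the query
            "rule": p["ruleId"],
            "action": p["action"],
            "host": p["hostname"],
            "message": p["message"],
        })
    return records


def summarize(records, min_clients=3):
    """Summarize what prevention mode would block and flag tuning candidates.

    In detection mode a final verdict is logged with action "Detected"; the same
    request would get a 403 in prevention mode. A detection rule that fires on one
    path from many distinct clients is more likely a false positive on legitimate
    traffic than an attack, so it is worth reviewing for an exclusion first.
    """
    would_block = sum(1 for r in records if r["action"] == "Detected")
    blocked = sum(1 for r in records if r["action"] == "Blocked")
    rule_hits = Counter(r["rule"] for r in records if r["rule"] not in ANOMALY_VERDICT_RULES)
    clients_by_rule_path = defaultdict(set)
    for r in records:
        if r["rule"] not in ANOMALY_VERDICT_RULES:
            clients_by_rule_path[(r["rule"], r["path"])].add(r["client"])
    candidates = sorted(
        (rule, path, len(clients))
        for (rule, path), clients in clients_by_rule_path.items()
        if len(clients) >= min_clients
    )
    return {
        "would_block": would_block,
        "blocked": blocked,
        "top_rules": rule_hits.most_common(),
        "clients": len({r["client"] for r in records}),
        "tuning_candidates": candidates,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_waf_log(SAMPLE_LOG)), indent=2))
```

On the constructed sample the script reports two requests that prevention mode would have blocked and flags rule 942430 on /api/profile, hit by three different clients, as the one pair to look at before flipping the mode; the single-client /search hit keeps its rule 942100 out of the candidate list. Against real data, feed it the JSON lines exported from the diagnostic setting and raise min_clients to fit your traffic volume.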

Conceptual diagram of Application Gateway WAF.
Configuring WAF
Configuring WAF involves creating or updating an Application Gateway resource with a WAF policy. Here are the general steps:
- Create a WAF Policy: Define your WAF rules, managed rule sets, and custom rules.
- Associate WAF Policy with Application Gateway: Link the WAF policy to your Application Gateway's listener.
- Configure Diagnostic Settings: Enable logging for WAF events to Azure Monitor or Azure Storage for analysis.
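The three steps above produce a WAF policy document, and the settings inside it decide whether the WAF protects anything. The following Python script is an added example (not code from this page or from Microsoft) that audits a policy body shaped like the Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource: it starts from a weak policy, derives a hardened copy by correcting each finding, and checks both. The property names (policySettings, managedRules, customRules, rateLimitThreshold, groupByUserSession) are used on the assumption that they match the ARM schema; the specific checks and the 3.2 minimum are this example's own choices.

```python
import json
from collections import Counter


def uri_contains(value):
    """Match condition: request URI contains `value` (custom-rule schema as assumed)."""
    return {
        "matchVariables": [{"variableName": "RequestUri"}],
        "operator": "Contains",
        "matchValues": [value],
    }


# Constructed weak policy: log-only mode, no body inspection, old rule set,
# two custom rules sharing a priority, and a rate limit rule with no threshold.
WEAK_POLICY = {"properties": {
    "policySettings": {"state": "Enabled", "mode": "Detection",
                       "requestBodyCheck": False, "maxRequestBodySizeInKb": 128,
                       "fileUploadLimitInMb": 100},
    "managedRules": {"managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.0"}]},
    "customRules": [
        {"name": "BlockAdminLogin", "priority": 10, "ruleType": "MatchRule",
         "action": "Block", "matchConditions": [uri_contains("/admin/login")]},
        {"name": "RateLimitPerClient", "priority": 10, "ruleType": "RateLimitRule",
         "action": "Block", "rateLimitDuration": "OneMin",
         "matchConditions": [uri_contains("/")]},
    ],
}}

# Hardened copy: deep-copy the weak policy and fix each finding in place.
HARDENED_POLICY = json.loads(json.dumps(WEAK_POLICY))
_settings = HARDENED_POLICY["properties"]["policySettings"]
_settings["mode"] = "Prevention"          # actually block, not just log
_settings["requestBodyCheck"] = True      # inspect POST bodies too
HARDENED_POLICY["properties"]["managedRules"]["managedRuleSets"][0]["ruleSetVersion"] = "3.2"
_rate_rule = HARDENED_POLICY["properties"]["customRules"][1]
_rate_rule["priority"] = 20               # priorities must be unique
_rate_rule["rateLimitThreshold"] = 100    # requests per rateLimitDuration per client
_rate_rule["groupByUserSession"] = [{"groupByVariables": [{"variableName": "ClientAddr"}]}]


def audit_waf_policy(policy, min_crs=(3, 2)):
    """Return a list of human-readable findings; an empty list means no weak setting found."""
    findings = []
    props = policy["properties"]
    settings = props.get("policySettings", {})
    if settings.get("state") != "Enabled":
        findings.append("policy state is not Enabled: requests are not inspected at all")
    if settings.get("mode") != "Prevention":
        findings.append(f"mode is {settings.get('mode')}: matching requests are logged, not blocked")
    if not settings.get("requestBodyCheck", True):
        findings.append("requestBodyCheck is false: request bodies are not inspected")
    rule_sets = props.get("managedRules", {}).get("managedRuleSets", [])
    if not rule_sets:
        findings.append("no managed rule set: only custom rules apply")
    for rs in rule_sets:
        if rs.get("ruleSetType") == "OWASP":
            version = tuple(int(x) for x in rs["ruleSetVersion"].split("."))
            if version < min_crs:
                wanted = ".".join(map(str, min_crs))
                findings.append(f"OWASP CRS {rs['ruleSetVersion']} is older than {wanted}")
    rules = props.get("customRules", [])
    for prio, count in Counter(r["priority"] for r in rules).items():
        if count > 1:
            findings.append(f"custom rule priority {prio} is used by {count} rules; priorities must be unique")
    for r in rules:
        if r.get("ruleType") == "RateLimitRule" and "rateLimitThreshold" not in r:
            findings.append(f"rate limit rule {r['name']!r} has no rateLimitThreshold")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_waf_policy(policy) or ["no findings"])
```

The weak policy yields five findings and the hardened copy none. The same function can be pointed at a policy exported from your subscription (for instance the JSON returned by the Azure CLI or an ARM template) to catch a WAF that was left in Detection mode after a tuning phase.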
Example of a Custom Rule (Conceptual)
The rule below, in the shape used by the customRules element of a WAF policy, blocks any request whose URI contains /admin/login:
{
  "name": "BlockAdminLogin",
  "priority": 10,
  "ruleType": "MatchRule",
  "action": "Block",
  "matchConditions": [
    {
      "matchVariables": [
        { "variableName": "RequestUri" }
      ],
      "operator": "Contains",
      "matchValues": ["/admin/login"]
    }
  ]
}
Benefits of Using WAF
- Enhanced Security: Protects against a wide range of web threats.
- Compliance: Helps meet regulatory compliance requirements for web security.
- Reduced Attack Surface: Acts as a shield for your backend applications.
- Simplified Management: A managed service that reduces operational overhead.
Learn More
This page provides a high-level overview of Azure Application Gateway WAF. For detailed configuration and advanced features, please refer to the official Azure documentation.