Azure Application Gateway WAF
The Web Application Firewall (WAF) for Azure Application Gateway protects your web applications from common web exploits and vulnerabilities. It's a cloud-native WAF that helps defend against threats like SQL injection, cross-site scripting, and other malicious attacks.
What is WAF?
A Web Application Firewall (WAF) is a security service that sits in front of web applications. It inspects the HTTP/S traffic sent to your web applications. Its primary purpose is to filter, monitor, and block malicious HTTP/S requests.
Azure Application Gateway WAF provides protection for your web applications by:
- Detecting and blocking known exploits and vulnerabilities.
- Preventing common web attack vectors such as SQL injection, cross-site scripting (XSS), file inclusion, and more.
- Providing a centralized security layer for multiple web applications.
- Reducing the burden of manual security patching for application teams.
WAF Modes
Azure Application Gateway WAF offers two distinct modes to suit your security needs:
Detection Mode
In Detection Mode, the WAF inspects all traffic for malicious requests but does not block them. Instead, it logs any requests that trigger WAF rules. This mode is ideal for initial deployment, testing, and monitoring to understand potential threats without impacting application availability.
Prevention Mode
In Prevention Mode, the WAF inspects traffic and actively blocks any request identified as malicious, which provides robust protection against attacks. When a malicious request is detected, the WAF returns a 403 Forbidden response to the client.
Choosing the Right Mode
It's recommended to start with Detection Mode to analyze traffic patterns and tune WAF rules. Once you are confident that the rules do not cause false positives for legitimate traffic, you can switch to Prevention Mode for full protection.
Managed Rule Sets
Azure Application Gateway WAF supports managed rule sets that are maintained by Microsoft and the Core Rule Set (CRS) community. These rule sets are updated regularly to protect against the latest threats.
- OWASP Core Rule Set (CRS): A collection of generic attack detection rules provided by the Open Web Application Security Project (OWASP).
- Microsoft Managed Rules: Rules developed by Microsoft to protect against threats specific to Azure and common vulnerabilities.
You can enable specific rule groups within these sets to tailor your WAF's protection.
Custom Rules
In addition to managed rules, Application Gateway WAF allows you to create custom rules to enforce specific security policies. This is useful for:
- Blocking specific IP addresses or ranges.
- Allowing traffic only from trusted sources.
- Enforcing rules based on request headers, query strings, or request body parameters.
- Implementing rate limiting to mitigate denial-of-service attacks.
Custom rules can be configured with Allow or Deny actions.
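The following Python script, added here as an example and not part of the original page or of any Microsoft tooling, assembles the properties of a WAF policy that ties the three preceding sections together: the policy mode (Detection or Prevention), the managed OWASP CRS rule set, and two custom rules (an IP block list and a per-client rate limit on a login path). It validates CIDRs and rule priorities before anything is deployed. The property names follow the customRules, policySettings and managedRules schema of the Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource as I know it, which is an assumption to verify against the API version you deploy with; note that the API spells the deny action "Block". The rule names, IP ranges and thresholds are constructed.

```python
import ipaddress
import json

# Property names below follow the customRules / policySettings / managedRules
# schema of Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
# as I know it (an assumption: check it against the API version you deploy
# with). Rule names, IP ranges and thresholds are constructed examples.

VALID_MODES = ("Detection", "Prevention")
VALID_DURATIONS = ("OneMin", "FiveMins")


def block_ip_rule(name, priority, cidrs):
    """MatchRule that blocks requests whose source address is in any listed CIDR.

    Each entry is normalised through ipaddress, so a typo fails here rather
    than at deployment time.
    """
    networks = [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]
    return {
        "name": name,
        "priority": priority,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [{
            "matchVariables": [{"variableName": "RemoteAddr"}],
            "operator": "IPMatch",
            "matchValues": networks,
        }],
    }


def rate_limit_rule(name, priority, uri_fragment, threshold, duration="OneMin"):
    """RateLimitRule that blocks a client address sending more than `threshold`
    requests to URIs containing `uri_fragment` within the duration window."""
    if threshold <= 0:
        raise ValueError("rateLimitThreshold must be positive")
    if duration not in VALID_DURATIONS:
        raise ValueError(f"rateLimitDuration must be one of {VALID_DURATIONS}")
    return {
        "name": name,
        "priority": priority,
        "ruleType": "RateLimitRule",
        "action": "Block",
        "rateLimitDuration": duration,
        "rateLimitThreshold": threshold,
        # Count requests per source address, not across all clients together.
        "groupByUserSession": [{"groupByVariables": [{"variableName": "ClientAddr"}]}],
        "matchConditions": [{
            "matchVariables": [{"variableName": "RequestUri"}],
            "operator": "Contains",
            "matchValues": [uri_fragment],
        }],
    }


def validate_custom_rules(rules):
    """Return a list of problems; an empty list means the set is consistent.

    Priorities decide evaluation order and must be unique, names must be
    unique, and every rule needs at least one match condition.
    """
    problems = []
    seen_priority, seen_name = {}, set()
    for r in rules:
        if r["priority"] in seen_priority:
            problems.append(f"priority {r['priority']} used by both "
                            f"{seen_priority[r['priority']]} and {r['name']}")
        seen_priority[r["priority"]] = r["name"]
        if r["name"] in seen_name:
            problems.append(f"duplicate rule name {r['name']}")
        seen_name.add(r["name"])
        if not r.get("matchConditions"):
            problems.append(f"rule {r['name']} has no match conditions")
    return problems


def waf_policy_properties(mode, custom_rules, crs_version="3.2"):
    """Assemble the policy properties: mode, managed OWASP CRS set, custom rules."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}")
    problems = validate_custom_rules(custom_rules)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "policySettings": {"state": "Enabled", "mode": mode, "requestBodyCheck": True},
        "managedRules": {"managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": crs_version}]},
        "customRules": custom_rules,
    }


if __name__ == "__main__":
    rules = [
        block_ip_rule("BlockKnownBadRanges", 10, ["198.51.100.0/24", "203.0.113.5"]),
        rate_limit_rule("LoginRateLimit", 20, "/login", threshold=100),
    ]
    # Start in Detection mode; switch to "Prevention" once the logs are clean.
    print(json.dumps(waf_policy_properties("Detection", rules), indent=2))
```

Feeding the printed document to an ARM or Bicep deployment is the usual next step; keeping the mode as a single parameter makes the Detection-to-Prevention switch recommended above a one-line change rather than a second policy.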
Monitoring and Logging
Effective monitoring and logging are crucial for managing your WAF. Application Gateway WAF integrates with Azure Monitor and Azure Log Analytics to provide insights into security events.
Key logs and metrics include:
- WAF Logs: Detailed information about WAF rule matches, detected threats, and blocked requests.
- Application Gateway Logs: Standard access and performance logs for the Application Gateway itself.
- Azure Monitor Metrics: Visualizations of WAF activity, such as the number of blocked requests or rule hits.
These logs can be sent to Log Analytics workspaces for advanced querying, analysis, and visualization.
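The script below, an added example rather than code from the original page or from Microsoft, shows the kind of triage a team runs on the WAF logs while still in Detection Mode: it parses firewall-log records, counts hits per rule, estimates how many requests Prevention Mode would have rejected, and flags the rules most likely to be false positives before the switch. The records are constructed in the shape of ApplicationGatewayFirewallLog diagnostic entries; the IPs, timestamps, resource id and the assumption that CRS 3.x logs the per-request anomaly verdict under rule 949110 with action "Detected" in Detection Mode (and "Blocked" in Prevention Mode) are mine, not the page's.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records (not real traffic) in the shape of
# ApplicationGatewayFirewallLog diagnostic entries; IPs, times and the
# resource id are invented.
RESOURCE_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
               "RG-EXAMPLE/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/APPGW-EXAMPLE")
# Assumption: CRS 3.x logs the per-request anomaly-score verdict under rule
# 949110. Signature rules log action "Matched"; the verdict logs "Detected"
# in Detection mode and "Blocked" in Prevention mode.
VERDICT_RULES = {"949110"}


def _firewall_record(ts, client_ip, uri, rule_id, message, action):
    return json.dumps({
        "timeStamp": ts, "resourceId": RESOURCE_ID,
        "operationName": "ApplicationGatewayFirewall",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "instanceId": "appgw_0", "clientIp": client_ip, "requestUri": uri,
            "ruleSetType": "OWASP_CRS", "ruleSetVersion": "3.2", "ruleId": rule_id,
            "message": message, "action": action, "site": "Global", "policyId": "default",
        },
    })


def build_sample_lines():
    """Five different users tripping one SQLi rule on the same search endpoint,
    one scanner tripping a scanner-UA rule on several paths, one lone host
    header match, and one access-log record that parsing must skip."""
    lines = []
    search_uri = "/api/search?q=select+comfort+chair"
    verdict = "Inbound Anomaly Score Exceeded (Total Score: 5)"
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]):
        ts = f"2024-05-01T10:00:{i:02d}+00:00"
        lines.append(_firewall_record(ts, ip, search_uri, "942100",
                                      "SQL Injection Attack Detected via libinjection", "Matched"))
        lines.append(_firewall_record(ts, ip, search_uri, "949110", verdict, "Detected"))
    for i, uri in enumerate(["/", "/login", "/backup", "/old"]):
        ts = f"2024-05-01T10:05:{i:02d}+00:00"
        lines.append(_firewall_record(ts, "198.51.100.9", uri, "913100",
                                      "Found User-Agent associated with security scanner", "Matched"))
        lines.append(_firewall_record(ts, "198.51.100.9", uri, "949110", verdict, "Detected"))
    lines.append(_firewall_record("2024-05-01T10:07:00+00:00", "203.0.113.7", "/", "920350",
                                  "Host header is a numeric IP address", "Matched"))
    lines.append(json.dumps({"timeStamp": "2024-05-01T10:07:01+00:00",
                             "category": "ApplicationGatewayAccessLog",
                             "properties": {"httpStatus": 200}}))
    return lines


def parse_records(lines):
    """Parse newline-delimited JSON and keep only firewall-log records."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        p = rec["properties"]
        records.append({"time": rec["timeStamp"], "client": p.get("clientIp", ""),
                        "uri": p.get("requestUri", ""), "rule": p.get("ruleId", ""),
                        "message": p.get("message", ""), "action": p.get("action", "")})
    return records


def rule_summary(records):
    """Per rule id: hit count, distinct clients, distinct URIs, action counts."""
    summary = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set(),
                                   "actions": Counter(), "message": ""})
    for r in records:
        s = summary[r["rule"]]
        s["hits"] += 1
        s["clients"].add(r["client"])
        s["uris"].add(r["uri"])
        s["actions"][r["action"]] += 1
        s["message"] = r["message"]
    return dict(summary)


def prevention_would_block(records):
    """Requests Prevention mode would have rejected: one "Detected" verdict each."""
    return sum(1 for r in records if r["rule"] in VERDICT_RULES and r["action"] == "Detected")


def false_positive_candidates(summary, min_clients=3, max_uris=2):
    """Signature rules hit by many different clients on the same few URIs are
    the first to review: broad use of one endpoint tripping one rule usually
    means the rule needs an exclusion, whereas one client hitting many paths
    looks like scanning and is the WAF doing its job."""
    return sorted(rule for rule, s in summary.items()
                  if rule not in VERDICT_RULES
                  and len(s["clients"]) >= min_clients and len(s["uris"]) <= max_uris)


if __name__ == "__main__":
    recs = parse_records(build_sample_lines())
    summ = rule_summary(recs)
    for rule, s in sorted(summ.items()):
        print(rule, s["hits"], len(s["clients"]), len(s["uris"]), dict(s["actions"]), s["message"])
    print("would be blocked in Prevention:", prevention_would_block(recs))
    print("review first:", false_positive_candidates(summ))
```

On the sample data the search endpoint's rule 942100 is the only candidate for review (five unrelated clients, one URI), while the scanner's rule 913100 hits come from a single source across several paths and the lone 920350 match never reached the anomaly threshold; the same functions work unchanged on an export of real firewall-log lines from a Log Analytics workspace.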
Best Practices
To maximize the effectiveness of your Azure Application Gateway WAF:
- Start in Detection Mode: Analyze WAF logs before enabling Prevention Mode to avoid blocking legitimate traffic.
- Regularly Update Rules: Ensure your WAF uses the latest managed rule sets to stay protected against emerging threats.
- Use Custom Rules Strategically: Implement custom rules for specific application requirements or to block known malicious sources.
- Configure Comprehensive Logging: Send WAF logs to Azure Log Analytics for detailed analysis and incident response.
- Monitor WAF Metrics: Keep an eye on WAF metrics in Azure Monitor to detect suspicious activity patterns.
- Understand False Positives/Negatives: Be prepared to tune rules and investigate any instances of legitimate traffic being blocked (false positive) or malicious traffic bypassing the WAF (false negative).