Overview of Azure Web Application Firewall features, deployment options, policy modes, managed and custom rules, and best practices to protect web applications from common attacks.
A Web Application Firewall (WAF) inspects and filters HTTP/HTTPS traffic before it reaches your backend applications, providing a dedicated layer of protection for web workloads. Properly configured, a WAF reduces exposure to common web attacks, centralizes enforcement, and simplifies security operations across distributed applications.
Key benefits of using a WAF
Centralized protection
Apply consistent WAF policies in one place to protect multiple web applications and enforce a uniform security posture.
Simplified security management
Security teams can react to new threats once—by updating the WAF—without requiring coordination and code changes across many application teams.
Threat assurance
A WAF blocks common web attacks (SQL injection, cross-site scripting, malicious bots) before they reach your origins, lowering incident impact.
Rapid response
Centralized policy updates can mitigate zero-day vulnerabilities and emerging threats faster than patching each affected application.
Coverage of the OWASP Top 10
Built-in rules map to common vulnerabilities (injection, broken auth, sensitive data exposure, etc.), providing an immediate baseline defense when enabled. See the OWASP Top 10 for more detail: https://owasp.org/www-project-top-ten/
Azure WAF deployment options
Choose a deployment model based on where you need inspection (region vs global edge), how you want to scope policies, and your overall architecture.
WAF on Azure Front Door
Deployed at Microsoft’s global edge, Front Door inspects incoming Internet requests close to users and before requests travel to origins. A single WAF policy can be applied across multiple Front Door endpoints, enabling global centralized enforcement across regions and hybrid environments. It is best suited for global, multi-region apps and performance-sensitive global inspection. Learn more: https://learn.microsoft.com/azure/web-application-firewall/afds/overview
Control plane
Application Gateway: managed within a region
Front Door: global management with edge delivery
Use cases
Application Gateway: internal or regional web apps behind VNets
Front Door: public-facing apps needing low-latency global protection
WAF policy modes
Detection (default)
The WAF evaluates incoming requests against its ruleset and logs suspicious activity without blocking traffic. This is the recommended starting mode so you can observe what would be blocked and fine-tune rules and exclusions.
Prevention
The WAF blocks requests that match configured rules or malicious signatures. After testing in detection mode, switch to prevention to actively enforce protections.
Example: If an attacker attempts SQL injection on a login form while the WAF is in prevention mode, the malicious request is blocked at the edge and never forwarded to your backend.
Managed rule sets and customization
Managed rule sets
Azure provides managed rule sets maintained by Microsoft that implement common protections, including mappings to OWASP-style protections. These rules are updated to address newly discovered threats.
Custom rules and exclusions
Create custom rules (block or allow) for IPs, geolocation, HTTP methods, header or cookie values, and URL path patterns. Use exclusions to prevent false positives for known benign requests or API clients.
Rate limiting and bot protection
Configure rules to mitigate abusive or automated traffic (throttling, bot detection, CAPTCHA/challenge behaviors).
Request inspection scope
Configure inspection for headers, query strings, cookies, and request bodies (body inspection is optional—be mindful of performance and payload size).
Policy scoping specifics
For Application Gateway: attach multiple policies per gateway to scope protections to different listeners/sites. For Front Door: one global policy can apply across multiple endpoints, simplifying global enforcement.
Common rule types and examples
Signature-based
Purpose: block known attack patterns. Example: an SQLi or XSS signature match.
IP restriction
Purpose: allow or deny traffic from specific IPs or ranges. Example: block malicious IP ranges.
Geo-blocking
Purpose: block requests from specific countries. Example: deny requests from high-risk geographies.
Rate-limiting
Purpose: throttle abusive request rates. Example: limit requests per minute per IP.
Custom header rules
Purpose: enforce header-based access. Example: allow only specific API clients by header.
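A Front Door Premium WAF policy that combines the policy mode, managed rules with a scoped exclusion, body inspection, and the header and rate-limit custom rule types described above, written here as an added Bicep example (not code from the page or from Microsoft). The policy name, the X-Api-Client header and its value, and the session_id cookie name are assumed placeholders.

```bicep
// Added example, not the page's own code. Assumed placeholders: the policy name,
// the 'X-Api-Client' header and its value, and the 'session_id' cookie name.
@allowed(['Detection', 'Prevention'])
param wafMode string = 'Detection' // start in Detection; switch to Prevention after tuning
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'wafpolicyexample'
  location: 'Global'
  sku: { name: 'Premium_AzureFrontDoor' }
  properties: {
    policySettings: {
      mode: wafMode
      requestBodyCheck: 'Enabled' // body inspection on; confirm payload size limits first
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
          // scoped exclusion for a known-benign cookie instead of disabling the whole rule
          exclusions: [ { matchVariable: 'RequestCookieNames', selectorMatchOperator: 'Equals', selector: 'session_id' } ]
        }
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' } // bot protection
      ]
    }
    customRules: {
      rules: [
        { // header rule: block requests whose X-Api-Client header is not the expected value.
          // A Block on the negated match is used rather than an Allow rule, because a matching
          // Allow custom rule ends evaluation and the managed rules never see that request.
          name: 'RequireKnownApiClient'
          priority: 10
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [ { matchVariable: 'RequestHeader', selector: 'X-Api-Client', operator: 'Equal', negateCondition: true, matchValue: ['partner-billing'] } ]
        }
        { // rate limiting: 300 requests per minute per client IP, counted on any path
          name: 'RateLimitPerClientIp'
          priority: 20
          ruleType: 'RateLimitRule'
          action: 'Block'
          rateLimitDurationInMinutes: 1
          rateLimitThreshold: 300
          matchConditions: [ { matchVariable: 'RequestUri', operator: 'Contains', matchValue: ['/'] } ]
        }
      ]
    }
  }
}
```

Deploy with wafMode left at Detection, review the WAF diagnostic logs for rules that would have blocked legitimate traffic, then redeploy with wafMode set to Prevention.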
Best practices for WAF deployment
Start in detection mode, analyze logs, and tune rules/exclusions before moving to prevention.
Use managed rules as a baseline, then add scoped custom rules for application-specific behavior.
Enable diagnostic logging and integrate WAF logs with your monitoring and SIEM pipelines.
Regularly review and update policies to respond to new threats and application changes.
Test changes in a staging environment or use a phased rollout to reduce the risk of blocking legitimate traffic.
Be cautious with full request body inspection—enable it only when necessary and size limits are appropriate.
Always validate WAF changes in a test environment or using detection mode before enforcing them in production. This reduces the risk of blocking legitimate traffic.