What is Azure Web Application Firewall?
Azure Web Application Firewall (WAF) is cloud-native protection for web applications against common attacks and vulnerabilities. WAF is based on the OWASP Core Rule Set and protects against SQL Injection, Cross-Site Scripting (XSS), Local File Inclusion, and other web exploits. The service can be deployed in front of Azure Application Gateway, Azure Front Door, or Azure CDN.
WAF enables centralized security for all web applications without changes to application code and offers both Detection and Prevention modes.
Key Features
- OWASP Core Rule Set: Pre-configured protection against the OWASP Top 10 security risks
- Custom Rules: Custom rules based on IP addresses, geo-location, request rate, or request attributes
- Bot Protection: Detection and blocking of malicious bots with Microsoft Threat Intelligence
- Rate Limiting: Protection against application-layer DDoS through request limits
- Central Management: WAF Policy for multiple applications via Azure Firewall Manager
Typical Use Cases
Compliance Requirements: Meeting PCI-DSS, HIPAA, or other compliance standards that require WAF protection for web applications.
API Protection: Securing REST APIs and GraphQL endpoints against injection attacks and abuse.
Multi-Region Protection: Global protection for applications behind Azure Front Door with unified security policies.
Benefits
- No Code Changes: Protection implemented at infrastructure level
- Managed Rules: Microsoft continuously updates rules against new threats
- Real-time Monitoring: Integration with Azure Monitor and Log Analytics for security insights
- Flexible Deployment: Available on Application Gateway, Front Door, and CDN
Frequently Asked Questions about Azure Web Application Firewall
Where should I deploy WAF: Application Gateway or Front Door?
Application Gateway WAF is suitable for regional applications with VNet integration. Front Door WAF offers global edge protection with lower latency for distributed applications and better DDoS mitigation.
What is the difference between Detection and Prevention mode?
Detection mode logs attacks without blocking them, which makes it ideal for the initial rule-tuning phase. Prevention mode actively blocks requests identified as attacks.
How do I handle false positives?
You can create rule exclusions for specific request attributes, disable rules, or place custom rules with Allow actions before managed rules. Log Analytics helps identify false positives.
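A sketch of the log review this answer refers to, added here as an example (it is not innFactory's or Microsoft's code). It assumes firewall log records exported as one JSON object per line with `ruleId`, `requestUri` and `clientIp` fields; the sample records are constructed, and the heuristic (the same rule firing on the same path for many distinct clients suggests a false positive worth an exclusion review) is an assumption, not a product feature.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (documentation IP ranges). The field names are an
# assumption modelled on the firewall log's properties; adjust to your export.
SAMPLE_LOG = """\
{"clientIp": "203.0.113.10", "requestUri": "/api/comments?id=1", "ruleId": "942130"}
{"clientIp": "203.0.113.11", "requestUri": "/api/comments?id=2", "ruleId": "942130"}
{"clientIp": "203.0.113.12", "requestUri": "/api/comments", "ruleId": "942130"}
{"clientIp": "203.0.113.13", "requestUri": "/api/comments", "ruleId": "942130"}
{"clientIp": "203.0.113.10", "requestUri": "/api/comments?id=9", "ruleId": "942130"}
{"clientIp": "198.51.100.7", "requestUri": "/search?q=a", "ruleId": "941100"}
{"clientIp": "198.51.100.7", "requestUri": "/search?q=b", "ruleId": "941100"}
{"clientIp": "198.51.100.7", "requestUri": "/search?q=c", "ruleId": "941100"}
{"clientIp": "198.51.100.7", "requestUri": "/search?q=d", "ruleId": "941100"}
{"clientIp": "192.0.2.50", "requestUri": "/", "ruleId": "920350"}
this line is not JSON and must be skipped
"""


def false_positive_candidates(lines, min_hits=3, min_clients=3):
    """Return (ruleId, path, hits, distinct_clients) tuples, busiest first."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
            # Group on the path only, so varying query strings collapse together.
            key = (str(rec["ruleId"]), urlsplit(rec["requestUri"]).path)
            client = str(rec["clientIp"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed or incomplete record
        hits[key] += 1
        clients[key].add(client)
    found = [
        (rule, path, hits[(rule, path)], len(clients[(rule, path)]))
        for rule, path in hits
        if hits[(rule, path)] >= min_hits and len(clients[(rule, path)]) >= min_clients
    ]
    return sorted(found, key=lambda c: (-c[2], c[0], c[1]))


if __name__ == "__main__":
    for rule, path, n, who in false_positive_candidates(SAMPLE_LOG.splitlines()):
        print(f"rule {rule} on {path}: {n} hits from {who} clients")
```

Repeated hits from a single client, like the `/search` records in the sample, stay out of the candidate list and are better reviewed as possible probing than tuned away.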
Does WAF protect against DDoS attacks?
WAF protects against application-layer (Layer 7) attacks like Slowloris or HTTP floods. For volumetric DDoS attacks (Layer 3/4), you additionally need Azure DDoS Protection.
What logs are available?
WAF generates Access Logs (all requests), Firewall Logs (blocked requests with rule details), and Performance Logs. All logs can be streamed to Log Analytics, Event Hubs, or Storage Accounts.
Integration with innFactory
As a Microsoft Solutions Partner, innFactory supports you with Azure Web Application Firewall: from initial configuration and rule tuning, through CI/CD pipeline integration, to ongoing monitoring and incident response.
