This chapter covers how to design and configure Azure Front Door Web Application Firewall (WAF) policies to protect web applications from common exploits and vulnerabilities. For the AZ-305 exam, understanding WAF integration with Azure Front Door is critical as it appears in approximately 10-15% of questions related to security and network design. You will learn the internal mechanisms, rule evaluation, policy configuration, and how to troubleshoot common issues.
Jump to a section
Azure Front Door WAF is like an airport security checkpoint that operates at every entrance gate before passengers enter the terminal. Each gate has a team of inspectors (WAF rules) that check every passenger's ID and luggage against a global threat database. When a passenger (HTTP request) arrives, the inspector at the nearest gate examines the request's source IP, headers, and body for known attack patterns like SQL injection or cross-site scripting. If the request is clean, it is stamped with a pass and allowed to proceed to the correct boarding gate (origin server). If it matches a malicious pattern, it is immediately denied and logged. The inspectors share intelligence across all gates (global policy), so if one gate sees a new attack, all gates learn about it within seconds. This distributed screening ensures that no malicious passenger ever reaches the terminal, and legitimate traffic flows efficiently through the nearest gate to reduce latency.
What is Azure Front Door WAF and Why It Exists
Azure Front Door Web Application Firewall (WAF) is a cloud-native service that provides centralized protection for web applications from common attacks like SQL injection, cross-site scripting (XSS), and HTTP protocol violations. It integrates seamlessly with Azure Front Door, acting as a reverse proxy that inspects incoming HTTP/HTTPS requests before they reach the origin server. The WAF operates at the edge of Microsoft's global network, close to the client, which reduces latency for legitimate traffic and blocks attacks before they enter the Azure backbone.
The primary reason for using Azure Front Door WAF is to offload security management from the application layer. Instead of implementing custom security logic in each web application, you define a unified set of rules that applies to all traffic passing through Front Door. This simplifies compliance, reduces application complexity, and ensures consistent protection across multiple origins.
How It Works Internally
Azure Front Door WAF uses a rule engine that evaluates each incoming request against a set of managed or custom rules. The evaluation happens in the following order:
Inbound Request Arrives: An HTTP/HTTPS request hits the nearest Front Door point of presence (PoP) based on the client's geographic location. The request is terminated at the edge, meaning TLS decryption occurs here.
WAF Policy Attachment: The Front Door instance checks if a WAF policy is associated with the frontend host or routing rule. If a policy exists, the request is passed to the WAF engine.
Rule Evaluation Order: The WAF engine evaluates rules in a specific order: first, managed rule sets (like OWASP Core Rule Set) are evaluated, followed by custom rules. Within each rule set, rules are evaluated in priority order (lower number = higher priority). The evaluation is short-circuit: if a rule matches and its action is 'Block' or 'Redirect', the request is terminated immediately without evaluating further rules.
4. Rule Actions: Each rule can have one of three actions: - Allow: The request is allowed to pass through to the origin. - Block: The request is rejected with a 403 Forbidden response. - Log: The request is logged but still allowed (useful for testing). - Redirect: The request is redirected to a specified URL (custom rules only).
Request Matching: Rules match based on conditions like:
- Source IP address or range - Request URI, query string, headers, body - Request method (GET, POST, etc.) - Size of request parts - Geo-location (country code) - Rate limiting thresholds
Response from WAF: If the request passes all rules, it is forwarded to the origin server with the original client IP preserved in the X-Forwarded-For header. If blocked, the client receives a 403 response.
Key Components, Values, Defaults, and Timers
WAF Policy: A container for rule sets and settings. Each policy can be associated with multiple Front Door frontends or routing rules.
Managed Rule Sets: Pre-configured rule sets provided by Microsoft, such as:
- Microsoft_DefaultRuleSet_2.1 (latest version as of 2024) - OWASP_3.2 (CRS 3.2) - Bot Manager rule set (to detect and block malicious bots) - Custom Rules: User-defined rules with specific match conditions and actions. You can create up to 100 custom rules per policy. - Rate Limiting: A custom rule type that limits requests from a single client IP over a duration (e.g., 100 requests per 5 minutes). The default rate limit duration is 1 minute, but you can configure it from 1 to 60 minutes. - Default Action: If no rule matches, the default action is 'Allow'. You can change it to 'Block' to deny all traffic except what matches an 'Allow' rule. - TLS Inspection: Front Door terminates TLS at the edge, so the WAF sees the decrypted HTTP request. This allows inspection of the full request body. - Request Body Size Limit: The WAF inspects the first 128 KB of the request body by default. You can increase this to 2 MB using the 'RequestBodyCheck' setting. - Logging: WAF logs are sent to Azure Monitor, Log Analytics workspaces, or storage accounts. You can also stream logs to Event Hubs.
Configuration and Verification Commands
To create a WAF policy via Azure CLI:
az network front-door waf-policy create \
--resource-group myResourceGroup \
--name myWAFPolicy \
--sku Premium_AzureFrontDoor \
--mode PreventionTo associate the policy with a Front Door frontend:
az network front-door update \
--resource-group myResourceGroup \
--name myFrontDoor \
--frontend-endpoints myFrontendEndpoint \
--set wafPolicy.id=/subscriptions/.../providers/Microsoft.Network/frontDoorWebApplicationFirewallPolicies/myWAFPolicyTo verify the policy is applied:
az network front-door show --resource-group myResourceGroup --name myFrontDoor --query "frontendEndpoints[?name=='myFrontendEndpoint'].wafPolicy"To check WAF logs in Log Analytics:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| project TimeGenerated, clientIp_s, ruleName_s, action_sHow It Interacts with Related Technologies
Azure Front Door Standard vs Premium: WAF is available in both tiers, but Premium offers additional managed rule sets like Bot Manager and higher rate limiting limits.
Azure CDN: Azure Front Door WAF is separate from Azure CDN's WAF. Front Door WAF is more feature-rich and integrates with Front Door's global load balancing.
Azure Application Gateway: Application Gateway also has a WAF, but it is regional (not global). Front Door WAF is globally distributed, protecting against attacks at the edge.
Azure DDoS Protection: WAF complements DDoS Protection. DDoS mitigates volumetric attacks, while WAF handles application-layer attacks.
Private Link: With Front Door Premium, you can use Private Link to connect to origin servers privately, ensuring traffic never traverses the public internet.
Client Sends HTTP Request
A client (e.g., browser) sends an HTTP/HTTPS request to the application's domain. DNS resolves to the nearest Azure Front Door point of presence (PoP) based on latency. The request is terminated at the edge, meaning TLS handshake occurs and the request is decrypted. The WAF engine receives the plaintext HTTP request, including method, URI, headers, and body.
WAF Policy Retrieval
Front Door checks the routing rule associated with the incoming request to determine if a WAF policy is attached. If a policy is linked, it retrieves the policy configuration from the global policy store. The policy includes managed rule sets, custom rules, and settings like mode (Detection or Prevention) and default action.
Rule Evaluation Begins
The WAF engine starts evaluating rules in order of priority. First, it processes managed rule sets (e.g., Microsoft_DefaultRuleSet_2.1). Each rule set has a default priority, but you can adjust the priority of individual rules. The engine checks each rule's match conditions against the request. Conditions are evaluated using operators like 'Equals', 'Contains', 'Regex', 'IPMatch', etc.
Rule Match and Action
If a rule matches, the engine performs the configured action: Allow, Block, Log, or Redirect. For Block, the engine immediately sends a 403 Forbidden response and logs the event. For Allow, the request continues to the next rule. Log action allows the request but logs it. The evaluation is short-circuited on Block: no further rules are evaluated.
Request Forwarded to Origin
If no Block action is triggered, the request is forwarded to the origin server specified in the routing rule. The original client IP is preserved in the X-Forwarded-For header. Front Door may also add other headers like X-Forwarded-Proto. The origin server processes the request and sends a response back through Front Door to the client.
Enterprise Scenario 1: Global E-commerce Platform
A large e-commerce company uses Azure Front Door WAF to protect its website from SQL injection and XSS attacks. They have multiple origin servers across regions (US, Europe, Asia) behind Front Door. They enable the OWASP 3.2 managed rule set in Prevention mode. Additionally, they create custom rules to block requests from known malicious IPs (using a threat intelligence feed) and to enforce geo-blocking for countries where they don't operate. They set up rate limiting to prevent brute-force login attempts: 100 requests per 5 minutes per IP on the /login endpoint. In production, they monitor WAF logs in Azure Sentinel and have automated playbooks to update IP block lists. A common issue is false positives: legitimate requests that match managed rules. They tune the rules by setting specific rules to 'Log' mode temporarily and then adjusting conditions or excluding certain parameters.
Enterprise Scenario 2: Financial Services API Gateway
A bank exposes REST APIs through Azure Front Door for mobile banking apps. They use WAF with Bot Manager rule set to block scrapers and automated scripts. They also enforce TLS 1.2 minimum and require client certificates for authentication (Front Door supports mutual TLS). The WAF policy includes custom rules to validate that the request body contains expected JSON structure and to block requests with unusually large payloads (over 1 MB). They set the WAF mode to 'Detection' initially to test traffic patterns, then switch to 'Prevention' after two weeks of tuning. Performance is critical: they ensure the request body inspection size is set to 128 KB to avoid latency. A misconfiguration they encountered: forgetting to exclude health probe requests from rate limiting, causing Front Door health probes to be blocked and triggering origin unhealthy alerts.
Common Pitfalls and Performance Considerations
Over-blocking: Aggressive rules can block legitimate traffic. Always test in Detection mode first.
Under-blocking: Using outdated managed rule sets (e.g., OWASP 3.0 instead of 3.2) leaves vulnerabilities unpatched.
Latency: Enabling request body inspection for large payloads can increase latency. Keep the body size limit as low as possible.
Cost: WAF policies themselves are free, but data processing and log ingestion incur costs. Monitor log volume.
Rule Priority Conflict: If custom rules have higher priority than managed rules, they may bypass managed rule checks unintentionally.
What AZ-305 Tests on This Topic
AZ-305 objective 4.2 focuses on designing security for applications, including WAF integration. You need to know:
When to use Azure Front Door WAF vs Application Gateway WAF vs third-party WAF.
How to configure WAF policies with managed rule sets and custom rules.
The difference between Detection and Prevention modes.
How rate limiting works and its configurable parameters.
How to tune WAF to reduce false positives.
Integration with Azure DDoS Protection and Private Link.
Common Wrong Answers on Exam Questions
'WAF on Front Door can inspect encrypted traffic at the origin' – Wrong. TLS is terminated at Front Door, so WAF sees decrypted traffic. The origin receives decrypted traffic unless you re-encrypt.
'WAF policies can be applied per origin server' – Wrong. WAF policies are applied per frontend host or routing rule, not per origin. All traffic to a frontend shares the same policy.
'Rate limiting can be applied to individual users based on authentication' – Wrong. Rate limiting is based on client IP address, not user identity. To rate-limit by user, you need custom logic at the application.
'WAF in Detection mode blocks traffic' – Wrong. Detection mode only logs; Prevention mode blocks.
Specific Numbers and Terms to Memorize
Default request body size limit: 128 KB (max 2 MB)
Rate limit duration: 1-60 minutes (default 1 minute)
Maximum custom rules: 100 per policy
Managed rule sets: Microsoft_DefaultRuleSet_2.1, OWASP_3.2, Bot Manager
WAF modes: Detection, Prevention
Actions: Allow, Block, Log, Redirect (custom only)
Edge Cases the Exam Loves
Health probes: If you block health probes with a WAF rule, Front Door marks the origin as unhealthy. You must exclude the Front Door probe IPs.
Multiple WAF policies: A Front Door can have multiple frontends, each with a different WAF policy. The same origin can be accessed via different frontends with different WAF rules.
WAF and Private Link: When using Private Link, WAF still inspects traffic because it goes through Front Door first.
How to Eliminate Wrong Answers
If the question mentions 'regional' protection, think Application Gateway WAF. If 'global' or 'edge', think Front Door WAF.
If the question asks for 'user-based rate limiting', the answer is not WAF; it's application-level.
If the question involves 'TLS inspection at the edge', Front Door WAF is correct.
Azure Front Door WAF protects web applications at the global edge from common attacks like SQL injection, XSS, and HTTP floods.
WAF policies are associated with Front Door frontends or routing rules, not origins.
Managed rule sets include Microsoft_DefaultRuleSet_2.1 and OWASP_3.2; always use the latest version.
WAF modes: Detection (log only) and Prevention (block).
Rate limiting is based on client IP, with configurable threshold and duration (1-60 minutes).
Default request body size limit is 128 KB; can be increased to 2 MB.
Custom rules support actions: Allow, Block, Log, Redirect.
Health probes from Front Door must be allowed in WAF to avoid false unhealthy origin status.
WAF logs are sent to Azure Monitor, Log Analytics, Storage, or Event Hubs.
TLS is terminated at Front Door; WAF inspects decrypted traffic.
These come up on the exam all the time. Here's how to tell them apart.
Azure Front Door WAF
Global, edge-based protection across Azure PoPs.
Integrates with Front Door's global load balancing and acceleration.
Supports rate limiting and bot management (Premium).
Terminates TLS at the edge; cannot do end-to-end TLS without re-encryption.
Best for global web applications with multiple regions.
Azure Application Gateway WAF
Regional protection within a single Azure region.
Integrates with Application Gateway's layer 7 load balancing and URL routing.
Supports WAF policies with custom rules and managed rule sets.
Can do end-to-end TLS (SSL offload at gateway, then re-encrypt to backend).
Best for regional applications or when you need tight integration with VNet.
Mistake
Azure Front Door WAF can inspect encrypted traffic end-to-end without decryption.
Correct
WAF requires decrypted HTTP traffic to inspect the request body and headers. Front Door terminates TLS, so the WAF sees plaintext traffic. To maintain encryption to the origin, you must configure Front Door to re-encrypt traffic (using HTTPS backends).
Mistake
WAF policies are applied at the origin server level.
Correct
WAF policies are associated with Front Door frontend hosts or routing rules, not with origin servers. If multiple frontends point to the same origin, each can have a different WAF policy.
Mistake
Rate limiting in WAF can limit requests per user account.
Correct
Rate limiting is based on the client IP address, not user identity. To limit per user, you need to implement custom logic in the application (e.g., using session tokens).
Mistake
Setting WAF to Detection mode blocks malicious requests.
Correct
Detection mode only logs requests that match rules; it does not block them. To block, you must use Prevention mode.
Mistake
All managed rule sets are automatically updated by Microsoft.
Correct
Microsoft updates the default rule set (Microsoft_DefaultRuleSet) automatically, but OWASP rule sets are versioned and you must manually upgrade to a newer version.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, Azure Front Door WAF is tightly integrated with Azure Front Door. It cannot be used standalone. For a standalone WAF, consider Azure Application Gateway WAF or a third-party WAF.
Start by setting the WAF mode to Detection to identify false positives. Then, exclude specific request attributes (like headers or cookies) from rules, or disable specific rules that cause false positives. You can also create custom rules with higher priority to allow legitimate traffic before managed rules are evaluated.
Yes, you can create custom rules that match on the country code derived from the client IP. For example, you can block all requests from countries outside your target market using the GeoMatch condition.
Azure Front Door WAF is more feature-rich, supporting managed rule sets, custom rules, rate limiting, and bot management. Azure CDN WAF is a simpler, legacy offering with limited rule sets. For new deployments, use Azure Front Door WAF.
Yes, Azure Front Door Premium supports Private Link origins. Traffic from Front Door to the origin goes through a private endpoint, but WAF inspection still occurs at the edge before the request is forwarded.
Enable WAF logs and send them to a Log Analytics workspace. Use Kusto queries to filter blocked requests. You can also set up alerts based on log entries. Example query: AzureDiagnostics | where Category == 'FrontdoorWebApplicationFirewallLog' and action_s == 'Block'.
The maximum is 100 custom rules per WAF policy. Managed rule sets count separately.
You've just covered Azure Front Door WAF Design — now see how well it sticks with free AZ-305 practice questions. Full explanations included, no account needed.
Done with this chapter?