This chapter covers Azure Web Application Firewall (WAF), a critical cloud-native service that protects web applications from common exploits and vulnerabilities. For the AZ-500 exam, WAF is a key topic within Network Security objective 3.2 (Secure an Azure environment for web workloads). Approximately 5-10% of exam questions touch on WAF, often in scenarios involving Azure Front Door, Application Gateway, or CDN. Understanding WAF policies, rule sets, and troubleshooting is essential for securing web applications in Azure.
Jump to a section
Think of a Web Application Firewall (WAF) as a highly trained bouncer at an exclusive nightclub. The club (your web application) has a main entrance (HTTP/HTTPS traffic). The bouncer doesn't just check IDs; he scrutinizes every guest's behavior. He has a detailed guest list (allowlist/blocklist) that specifies who is explicitly allowed or denied entry based on their name (IP address), country (geolocation), or known affiliations (threat intelligence). More importantly, he has a rulebook (OWASP Core Rule Set) that describes suspicious behaviors: trying to sneak in with a fake ID (SQL injection), attempting to pickpocket (cross-site scripting), or using a crowbar to force a locked side door (remote file inclusion). The bouncer doesn't just block these actions; he can also alert security (log and monitor) or even warn the guest (return a custom error page). He also throttles guests who try to rush the door (rate limiting) and can temporarily ban anyone who repeatedly violates the rules (IP reputation scoring). Just as a bouncer's effectiveness depends on an up-to-date guest list and rulebook, a WAF relies on continuously updated rule sets and threat intelligence feeds to protect against evolving web attacks. Without the bouncer, the club is vulnerable to anyone with malicious intent.
What is Azure Web Application Firewall (WAF)?
Azure Web Application Firewall (WAF) is a cloud-native, managed service that provides centralized protection for web applications from common exploits such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. It is integrated with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) from Microsoft. WAF uses a rules engine that inspects HTTP/HTTPS traffic and applies a set of rules to detect and block malicious requests. The rules are based on the OWASP Core Rule Set (CRS) and are continuously updated by Microsoft to address new vulnerabilities.
How WAF Works Internally
When an HTTP request arrives at the WAF-enabled endpoint (Application Gateway, Front Door, or CDN), the WAF engine performs the following steps:
Request Parsing: The request is parsed into its components: URI, headers, body (for POST/PUT), cookies, query parameters, and HTTP method.
Rule Evaluation: The parsed components are evaluated against the configured rule sets. Rules are evaluated in order of priority (lowest number = highest priority). Each rule has an action: Allow, Block, Log, or Anomaly Score (for custom rules). For managed rule sets, the action is defined per rule group.
Anomaly Scoring (for managed rules): Managed rules use an anomaly scoring system. Each rule that matches increments a score. If the total score exceeds a threshold (default 5), the request is blocked. This allows for partial matches without immediate blocking.
Rate Limiting (optional): If rate limiting is configured, the request's source IP or other attributes are checked against a rate limit counter. If the limit is exceeded, the request is blocked or logged.
Response Action: Based on the final action, the request is allowed through to the backend, blocked with a 403 Forbidden response, logged, or a custom response is returned.
Key Components and Defaults
WAF Policy: A WAF policy is a container for all WAF settings, including managed rules, custom rules, exclusions, and other configurations. It can be associated with multiple listeners or endpoints.
Rule Sets: WAF includes two types of rule sets: managed (Microsoft-managed) and custom (user-defined). Managed rule sets are based on OWASP CRS and are updated automatically. The default managed rule set is Microsoft_DefaultRuleSet (version 2.1 or later). For Application Gateway, there is also OWASP_3.2 and OWASP_3.1 (deprecated).
Rule Groups: Within a managed rule set, rules are organized into groups (e.g., SQLI, XSS, LFI). Each group can be enabled or disabled individually.
Default Action: For managed rules, the default action is Block. For custom rules, the default action is Allow if not specified.
Anomaly Score Threshold: Default is 5. When the total anomaly score from managed rules reaches or exceeds this threshold, the request is blocked.
Rate Limit: Default rate limit is 100 requests per 5 minutes per client IP. Can be customized.
Exclusions: Allows you to exclude certain request attributes (headers, cookies, query string args, POST args) from WAF inspection. Common for large file uploads or encoded parameters.
Logging: WAF logs can be sent to Azure Monitor, Log Analytics, or storage. Logs include request details, rule matches, and actions taken.
Configuration and Verification
WAF can be configured via Azure Portal, PowerShell, CLI, or ARM templates. Below are examples for Azure Application Gateway.
Create a WAF Policy via Azure CLI:
az network application-gateway waf-policy create \
--name myWAFPolicy \
--resource-group myRG \
--location eastus \
--type OWASP \
--version 3.2Associate WAF Policy with Application Gateway:
az network application-gateway waf-policy update \
--name myWAFPolicy \
--resource-group myRG \
--set properties.managedRules.managedRuleSets[0].ruleSetType=OWASP \
--set properties.managedRules.managedRuleSets[0].ruleSetVersion=3.2Enable WAF on an Application Gateway listener:
az network application-gateway http-listener update \
--gateway-name myAppGateway \
--name myListener \
--resource-group myRG \
--set firewallPolicy.id=/subscriptions/.../wafPolicies/myWAFPolicyVerify WAF status:
az network application-gateway waf-policy list --resource-group myRG --output tableCheck WAF logs:
az monitor log-analytics query \
--workspace myWorkspace \
--query "AzureDiagnostics | where ResourceType == 'APPLICATIONGATEWAYS' | where OperationName == 'ApplicationGatewayFirewall' | limit 10"Interaction with Related Technologies
Azure Application Gateway: WAF is integrated as a SKU option (WAF_v1 or WAF_v2). The WAF policy is attached to the gateway's listener or path-based routing rule.
Azure Front Door: WAF policies can be associated with Front Door endpoints. Front Door also supports custom rules, managed rules, and rate limiting. The WAF runs at the edge, closer to users.
Azure CDN: Only Standard Azure CDN from Microsoft supports WAF. It uses the same WAF engine as Front Door.
Azure DDoS Protection: WAF works alongside DDoS Protection. WAF protects at Layer 7, while DDoS Protection protects at Layer 3/4.
Azure Policy: You can enforce WAF deployment through Azure Policy, ensuring all Application Gateways and Front Doors have WAF enabled.
Performance Considerations
WAF inspection adds latency. For Application Gateway, expect ~1-2 ms additional latency per request. For Front Door, latencies are similar. High request rates (e.g., >10,000 req/s) may require scaling the WAF instance (e.g., using WAF_v2 with autoscaling). Rate limiting can also affect performance if thresholds are too low.
Troubleshooting Common Issues
False Positives: Legitimate requests being blocked. Check WAF logs for rule matches. Add exclusions for specific parameters or disable overly aggressive rules.
False Negatives: Malicious requests not blocked. Ensure managed rule set is up-to-date. Consider adding custom rules for known attack patterns.
High Latency: Check backend response times; WAF adds minimal latency. If high, consider upgrading to WAF_v2 or using Front Door for edge caching.
Rate Limiting Blocking Users: Adjust rate limit thresholds or use IP group exclusions for trusted sources.
Create a WAF Policy
First, define a WAF policy resource. In the Azure Portal, navigate to 'Web Application Firewall policies (WAF)' and click 'Create'. Provide a name, subscription, resource group, and region. Choose the policy type: 'Application Gateway', 'Front Door', or 'CDN'. For Application Gateway, select OWASP rule set version (e.g., 3.2). The policy is a separate resource that can be associated with multiple gateways or endpoints. At this stage, you can also configure managed rules, custom rules, exclusions, and rate limits. The policy is stored as a JSON document in Azure Resource Manager.
Configure Managed Rules
Within the WAF policy, enable the Microsoft-managed rule sets. By default, all rule groups are enabled with action 'Block'. You can disable specific rule groups (e.g., 'SQLI' or 'XSS') if they cause false positives. For each rule group, you can change the action to 'Log' instead of 'Block' for testing. The anomaly scoring threshold (default 5) determines when a request is blocked. For example, if a request matches two rules with scores 3 and 4, the total score is 7, which exceeds 5, so it is blocked. You can adjust the threshold to reduce false positives (e.g., set to 10).
Add Custom Rules
Custom rules allow you to define your own logic using conditions based on request attributes (source IP, geo-location, URI, headers, cookies, body, etc.). Conditions can be combined using AND/OR logic. For example, a custom rule can block requests from a specific IP range and with a specific User-Agent header. Each custom rule has a priority (1-100, lower number = higher priority). Actions include Allow, Block, Log, or AnomalyScore (for managed rules). Custom rules are evaluated before managed rules. You can also create rate limiting rules that block or log requests exceeding a threshold (e.g., 100 requests per 5 minutes).
Configure Exclusions
Exclusions tell WAF to skip inspection of specific request attributes (headers, cookies, query string args, POST args). This is essential for parameters that contain large data (e.g., file uploads) or encoded values that trigger false positives. For example, if your application uses a 'password' field that contains special characters, you can exclude the 'password' POST argument. Exclusions can be applied globally or per rule set. Use the portal to add exclusion entries: select the match variable (e.g., 'Request Arg Names'), operator ('Equals' or 'Contains'), and selector (the exact name or pattern).
Associate WAF with Endpoint
The WAF policy must be linked to an Application Gateway listener or Front Door frontend. For Application Gateway, go to the gateway's 'Web application firewall' blade, select 'WAF policy', and choose the policy. For Front Door, in the Front Door profile, under 'Security policies', create a new security policy and associate the WAF policy with a frontend endpoint or a path pattern. Once associated, the WAF engine starts inspecting all incoming traffic to that endpoint. You can verify association by checking the gateway's or Front Door's 'Overview' blade; it will show the WAF status as 'Enabled'.
Test and Monitor
After deployment, test the WAF by sending legitimate and malicious requests. Use tools like curl or OWASP ZAP to simulate SQL injection or XSS. Monitor WAF logs in Azure Monitor or Log Analytics. In the logs, look for 'ApplicationGatewayFirewall' or 'FrontdoorWebApplicationFirewall' events. Check for blocked requests and false positives. Adjust rules, exclusions, or thresholds as needed. Also monitor metrics like 'Blocked Requests' and 'Matched Rules' in the WAF policy's 'Metrics' blade. Set up alerts for high block rates or anomaly score spikes.
Scenario 1: E-commerce Platform Protection
A large e-commerce company hosts its web application on Azure Application Gateway with WAF enabled. The application handles sensitive customer data (credit cards, personal info). The security team configures WAF with OWASP 3.2 rule set and custom rules to block requests from known malicious IP addresses (using IP reputation feeds). They set up rate limiting to prevent brute-force login attempts (10 requests per minute per IP on the login endpoint). They also add exclusions for the 'creditcard' POST parameter to avoid false positives from legitimate card numbers that might match SQL injection patterns. In production, they observe ~500 requests per second and the WAF adds ~2 ms latency. They use Azure Monitor to set up alerts for any spike in blocked requests. A misconfiguration occurred when they excluded too many parameters, allowing a SQL injection attack to pass through. They fixed it by narrowing exclusions to only specific fields.
Scenario 2: Multi-Region Web Application with Front Door
A global SaaS company uses Azure Front Door with WAF to protect its web app deployed in multiple regions. They configure managed rules with anomaly scoring threshold of 10 to reduce false positives. They also create a custom rule to block requests from countries where they do not have customers (geo-blocking). For rate limiting, they set 200 requests per 5 minutes per client IP. They use Front Door's WAF logs to identify and block DDoS attacks at Layer 7. During a global promotion, traffic spikes to 10,000 req/s, and the WAF successfully handles it without dropping legitimate traffic. However, they noticed that some legitimate users from blocked countries were being denied; they added an exception for their corporate VPN IP range.
Scenario 3: API Protection with Custom Rules
A fintech company exposes REST APIs behind Azure Application Gateway with WAF. They need to protect against API-specific attacks like parameter pollution and JSON injection. They disable some OWASP rules that cause false positives for JSON payloads (e.g., rules that check for script tags). They create custom rules to validate specific API endpoints: for example, block any request to /api/transfer that has a negative amount. They also set up rate limiting per API key (using a custom header). They use WAF logs to audit all API calls. A common mistake is forgetting to enable logging, which makes troubleshooting difficult. They also learned to test new rules in 'Log' mode before enabling 'Block' to avoid breaking the API.
What AZ-500 Tests on WAF
AZ-500 exam objective 3.2 (Secure an Azure environment for web workloads) specifically tests your ability to:
Implement and configure WAF policies for Application Gateway, Front Door, and CDN.
Choose between WAF SKUs and tiers.
Configure managed rule sets (OWASP versions) and custom rules.
Understand anomaly scoring and thresholds.
Implement rate limiting and IP restrictions.
Troubleshoot false positives using exclusions.
Integrate WAF with Azure DDoS Protection and Azure Policy.
Common Wrong Answers and Traps
Choosing the wrong WAF tier: Candidates often select 'Basic' or 'Standard' Application Gateway SKU for WAF. The correct SKU is 'WAF_v1' or 'WAF_v2'. 'Basic' and 'Standard' do not include WAF functionality.
Confusing anomaly scoring with custom rules: Some think anomaly scoring applies to custom rules. It only applies to managed rules. Custom rules have explicit actions (Allow/Block/Log).
Assuming WAF can block all attacks: WAF is not a silver bullet; it protects against known patterns. Custom rules are needed for application-specific threats.
Misunderstanding exclusion scope: Exclusions apply to the entire request attribute, not just a part. For example, excluding a header excludes all values of that header.
Rate limiting granularity: Rate limiting is per client IP by default. Custom rate limiting can be based on other attributes (e.g., session cookie) but requires custom rules.
Specific Numbers and Terms
OWASP CRS versions: 3.2 (current), 3.1 (deprecated), 2.2.9 (legacy).
Anomaly score threshold: default 5, range 0-20.
Rate limit: default 100 requests per 5 minutes per IP.
WAF SKUs: WAF_v1 (manual scaling), WAF_v2 (autoscaling).
Policy association: Only one WAF policy per listener/frontend.
Managed rules update: Microsoft updates automatically; you cannot disable individual rules, only rule groups.
Edge Cases
WAF in Front Door vs Application Gateway: Front Door WAF runs at the edge, while Application Gateway WAF runs in-region. Front Door supports geo-filtering and bot protection (managed rule set) natively.
WAF on CDN: Only Standard Azure CDN from Microsoft supports WAF; Premium Verizon does not.
WAF and TLS termination: WAF inspects decrypted traffic. Ensure TLS termination is at the WAF endpoint (Application Gateway or Front Door).
WAF policy inheritance: A WAF policy can be associated with multiple listeners but each listener can only have one policy.
Eliminate Wrong Answers
If a question asks about blocking SQL injection, look for 'OWASP rule set' or 'managed rules'. Custom rules can also block SQLi but are less efficient.
If the scenario involves high traffic and low latency, choose WAF_v2 (autoscaling) over WAF_v1 (manual scaling).
For false positives, the answer is often 'add exclusions' or 'adjust anomaly score threshold'.
For geo-blocking, the answer is 'custom rule with geo-match condition'.
If the question mentions 'rate limiting', ensure the answer includes 'rate limit rule' or 'rate limit threshold'.
WAF is a Layer 7 firewall that protects web applications from common exploits like SQL injection and XSS.
WAF is available with Azure Application Gateway (WAF_v1 or WAF_v2 SKU), Azure Front Door, and Azure CDN (Standard Microsoft only).
Managed rule sets are based on OWASP CRS 3.2 and are automatically updated by Microsoft.
Anomaly scoring (default threshold 5) is used for managed rules; custom rules use explicit Allow/Block/Log actions.
Rate limiting default is 100 requests per 5 minutes per client IP; can be customized.
Exclusions are used to reduce false positives by skipping inspection of specific request attributes.
WAF logs must be enabled via diagnostic settings; they are not on by default.
Custom rules are evaluated before managed rules and can be based on IP, geo, headers, body, etc.
WAF policies are service-specific: Application Gateway WAF policies cannot be used with Front Door.
WAF does not replace Azure DDoS Protection; both should be used together for comprehensive protection.
These come up on the exam all the time. Here's how to tell them apart.
Azure Application Gateway WAF
Regional service, deployed in a specific Azure region.
Supports OWASP CRS 3.2 and 3.1.
Anomaly scoring threshold configurable per policy.
Rate limiting based on client IP only.
Can be associated with a single Application Gateway.
Azure Front Door WAF
Global service, runs at edge locations worldwide.
Supports OWASP CRS 3.2 and also includes Microsoft_BotManagerRuleSet for bot protection.
Same anomaly scoring but also supports custom rules with rate limiting based on any attribute.
Rate limiting can be based on HTTP parameters, headers, etc.
Can be associated with multiple Front Door endpoints.
Mistake
WAF can protect against all Layer 7 attacks including DDoS attacks.
Correct
WAF protects against application-layer attacks (SQLi, XSS) but is not a complete DDoS solution. Azure DDoS Protection should be used for volumetric DDoS attacks at Layers 3/4. WAF can help with slow-rate DDoS via rate limiting.
Mistake
WAF policies can be shared across Application Gateway and Front Door.
Correct
WAF policies are specific to the service type. A policy created for Application Gateway cannot be used for Front Door, and vice versa. Each service has its own policy resource type.
Mistake
Disabling a rule group in managed rules stops all rule checks.
Correct
Disabling a rule group only stops the rules within that group. Other rule groups continue to be evaluated. You cannot disable individual rules; only rule groups can be enabled/disabled.
Mistake
Custom rules are evaluated after managed rules.
Correct
Custom rules are evaluated before managed rules, based on priority order. This allows custom rules to allow or block traffic before managed rules are applied.
Mistake
WAF logs are enabled by default.
Correct
WAF logging is not enabled by default. You must configure diagnostic settings to send logs to Log Analytics, Storage, or Event Hubs. Without logging, you cannot see blocked requests or troubleshoot.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
To enable WAF on an existing Application Gateway, you must first ensure the gateway uses a WAF SKU (WAF_v1 or WAF_v2). If it is Standard SKU, you cannot enable WAF; you need to create a new gateway with WAF SKU or upgrade the SKU (which is not supported; you must redeploy). Once the SKU is correct, create a WAF policy (or use default) and associate it with the listener. In the portal, go to the gateway's 'Web application firewall' blade, select 'WAF policy', and choose an existing policy or create a new one. The change takes effect within a few minutes.
WAF_v1 is the older version that requires manual scaling and has a fixed capacity (units). WAF_v2 is the newer version that supports autoscaling, zone redundancy, and higher performance. WAF_v2 also supports features like URL rewrite and health probes enhancements. For new deployments, always use WAF_v2. The exam may ask you to choose between them based on scalability needs.
Yes, you can use custom rules with a geo-match condition. In a custom rule, set the condition to 'Geo Location' and specify the country codes (e.g., 'RU', 'CN'). You can then set the action to 'Block'. This is supported on both Application Gateway and Front Door WAF. Note that geo-location is based on the client IP address and may not be accurate for VPN or proxy users.
First, analyze WAF logs to identify which rule matched. You can then add an exclusion for the specific request attribute that triggered the false positive (e.g., exclude a query parameter or header). Alternatively, you can disable the entire rule group if the false positive is widespread. You can also increase the anomaly score threshold to reduce sensitivity. Always test changes in 'Log' mode before switching to 'Block'.
Yes, WAF inspects decrypted HTTPS traffic. To enable this, the WAF endpoint (Application Gateway or Front Door) must terminate TLS. The request is decrypted at the endpoint, inspected by WAF, and then re-encrypted if forwarded to the backend. You need to upload a TLS certificate to the endpoint. WAF does not support end-to-end encryption inspection (i.e., it cannot inspect traffic that is encrypted all the way to the backend).
Azure WAF pricing depends on the service. For Application Gateway WAF_v2, you pay per hour for the gateway plus data processing costs. For Front Door WAF, you pay per policy rule and per request. There is also a separate charge for managed rule sets. The exam may test that WAF is an additional cost on top of the base service. Always check the Azure pricing calculator for current rates.
Azure API Management does not have native WAF integration. However, you can place an Application Gateway with WAF in front of API Management to protect the APIs. Alternatively, you can use Azure Front Door with WAF in front of API Management. This is a common architecture for securing APIs. The exam may present a scenario where you need to secure APIs, and the correct answer is to use WAF in front of API Management.
You've just covered Web Application Firewall (WAF) — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?