Implementing a WAF Policy for Application Gateway

Firewalls play a critical role in securing an environment, but not all firewalls are created equally. While traditional firewalls secure a perimeter, web-based applications require a content-aware solution beyond port and IP address blocking. Azure Web Application Firewall is a cloud-native service that protects web applications from new and well-known web-based attacks.

In this course, we review Azure Web Application Firewall. We examine different options for implementing the Web Application Firewall, including using it with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network. We create and apply rulesets, including Azure managed and user-managed custom rules. We also configure diagnostic logging options and review firewall logs from the Web Application Gateway.

Learning Objectives

  • Configuring detection or prevention mode
  • Implementing a WAF policy 
  • Associating a WAF policy
  • Configuring rule sets for Azure Front Door, including Microsoft-managed and user-defined
  • Configuring rule sets for Application Gateway, including Microsoft-managed and user-defined

Intended Audience

  • System administrators with responsibilities for managing web applications
  • Security professionals responsible for securing Azure web applications
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam


Prerequisites

  • A basic understanding of networking and security principles
  • An Azure subscription (sign up for a free trial if you don’t have a subscription)

Now that we understand the Web Application Firewall with the Azure Application Gateway, let's move on to deploying and managing the solution. Before we implement and associate a Web Application Firewall policy, we need to create an environment to apply the policy to. This section starts with an overview of the Application Gateway solution, then we'll move on to a demo on setting it up.

First, we'll create an Application Gateway; this will have a public front-end IP. Next, we'll create a backend pool that consists of two Windows servers running IIS, Microsoft's web server service. This is a simple solution to demonstrate the Web Application Firewall and would work the same on other Application Gateway backends. After that, we'll implement and associate the Web Application Policy with the Web Application Gateway and test the solution to verify functionality. Access to an Azure subscription with rights to add resources is required for the upcoming demonstration. Also, two Windows Server 2019 servers need to be provisioned for the backend pool. These are deployed to the backend pool VNet configured with the Application Gateway.

We also need to define settings for the deployment coming up. We need the Application Gateway, VNet, frontend, and backend settings, as well as routing, listener, and HTTPS settings names. A full list of values for the Application Gateway is on the screen. We need settings for the backend pool, including pool name, resource group, location, and virtual machine settings. We review options for deploying IIS in the demonstration. Finally, once we have the Application Gateway and backend pool in place, we can implement the policy with the settings on the screen, then associate the Web Application Firewall Policy to the Application Gateway. Please join me in the Azure portal to get started with deploying the Application Gateway.
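The transcript above covers implementing a WAF policy and associating it with the Application Gateway in the Azure portal. As an added example (not part of the course material), here are the same two steps in Az PowerShell, followed by the switch from detection to prevention mode. It assumes an existing gateway on the WAF_v2 tier; every resource name, the region, and the OWASP 3.2 rule set are placeholder assumptions, not the values shown on screen in the course.

```powershell
# Added example. All names and the region are placeholders (assumptions),
# not the settings used in the course demonstration.
$rg       = 'rg-waf-demo'       # placeholder resource group
$location = 'centralus'         # placeholder region
$gwName   = 'appgw-demo'        # placeholder: existing Application Gateway
$polName  = 'waf-policy-demo'   # placeholder policy name

# 1. Policy settings: start in Detection mode so rule matches are logged
#    but requests are not blocked while the rules are being evaluated.
$setting = New-AzApplicationGatewayFirewallPolicySetting -Mode Detection -State Enabled

# 2. Microsoft-managed rule set (assumed here: OWASP core rule set 3.2).
$ruleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
    -RuleSetType 'OWASP' -RuleSetVersion '3.2'
$managed = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $ruleSet

# 3. Implement the policy as its own resource.
$policy = New-AzApplicationGatewayFirewallPolicy -Name $polName `
    -ResourceGroupName $rg -Location $location `
    -PolicySetting $setting -ManagedRule $managed

# 4. Associate the policy with the gateway. A WAF policy can only be
#    attached to a gateway on the WAF_v2 tier, so check before changing it.
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
if ($gw.Sku.Tier -ne 'WAF_v2') {
    throw "Gateway '$gwName' is tier '$($gw.Sku.Tier)'; a WAF policy needs WAF_v2."
}
$gw.FirewallPolicy = $policy
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# 5. Verify the association by reading the gateway back.
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
if ($gw.FirewallPolicy.Id -ne $policy.Id) {
    throw 'WAF policy is not associated with the gateway.'
}

# 6. After reviewing the firewall logs for false positives, switch the
#    same policy to Prevention mode so matching requests are blocked.
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $polName -ResourceGroupName $rg
$policy.PolicySettings.Mode = 'Prevention'
Set-AzApplicationGatewayFirewallPolicy -InputObject $policy | Out-Null
```

Running in detection mode first only helps if diagnostic logging is enabled on the gateway, since the firewall log is where rule matches appear before anything is blocked.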

About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.