Introduction to Web Application Firewall
Introduction to Web Application Firewall

Firewalls play a critical role in securing an environment, but not all firewalls are created equally. While traditional firewalls secure a perimeter, web-based applications require a content-aware solution beyond port and IP address blocking. Azure Web Application Firewall is a cloud-native service that protects web applications from new and well-known web-based attacks.

In this course, we review Azure Web Application Firewall. We examine different options for implementing the Web Application Firewall, including using it with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network. We create and apply rulesets, including Azure managed and user-managed custom rules. We also configure diagnostic logging options and review firewall logs from the Web Application Gateway.

Learning Objectives

  • Configuring detection or prevention mode
  • Implementing a WAF policy 
  • Associating a WAF policy
  • Configuring rule sets for Azure Front Door, including Microsoft-managed and user-defined
  • Configuring rule sets for Application Gateway, including Microsoft-managed and user-defined

Intended Audience

  • System administrators with responsibilities for managing web applications
  • Security professionals responsible for securing Azure web applications
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam


  • A basic understanding of networking and security principles
  • An Azure subscription (sign up for a free trial at if you don’t have a subscription)

Welcome to our first lecture. A good place to start is at the beginning, so let's get started with what exactly is a Web Application Firewall? Let's start with what a firewall is first. Although there are many variations of firewall solutions available, in it's simplest form, a firewall is a device, physical or virtual, that separates a trusted network from an untrusted network.

Commonly, an internal private network and a public network, such as the internet. Rules are created on the device that deny or allows access between the two networks. Without a firewall, our private internal resources would be exposed to the internet. The traditional firewall model does not offer much protection for web applications. Web applications need to be available to the public network to be useful. Because of that, web applications are exposed to common malicious attacks and vulnerabilities.

A Web Application Firewall protects web applications from these common exploits. To better understand what makes a Web Application Firewall different from a traditional firewall, let's compare the two. A traditional firewall will allow or deny traffic based on source and destination traffic, including IP addresses and ports.

For a public web application to work, common web ports 80 and 443 need to be open from the public internet to the internal network. This offers some protection to the internal private network but not much protection for the web applications. There are common web exploits and vulnerabilities that simple port blocking won't stop. For example, SQL injection, where an input such as a username is formatted with a SQL statement that returns information not intended to be public; or cross-site scripting that injects malicious scripts into trusted websites that's executed on visitor's web browser. 

There are also malicious bots or web-based automation processes that search for sites with vulnerabilities and known exploits. There are many other exploits cataloged as Common Vulnerabilities and Exposures or CVEs. A CVE is a method of publishing and sharing information on newly-discovered vulnerabilities. The list goes on. There are a lot of attack vectors for web-based applications. Command injections, HTTP Request Smuggling, remote file inclusions, PHP and Java attacks, just to name a few. It would be impossible for most organizations to monitor and manage all these attack vectors. 

Let's look at how Azure Web Application Firewall can help. A Web Application Firewall goes beyond simple source and destination port and IP address information, and inspects the traffic passed between the client and web service. It checks for these known exploits and blocks malicious traffic before it gets to the service hosting the application. The Web Application Firewall uses a collection of rules and policies to protect web-based services and applications.

There are two types of rules available with the Web Application Firewall. The first is a custom rule. As the name implies, custom rules are ones we create and manage. These are helpful in some situations but with all the current and emerging threats, creating and managing all the security rules would be problematic. These custom rules are processed before the second type: managed rules. A managed rule is a collection of Azure-managed pre-configured rules. These rules include Core Rule Sets or CRS 3.1, 3.0, and 2.2.9 as well as bot mitigation and other Azure-specific rules. We'll cover core rules and bot mitigation further in this course.

These options allow us to benefit from Microsoft's threat intelligent investment. Microsoft runs one of the largest networks in the world and respond to new threats on a daily basis. Once rules are created, we have two options or modes for these rules. We can enable detection mode. Detection mode monitors and logs threats. This is a good option for initial deployment to monitor what may be blocked without stopping traffic. It can also be helpful for advanced threat detection and investigation. Prevention mode blocks attacks the rule detects. When a rule is blocked, the user will get a 403 unauthorized access error and the attempt is logged. The Web Application Firewall supports three services: Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network or CDN. Each has a features and options specific to the service. Let's take a look at each next.

About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.