Web Application Firewall with Azure Application Gateway
Start course

Firewalls play a critical role in securing an environment, but not all firewalls are created equally. While traditional firewalls secure a perimeter, web-based applications require a content-aware solution beyond port and IP address blocking. Azure Web Application Firewall is a cloud-native service that protects web applications from new and well-known web-based attacks.

In this course, we review Azure Web Application Firewall. We examine different options for implementing the Web Application Firewall, including using it with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network. We create and apply rulesets, including Azure managed and user-managed custom rules. We also configure diagnostic logging options and review firewall logs from the Web Application Gateway.

Learning Objectives

  • Configuring detection or prevention mode
  • Implementing a WAF policy 
  • Associating a WAF policy
  • Configuring rule sets for Azure Front Door, including Microsoft-managed and user-defined
  • Configuring rule sets for Application Gateway, including Microsoft-managed and user-defined

Intended Audience

  • System administrators with responsibilities for managing web applications
  • Security professionals responsible for securing Azure web applications
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam


  • A basic understanding of networking and security principles
  • An Azure subscription (sign up for a free trial at if you don’t have a subscription)

The Web Application Firewall works with multiple Azure services including the Azure Application Gateway. An application gateway is a web traffic load balancer. Unlike traditional load balancers that work on layer 4 of the network stack, leveraging the source and destination port and IP address for load balancing decisions, an Application Gateway makes load balancing decisions at layer 7 based on HTTP requests.

The Application Gateway provides advanced features such as SSL or TLS termination. With this option traffic between the application gateway and the backend servers is passed over a secure network unencrypted so the backend servers don't have the overhead of encrypting and decrypting traffic. This is optional, the Application Gateway also supports end-to-end encryption. It supports autoscaling to scale up or down based on traffic load, URL-based routing, directing web requests to specific backend pools based on the URL, connection draining to gracefully remove users from a backend pool, custom Error Pages, and it can rewrite HTTP headers and URLs to pass additional information with a web request.

These are just a few of the features available with the Azure Application Gateway. But how does this fit with the Web Application Firewall? Let's review the SKUs available for the Application Gateway. A SKU refers to the different sizes and versions available for a product. An Application Gateway has three sizes: Small, Medium, and Large. There are two types of gateways available, a basic application gateway and a Web Application Firewall Application Gateway. When we deploy an application gateway, we have the option to deploy it with or without a Web Application Firewall.

Notice that the firewall is only available with a Medium and Large option. There is also a Version 2 Application Gateway that's sized and priced slightly differently but still has an option with or without the Web Application Firewall. Pricing will depend on the region and the currency used, but as you may expect, the option with the Web Application Firewall costs more than without.

The steps for deploying an application gateway with a Web Application Firewall include first configuring the application gateway, then creating and applying the Web Application Firewall rules. These rules can be centrally managed and applied to one or more application gateway providing uniform management across multiple application gateways. We'll walk through deploying an application gateway with a Web Application Firewall in an upcoming demo. Let's review the Web Application Firewall options next.

About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.