DEMO: Enabling Web Application Firewall on Application Gateway

The course is part of these learning paths

Microsoft Azure for Solution Architects
AZ-303 Exam Preparation: Technologies for Microsoft Azure Architects
AZ-104 Exam Preparation: Microsoft Azure Administrator

This course will provide you with a foundational understanding of the different ways you can load balance traffic in Microsoft Azure. It includes guided walk-throughs from the Azure platform to give you a practical understanding of how to implement load balancing in your Azure environments.

We start by introducing the different types of load balancers, their components, and their use cases. You'll learn how to deploy a load balancer on Azure. Then we'll dive into Application Gateway and you'll learn about its features and components.
You'll also learn about Azure Front Door and how to create a Front Door instance.

We'll also take a look at Web Application Firewall, when it's used, and how to use it in conjunction with Application Gateway, Azure Front Door, and Azure CDN. Finally, you'll learn about Traffic Manager, how it works, and when to use it, as well as how to create a Traffic Manager profile.

Learning Objectives

  • Get a solid understanding of load balancing on Azure
  • Deploy a load balancer
  • Understand the features and components of Application Gateway and how to deploy it
  • Learn about Azure Front Door and how to create a Front Door instance
  • Learn about Web Application Firewall and how to deploy it on Application Gateway
  • Learn how to use Traffic Manager and how to create a Traffic Manager profile

Intended Audience

This course is intended for those who wish to learn about the different ways of performing load balancing in Azure.


To get the most out of this course, you should have a basic understanding of the Azure platform.


Hello and welcome back. In this demonstration, what we're going to do is enable Web Application Firewall on Application Gateway. On the screen here, you can see I'm logged into my Azure portal and I'm looking at my Application Gateway, which is aptly called MyAppGateway. There are two servers on the backend, two virtual machines called VM1 and VM2, and both are running IIS.

So our Application Gateway is already set up, as is the backend. All we need to do here is enable Web Application Firewall. The first thing I need to do is create a storage account to hold the Application Gateway diagnostic logs, which is where the WAF's detection and prevention records end up. We could also send them to Azure Monitor Logs (a Log Analytics workspace) or to an Event Hub, but for this demonstration we'll just create a storage account.

So we'll go ahead and click the hamburger menu, choose Create a resource, and select Storage account from the Popular list. We'll deploy this in the LB Lab resource group and call it something like BW Diag Storage, typed as lowercase letters and digits only, because that is all a storage account name may contain (3 to 24 characters, no spaces or capitals). Remember that the storage account name also needs to be globally unique, and we've got a unique name here. We'll leave this in East US, the performance can remain Standard for diagnostics, and we'll leave the default StorageV2 (general-purpose v2), which is the account kind Microsoft recommends. We can leave the default replication, which isn't critical here.

The same thing goes for the access tier: we're not archiving cool data, so we'll leave it at Hot. Then we'll review and create. Once the storage account has been created, we'll configure diagnostics to record the Application Gateway Access Log, the Application Gateway Performance Log and the Application Gateway Firewall Log into it.

So let's go back out and into my Application Gateway. Under Monitoring, we select the Diagnostic settings option. We can see we don't have any diagnostics configured for our gateway yet, so we'll add one and call it MyDiags. We'll select Archive to a storage account and tick all three log categories. We're not going to collect metrics at this point; we'll just collect the logs.

In these boxes we can configure the retention for each log category. Leaving retention at zero means we're not setting a retention policy, so the archived data is kept until we delete it. Now that we're archiving to a storage account, we need to make sure the right storage account is selected as the archive target. We only have the one storage account here, so it's been selected by default.

At this point we can save our diagnostic setting. Let's go back out to our resource group. The next step is to create what's called a WAF policy, a Web Application Firewall policy, and then associate it with our Application Gateway. For this demonstration we'll create a basic policy with the managed default rule set and nothing else; just a vanilla policy.

To do this, we'll go up to the hamburger menu, Create a resource, and search for WAF. Web Application Firewall appears, and we'll begin creating the Web Application Firewall policy. On this screen we configure the basics.

For the policy, we need to indicate what resource type we're trying to protect. In the dropdown we have Azure CDN, Application Gateway or Front Door. We're going to protect Application Gateway, and we'll put this in the LB Lab resource group. For instance details we need to specify the location and the policy state, and give the policy a name, which must be unique within the resource group.

So we'll just call it MyBWPolicy, my Blue Widget policy. Since this is a vanilla policy, we don't have to do anything elaborate here; we can click through to Next. Under Policy settings we can leave the defaults. If we hover over Mode, we can see that Detection mode monitors and logs every request that matches a rule but never blocks anything.

Prevention mode blocks requests that match, rather than just logging them. We're going to leave this in its default configuration, Detection, which means the gateway will be logging threats rather than stopping them; that's the usual first step, so you can review the matches for false positives before switching to Prevention. We'll leave our managed rules in place. The policy is already pre-configured with a managed rule set (the OWASP Core Rule Set) and we can see what those rules are. We're not going to add any custom rules, but what we do want to do is go to Association and associate our WAF policy with an Application Gateway.

So we'll associate our Application Gateway. If we open the dropdown, we can see we don't have any gateways to associate. Now I know for a fact we have the Application Gateway already created, but notice that the gateway needs to be the WAF_v2 SKU.

So we'll open another tab and go into my Application Gateway. If we look at the configuration for our gateway, we can see that the tier is Standard_v2, not WAF_v2. So what I need to do is change the tier to WAF_v2 and save that; the gateway has to be WAF_v2 to work with an Application Gateway WAF policy. We'll cancel the association for now, change the tier, then go back in, associate our Application Gateway and save. We can see that our deployment has succeeded.
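The same configuration, scripted with the Azure CLI, as an added example that is not part of the course demo. It wraps the `az` commands for each portal step in one Python script: the storage account, the diagnostic setting MyDiags with the three log categories, the WAF policy with managed rules in Detection mode, the SKU change to WAF_v2, and the association. It assumes you have already run `az login`, that the resource group is literally named LB-Lab (the transcript only says "LB Lab"), and that the storage account name bwdiagstorage01 is free; those names are assumptions, not taken from the page. Run it with no arguments to print the commands, or with --apply to execute them.

```python
#!/usr/bin/env python3
"""Enable WAF on an existing Application Gateway with the Azure CLI.

Added example, not part of the course. Reproduces the portal steps from the
demo as `az` invocations run through subprocess. Assumes `az login` has been
done; the resource group and storage account names below are assumptions.
"""
import json
import re
import shlex
import subprocess
import sys

RESOURCE_GROUP = "LB-Lab"            # assumption: the demo's "LB Lab" resource group
LOCATION = "eastus"
GATEWAY = "MyAppGateway"
POLICY = "MyBWPolicy"
STORAGE_ACCOUNT = "bwdiagstorage01"  # assumption; must be globally unique

LOG_CATEGORIES = (
    "ApplicationGatewayAccessLog",
    "ApplicationGatewayPerformanceLog",
    "ApplicationGatewayFirewallLog",
)


def valid_storage_account_name(name: str) -> bool:
    """Storage account names are 3-24 lowercase letters and digits; a name with
    spaces or capitals such as "BW Diag Storage" is rejected by the API."""
    return re.fullmatch(r"[a-z0-9]{3,24}", name) is not None


def diagnostic_logs_setting(retention_days: int = 0) -> str:
    """JSON for the --logs argument. retention_days=0 (the demo's default) means
    no retention policy: archived blobs are kept until you delete them."""
    return json.dumps([
        {
            "category": category,
            "enabled": True,
            "retentionPolicy": {"enabled": retention_days > 0, "days": retention_days},
        }
        for category in LOG_CATEGORIES
    ])


def build_commands(retention_days: int = 0) -> list[list[str]]:
    """The az invocations, in the order the demo performs the steps."""
    if not valid_storage_account_name(STORAGE_ACCOUNT):
        raise ValueError(f"invalid storage account name: {STORAGE_ACCOUNT!r}")
    return [
        # 1. storage account for the archived diagnostics (StorageV2, Hot; LRS is enough for a lab)
        ["az", "storage", "account", "create", "--name", STORAGE_ACCOUNT,
         "--resource-group", RESOURCE_GROUP, "--location", LOCATION,
         "--sku", "Standard_LRS", "--kind", "StorageV2", "--access-tier", "Hot"],
        # 2. diagnostic setting MyDiags: access, performance and firewall logs to that account
        ["az", "monitor", "diagnostic-settings", "create", "--name", "MyDiags",
         "--resource", GATEWAY, "--resource-group", RESOURCE_GROUP,
         "--resource-type", "Microsoft.Network/applicationGateways",
         "--storage-account", STORAGE_ACCOUNT,
         "--logs", diagnostic_logs_setting(retention_days)],
        # 3. WAF policy with the default managed rule set ...
        ["az", "network", "application-gateway", "waf-policy", "create",
         "--name", POLICY, "--resource-group", RESOURCE_GROUP, "--location", LOCATION],
        # ... enabled and in Detection mode as in the demo: matches are logged, nothing is blocked
        ["az", "network", "application-gateway", "waf-policy", "policy-setting", "update",
         "--policy-name", POLICY, "--resource-group", RESOURCE_GROUP,
         "--state", "Enabled", "--mode", "Detection"],
        # 4. the gateway must be WAF_v2 before a policy can be attached
        ["az", "network", "application-gateway", "update", "--name", GATEWAY,
         "--resource-group", RESOURCE_GROUP, "--sku", "WAF_v2"],
        # 5. associate the policy with the gateway
        ["az", "network", "application-gateway", "update", "--name", GATEWAY,
         "--resource-group", RESOURCE_GROUP, "--waf-policy", POLICY],
    ]


def main(argv: list[str]) -> int:
    apply = "--apply" in argv
    for cmd in build_commands():
        print(shlex.join(cmd))          # copy-pasteable form of each step
        if apply:
            subprocess.run(cmd, check=True)
    if not apply:
        print("dry run; pass --apply to execute")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The policy-setting update is there on purpose: it sets the state to Enabled and the mode to Detection explicitly instead of relying on whatever the CLI defaults to, so the script ends in the same state the portal does. Swap Detection for Prevention only after you have reviewed the firewall log for false positives.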

Now that our policy is associated with our Application Gateway, we can test it. We'll go out to our gateway, copy the frontend public IP and browse to it. We can see that we're hitting the gateway and it's still up and running; I landed on VM1, one of the backend VMs behind the gateway. Because the policy is in Detection mode, a normal page load only shows that traffic still flows; any rule matches show up in the firewall log rather than as blocked requests.

If we close this out, go back to LB Lab and take a look at our policy, we can see the status is Enabled. We can take a look at the Activity log, and we now have a Web Application Firewall policy associated with our Application Gateway.
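Once the diagnostic setting is writing the firewall log, the check a practitioner wants is not a successful page load but what the WAF actually did with hostile requests. The script below is an added example, not part of the course: it reads firewall-log records in the form they are archived to the storage account (one JSON record per line) and reports, per client request, whether the anomaly threshold was crossed and whether the outcome was Detected or Blocked, which tells you which mode the policy is really in. The five records are constructed to follow the documented record shape (operationName ApplicationGatewayFirewall; properties.ruleId, action, transactionId and so on); the client IPs, hostnames, transaction IDs and line numbers are made up. Two of the requests are a SQL-injection and an XSS probe that reach the threshold; the third is a plain request to the gateway's public IP, exactly what the demo does, which trips the CRS "Host header is a numeric IP address" rule without exceeding the threshold.

```python
#!/usr/bin/env python3
"""Summarise ApplicationGatewayFirewallLog records archived by a diagnostic setting.

Added example, not part of the course. Real records land in the storage account
in the insights-logs-applicationgatewayfirewalllog container, one JSON record
per line; the ones below are constructed to follow that shape.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: a SQLi probe (t1), an XSS probe (t2) and a harmless request
# made by browsing to the gateway's public IP (t3). Not real captured traffic.
SAMPLE_LOG = r"""
{"timeStamp":"2021-10-14T22:17:11+00:00","resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/LB-LAB/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MYAPPGATEWAY","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_1","clientIp":"203.0.113.10","clientPort":"","requestUri":"/?id=1%27%20OR%201%3D1","ruleSetType":"OWASP_CRS","ruleSetVersion":"3.2.0","ruleId":"942100","message":"SQL Injection Attack Detected via libinjection","action":"Matched","site":"Global","details":{"message":"detected SQLi using libinjection","data":"ARGS:id: 1' OR 1=1","file":"rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf","line":"45"},"hostname":"www.example.com","transactionId":"t1","policyId":"MyBWPolicy","policyScope":"Global","policyScopeName":"Global"}}
{"timeStamp":"2021-10-14T22:17:11+00:00","resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/LB-LAB/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MYAPPGATEWAY","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_1","clientIp":"203.0.113.10","clientPort":"","requestUri":"/?id=1%27%20OR%201%3D1","ruleSetType":"OWASP_CRS","ruleSetVersion":"3.2.0","ruleId":"949110","message":"Inbound Anomaly Score Exceeded (Total Score: 5)","action":"Detected","site":"Global","details":{"message":"Operator GE matched 5 at TX:anomaly_score","data":"","file":"rules/REQUEST-949-BLOCKING-EVALUATION.conf","line":"80"},"hostname":"www.example.com","transactionId":"t1","policyId":"MyBWPolicy","policyScope":"Global","policyScopeName":"Global"}}
{"timeStamp":"2021-10-14T22:17:38+00:00","resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/LB-LAB/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MYAPPGATEWAY","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_1","clientIp":"203.0.113.10","clientPort":"","requestUri":"/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E","ruleSetType":"OWASP_CRS","ruleSetVersion":"3.2.0","ruleId":"941100","message":"XSS Attack Detected via libinjection","action":"Matched","site":"Global","details":{"message":"detected XSS using libinjection","data":"ARGS:q: <script>alert(1)</script>","file":"rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf","line":"55"},"hostname":"www.example.com","transactionId":"t2","policyId":"MyBWPolicy","policyScope":"Global","policyScopeName":"Global"}}
{"timeStamp":"2021-10-14T22:17:38+00:00","resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/LB-LAB/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MYAPPGATEWAY","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_1","clientIp":"203.0.113.10","clientPort":"","requestUri":"/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E","ruleSetType":"OWASP_CRS","ruleSetVersion":"3.2.0","ruleId":"949110","message":"Inbound Anomaly Score Exceeded (Total Score: 5)","action":"Detected","site":"Global","details":{"message":"Operator GE matched 5 at TX:anomaly_score","data":"","file":"rules/REQUEST-949-BLOCKING-EVALUATION.conf","line":"80"},"hostname":"www.example.com","transactionId":"t2","policyId":"MyBWPolicy","policyScope":"Global","policyScopeName":"Global"}}
{"timeStamp":"2021-10-14T22:18:02+00:00","resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/LB-LAB/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MYAPPGATEWAY","operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"instanceId":"appgw_0","clientIp":"198.51.100.7","clientPort":"","requestUri":"/","ruleSetType":"OWASP_CRS","ruleSetVersion":"3.2.0","ruleId":"920350","message":"Host header is a numeric IP address","action":"Matched","site":"Global","details":{"message":"Pattern match at REQUEST_HEADERS:Host","data":"203.0.113.5","file":"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","line":"791"},"hostname":"203.0.113.5","transactionId":"t3","policyId":"MyBWPolicy","policyScope":"Global","policyScopeName":"Global"}}
"""

# Actions that describe the fate of the whole request, as opposed to "Matched",
# which is logged once per individual rule that fired.
FINAL_ACTIONS = {"Detected", "Blocked", "Allowed"}


def parse_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON and return the properties of firewall-log records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") == "ApplicationGatewayFirewallLog":
            records.append(rec["properties"])
    return records


def summarize(props: list[dict]) -> dict:
    """Group records per transaction (one client request) and work out what the
    WAF did with it. Individual rule matches are "Matched"; once the anomaly score
    crosses the threshold a final record carries "Detected" (detection mode) or
    "Blocked" (prevention mode). A request whose matches stay under the threshold
    is logged but never gets a final record."""
    by_txn = defaultdict(list)
    for p in props:
        by_txn[p["transactionId"]].append(p)
    outcomes, rule_hits, offenders = Counter(), Counter(), Counter()
    for txn_props in by_txn.values():
        final = "below threshold"
        for p in txn_props:
            if p["action"] == "Matched":
                rule_hits[p["ruleId"]] += 1
            elif p["action"] in FINAL_ACTIONS:
                final = p["action"]
        outcomes[final] += 1
        if final in ("Detected", "Blocked"):
            offenders[txn_props[0]["clientIp"]] += 1
    return {"transactions": len(by_txn), "outcomes": dict(outcomes),
            "rule_hits": dict(rule_hits), "offenders": dict(offenders)}


def effective_mode(outcomes: dict) -> str:
    """Infer the policy mode from behaviour: "Detected" with no "Blocked" means the
    policy is still in Detection mode and the attacks were logged, not stopped."""
    if outcomes.get("Blocked"):
        return "Prevention"
    if outcomes.get("Detected"):
        return "Detection"
    return "unknown (no request exceeded the anomaly threshold)"


def main() -> None:
    summary = summarize(parse_records(SAMPLE_LOG))
    mode = effective_mode(summary["outcomes"])
    print(f"requests: {summary['transactions']}  outcomes: {summary['outcomes']}")
    print(f"rule hits: {summary['rule_hits']}  offending clients: {summary['offenders']}")
    print(f"effective mode: {mode}")
    if mode == "Detection":
        print("Nothing is being blocked. Review the rule hits for false positives "
              "(e.g. 920350 from browsing the gateway by IP) before switching to Prevention.")


if __name__ == "__main__":
    main()
```

Point it at the blobs downloaded from the storage account instead of SAMPLE_LOG and the same three numbers do the tuning work for you: the outcomes tell you whether the policy is really stopping anything, the rule hits show which managed rules fire on legitimate traffic (candidates for exclusions), and the offending clients show who is probing. The demo's own test, browsing to the gateway by IP, is the kind of request that appears as a low-scoring match and never as a blocked request.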

About the Author
Thomas Mitchell

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.