
WAF with Application Gateway in Azure - Commands & Configuration

Introduction
Web Application Firewall (WAF) with Azure Application Gateway protects your web apps from common internet threats by filtering and monitoring web traffic. It helps keep your apps safe from attacks like SQL injection or cross-site scripting without changing your app code.
  • When you want to protect your web app from common security threats without modifying the app itself.
  • When you need to monitor and control incoming web traffic to your application.
  • When you want to block malicious requests before they reach your backend servers.
  • When you want to use a managed service that integrates easily with Azure resources.
  • When you want to apply security rules globally to multiple web applications behind a gateway.
Config File - application-gateway-waf.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "applicationGatewayName": {
      "type": "string",
      "defaultValue": "myAppGateway"
    },
    "wafConfig": {
      "type": "object",
      "defaultValue": {
        "enabled": true,
        "firewallMode": "Prevention",
        "ruleSetType": "OWASP",
        "ruleSetVersion": "3.2"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/applicationGateways",
      "apiVersion": "2023-02-01",
      "name": "[parameters('applicationGatewayName')]",
      "location": "eastus",
      "properties": {
        "sku": {
          "name": "WAF_v2",
          "tier": "WAF_v2",
          "capacity": 2
        },
        "gatewayIPConfigurations": [
          {
            "name": "appGatewayIpConfig",
            "properties": {
              "subnet": {
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"
              }
            }
          }
        ],
        "frontendIPConfigurations": [
          {
            "name": "appGatewayFrontendIP",
            "properties": {
              "publicIPAddress": {
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses/myPublicIP"
              }
            }
          }
        ],
        "frontendPorts": [
          {
            "name": "appGatewayFrontendPort",
            "properties": {
              "port": 80
            }
          }
        ],
        "backendAddressPools": [
          {
            "name": "appGatewayBackendPool",
            "properties": {
              "backendAddresses": [
                {
                  "ipAddress": "10.0.1.4"
                },
                {
                  "ipAddress": "10.0.1.5"
                }
              ]
            }
          }
        ],
        "backendHttpSettingsCollection": [
          {
            "name": "appGatewayBackendHttpSettings",
            "properties": {
              "port": 80,
              "protocol": "Http",
              "cookieBasedAffinity": "Disabled"
            }
          }
        ],
        "httpListeners": [
          {
            "name": "appGatewayHttpListener",
            "properties": {
              "frontendIPConfiguration": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGatewayName')), '/frontendIPConfigurations/appGatewayFrontendIP')]"
              },
              "frontendPort": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGatewayName')), '/frontendPorts/appGatewayFrontendPort')]"
              },
              "protocol": "Http"
            }
          }
        ],
        "requestRoutingRules": [
          {
            "name": "rule1",
            "properties": {
              "ruleType": "Basic",
              "httpListener": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGatewayName')), '/httpListeners/appGatewayHttpListener')]"
              },
              "backendAddressPool": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGatewayName')), '/backendAddressPools/appGatewayBackendPool')]"
              },
              "backendHttpSettings": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGatewayName')), '/backendHttpSettingsCollection/appGatewayBackendHttpSettings')]"
              }
            }
          }
        ],
        "webApplicationFirewallConfiguration": "[parameters('wafConfig')]"
      }
    }
  ]
}

This JSON template creates an Azure Application Gateway with WAF enabled.

  • sku: Chooses the WAF_v2 tier for security features.
  • gatewayIPConfigurations: Connects the gateway to a subnet in your virtual network.
  • frontendIPConfigurations: Assigns a public IP for incoming traffic.
  • frontendPorts: Listens on port 80 for HTTP requests.
  • backendAddressPools: Defines backend servers by IP addresses.
  • httpListeners: Listens for HTTP traffic on the frontend IP and port.
  • requestRoutingRules: Routes incoming requests to backend pools.
  • webApplicationFirewallConfiguration: Enables WAF in prevention mode using OWASP 3.2 rules.
Commands
This command deploys the Application Gateway with WAF enabled using the ARM template. It creates the resources defined in the template in the specified resource group; the virtual network subnet and the public IP that the template references by ID must already exist.
Terminal
az deployment group create --resource-group myResourceGroup --template-file application-gateway-waf.json
Expected Output
{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Resources/deployments/myDeployment", "name": "myDeployment", "properties": { "provisioningState": "Succeeded" }, "resourceGroup": "myResourceGroup", "status": "Succeeded" }
--resource-group - Specifies the Azure resource group to deploy into
--template-file - Specifies the ARM template file to use for deployment
This command checks the WAF configuration on the deployed Application Gateway to confirm it is enabled and in prevention mode.
Terminal
az network application-gateway show --name myAppGateway --resource-group myResourceGroup --query "webApplicationFirewallConfiguration"
Expected Output
{ "enabled": true, "firewallMode": "Prevention", "ruleSetType": "OWASP", "ruleSetVersion": "3.2" }
--name - Specifies the Application Gateway name
--resource-group - Specifies the resource group of the Application Gateway
--query - Filters output to show only WAF configuration
This command lists any WAF policies in the resource group, to confirm whether custom policies exist and to manage them.
Terminal
az network application-gateway waf-policy list --resource-group myResourceGroup
Expected Output
[]
--resource-group - Specifies the resource group to list WAF policies from
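The template above and the `az network application-gateway show` check both come down to the same question: does the gateway carry the WAF settings you intended? The script below is an added example (not part of the original page or of Azure's tooling) that answers it offline in two places: before deployment, by reading an ARM template like application-gateway-waf.json (resolving a `[parameters('wafConfig')]` reference to its default value), and after deployment, by reading the JSON that the `--query "webApplicationFirewallConfiguration"` command prints. The baseline it enforces (WAF_v2 tier, WAF enabled, Prevention mode, OWASP rule set 3.2 or newer) is an assumption for the example, as are the embedded sample template and CLI outputs, which are constructed to match the shapes shown on this page.

```python
"""WAF guardrail for Azure Application Gateway: check an ARM template before
deployment and `az network application-gateway show` output after it.
Added example, not from the original page; baseline and inputs are assumed."""
import json

EXPECTED_TIER = "WAF_v2"      # assumed baseline: only WAF SKUs support WAF
EXPECTED_MODE = "Prevention"  # assumed baseline: block, do not just log
MIN_RULESET = (3, 2)          # assumed baseline: OWASP CRS 3.2 or newer


def resolve(value, params):
    """Resolve "[parameters('x')]" to that parameter's defaultValue; pass anything else through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params.get(value[len(prefix):-len(suffix)], {}).get("defaultValue")
    return value


def check_waf_settings(cfg):
    """Findings (severity, message) for a webApplicationFirewallConfiguration object.
    The same shape is printed by `az ... show --query webApplicationFirewallConfiguration`."""
    if not isinstance(cfg, dict):
        return [("error", "webApplicationFirewallConfiguration is missing")]
    findings = []
    if cfg.get("enabled") is not True:
        findings.append(("error", "WAF is not enabled"))
    mode = cfg.get("firewallMode")
    if mode != EXPECTED_MODE:
        findings.append(("error", f"firewallMode is {mode!r}, expected {EXPECTED_MODE!r}"))
    if cfg.get("ruleSetType") != "OWASP":
        findings.append(("error", f"ruleSetType is {cfg.get('ruleSetType')!r}, expected 'OWASP'"))
    try:  # "3.2" -> (3, 2); anything unparsable sorts below the minimum
        version = tuple(int(p) for p in str(cfg.get("ruleSetVersion", "")).split("."))
    except ValueError:
        version = ()
    if version < MIN_RULESET:
        wanted = ".".join(map(str, MIN_RULESET))
        findings.append(("error", f"ruleSetVersion {cfg.get('ruleSetVersion')!r} is below {wanted}"))
    return findings


def check_template(template):
    """Findings for every Microsoft.Network/applicationGateways resource in an ARM template."""
    params = template.get("parameters", {})
    gateways = [r for r in template.get("resources", [])
                if r.get("type") == "Microsoft.Network/applicationGateways"]
    if not gateways:
        return [("error", "no Microsoft.Network/applicationGateways resource in template")]
    findings = []
    for res in gateways:
        name = resolve(res.get("name"), params)
        props = res.get("properties", {})
        tier = props.get("sku", {}).get("tier")
        if tier != EXPECTED_TIER:
            findings.append(("error", f"{name}: sku.tier is {tier!r}; WAF needs {EXPECTED_TIER!r}"))
        waf = resolve(props.get("webApplicationFirewallConfiguration"), params)
        findings += [(sev, f"{name}: {msg}") for sev, msg in check_waf_settings(waf)]
        # The WAF inspects plaintext listeners too, but the traffic is unencrypted on the wire.
        for listener in props.get("httpListeners", []):
            if listener.get("properties", {}).get("protocol") == "Http":
                findings.append(("warn", f"{name}: listener {listener.get('name')} uses plaintext HTTP"))
    return findings


def errors(findings):
    """Only the findings that should fail a pipeline; warnings are reported but not fatal."""
    return [msg for sev, msg in findings if sev == "error"]


# Constructed, trimmed template in the shape of the page's application-gateway-waf.json.
TEMPLATE = json.loads("""
{
  "parameters": {
    "applicationGatewayName": {"type": "string", "defaultValue": "myAppGateway"},
    "wafConfig": {"type": "object", "defaultValue": {
      "enabled": true, "firewallMode": "Prevention",
      "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}}
  },
  "resources": [{
    "type": "Microsoft.Network/applicationGateways",
    "name": "[parameters('applicationGatewayName')]",
    "properties": {
      "sku": {"name": "WAF_v2", "tier": "WAF_v2", "capacity": 2},
      "httpListeners": [{"name": "appGatewayHttpListener", "properties": {"protocol": "Http"}}],
      "webApplicationFirewallConfiguration": "[parameters('wafConfig')]"
    }
  }]
}
""")

# Constructed: the `az ... show --query webApplicationFirewallConfiguration` output of a healthy gateway.
LIVE_WAF_CONFIG = {"enabled": True, "firewallMode": "Prevention",
                   "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}
# Constructed: a drifted gateway, left in Detection mode on an older rule set.
DRIFTED_WAF_CONFIG = {"enabled": True, "firewallMode": "Detection",
                      "ruleSetType": "OWASP", "ruleSetVersion": "3.0"}

if __name__ == "__main__":
    for label, findings in [("template", check_template(TEMPLATE)),
                            ("live", check_waf_settings(LIVE_WAF_CONFIG)),
                            ("drifted", check_waf_settings(DRIFTED_WAF_CONFIG))]:
        print(label, "FAIL" if errors(findings) else "OK")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

In a pipeline, feed `check_template` the template file before `az deployment group create` and feed `check_waf_settings` the parsed output of the `show --query` command afterwards; a non-empty `errors(...)` result is the signal to stop. Detection mode is treated as an error on purpose: it logs matches but does not block them, so a gateway that drifted from Prevention to Detection offers no protection while still appearing to "have WAF".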
Key Concept

If you remember nothing else from this pattern, remember: enabling WAF on Application Gateway protects your web apps by filtering harmful web traffic before it reaches your servers.

Common Mistakes
Not enabling WAF in the Application Gateway configuration.
Without enabling WAF, the gateway will not filter malicious traffic, leaving your app vulnerable.
Ensure the 'webApplicationFirewallConfiguration' section has 'enabled' set to true.
Using the wrong SKU tier that does not support WAF.
Only WAF_v2 or WAF_v1 SKUs support Web Application Firewall features.
Set the SKU name and tier to 'WAF_v2' in the configuration.
Not assigning a public IP to the frontend IP configuration.
Without a public IP, the Application Gateway cannot receive internet traffic.
Assign a valid public IP resource to the frontendIPConfigurations section.
Summary
Deploy an Azure Application Gateway with WAF enabled using an ARM template.
Verify the WAF configuration is active and set to prevention mode using Azure CLI.
List WAF policies to manage or confirm custom security rules.