WAF

Azure WAF is integrated with and can be deployed as part of:

  • Azure Application Gateway: A Layer 7 load balancer service

  • Azure Front Door: A global web application threat protection service

  • Azure CDN: A managed CDN

Best practices

  • Deploy Azure WAF v2 license on any newly exposed web application.

  • For large-scale environments with multiple Azure subscriptions and multiple web applications, use Azure WAF with Azure Front Door to protect your web applications.

  • After learning the traffic for your production web application (running WAF in learning mode), configure Azure WAF in prevention mode.

  • For protection against non-standard types of web application attacks, create your own custom rules.

  • Create custom rules to block traffic originating from known malicious IP addresses.

  • Use Azure activity logs as part of the Azure Monitor service to monitor changes in Azure WAF rules.

  • Send Azure WAF logs to Azure Sentinel to detect and remediate web-based attacks.

  • Use Azure Active Directory to limit the permissions to the Azure WAF console.