Azure Application Gateway Web Application Firewall Preview

This post will describe a new network security feature, the Web Application Firewall, for web applications that was launched in preview at Microsoft Ignite 2016.

Some Background

You can run a pretty complex web hosting service in Azure. Load balancing (for multi-region scale-out and failover) can be done at the DNS-level using Traffic Manager, layer 4 load balancing can be done within a virtual network (VNet) using the ARM load balancer, and a year ago, Microsoft added layer 7 functionality in the Application Gateway.

Azure Application Gateway provides layer 7 application delivery as a service [Image Credit: Microsoft]
Azure Application Gateway provides layer 7 application delivery as a service [Image Credit: Microsoft]
You can place the Application Gateway behind the Azure load balancer and in front of sets of web servers to get the following functionality:

  • HTTP load balancing: Layer 7 load balancing of HTTP(S) traffic.
  • Cookie-based session affinity: Allow application layer session affinity between a client and a HTTP(S) server.
  • Secure Sockets Layer (SSL) offload: Offload CPU-intensive encryption work from the web/application servers to the application gateway. Traffic is encrypted between the client and the application gateway, but in clear between the gateway and the servers over the trusted internal VNet.
  • End-to-End SSL: A twist on SSL offload; traffic is re-encrypted between the application gateway and the web/application server.
  • URL-based content routing: You can have farms of site content, for example a virtual directory is hosted by one set of servers. Or you can host multiple domains behind one gateway. The application sees the requested URL and forwards it to one of the web servers that hosts that content.
  • Multi-site routing: You can have up to 20 websites configured for URL-based content routing.
  • WebSocket support: There is native support of WebSocket; full-duplex communication channels over a single TCP connection. In other words, data can be sent to/from client/server within a mutually agreed session without a request.
  • Health monitoring: Servers are monitored for load balancing, and probes can be used for deeper monitoring.

Microsoft announced a preview of a new feature for application gateway, the Web Application Firewall, an additional SKU that we will have to pay for after GA if we choose to deploy it.

Web Application Firewall

There have been 2 ways to implement security for web applications in Azure:

  • Network security groups: Simple layer 4 filtering of protocol/port based on source/destination rules.
  • Network virtual appliance (NVA): A virtual machine appliance, supplied via a third party in the Azure Marketplace, that offers layer 7 security.

And now, in preview, we can add Web Application Firewall (WAF) functionality to the Application Gateway. This provides you with a Microsoft-managed, centrally run security solution that can integrate into Azure security center, and operates at layer 7, meaning that it can perform application layer inspection. This is the sort of security that protects you against modern threats such as SQL injection attacks.

The Azure Web Application Firewall [Image Credit: Microsoft]
The Azure Web Application Firewall [Image Credit: Microsoft]
A benefit of Microsoft’s approach, adding the WAF to the Application Gateway, is that many websites can be protected by 1 security instance, and you do not need to modify your applications.

Security Rules

At this time, the WAF does not allow user-defined rules — this is something Microsoft intends to add at a later point. The WAF is currently pre-configured with ModSecurity (is that more open source love from Microsoft?) and OWASP Core Rule Set, described as:

… an easily “pluggable” set of generic attack detection rules that provide a base level of protection for any web application

Some of the vulnerabilities that WAF currently protects you against are:

  • SQL injection
  • Cross-site scripting
  • Common web attacks, including command injection, remote file inclusion attack, and more.
  • HTTP protocol violations
  • HTTP protocol anomalies
  • Denial of service (DoS), including HTTP flooding and slow HTTP DoS
  • Bots, crawlers, and scanners
  • Common IIS and Apache misconfigurations

Modes of Operation

Microsoft allows you to operate WAF in two different modes:

  • Detection: The WAF does not intervene at all; issues and alerts are logged and that is all. You can use this mode to diagnose issues/alerts or to build up trust in WAF before turning it on in a production environment (after GA).
  • Prevention: WAF will use the rule set to intervene with unwanted traffic and intrusions.


WAF looks like a nice new way to implement security for web applications that are hosted in Azure. I don’t think anyone will rely solely on WAF until they can create their own rule sets, but WAF with network security groups (NSGs) could offer quite a security solution at the L4 and L7 layers.