5.4 Web Application Firewall for HTTP Workloads

Key Takeaways

  • Azure Web Application Firewall protects web applications from common web exploits and vulnerabilities.
  • WAF policy can use managed rules and custom rules to control access to web applications.
  • WAF can be applied with Azure Application Gateway for regional protection or Azure Front Door for edge protection.
  • WAF complements DDoS Protection because it focuses on application-layer web traffic rather than network-layer floods.

Last updated: May 2026

Protect Web Applications at the Application Layer

Web Application Firewall is the Azure control to recognize when an exam question describes web application threats. Microsoft describes Azure WAF as centralized protection for web applications against common exploits and vulnerabilities such as SQL injection and cross-site scripting. That makes WAF different from Azure Firewall, which is a managed network firewall for virtual network traffic, and from Azure DDoS Protection, which focuses on network-layer availability.

WAF works through policies. A WAF policy combines managed rules and custom rules to control access to web applications. Managed rules are Microsoft-maintained rule sets, based on the OWASP Core Rule Set, that provide out-of-box detection of common vulnerability patterns; custom rules are conditions you define yourself, such as a source IP range, a geographic location, or a value in a request header or query string, each with an allow, block, or log action. You do not need to memorize every rule set for SC-900, but you should understand that a WAF policy is rule-based web protection.

Web clue in a scenario             | WAF reasoning
-----------------------------------|------------------------------------------------------------------------
SQL injection                      | WAF is built to inspect web requests for common exploit patterns
Cross-site scripting               | WAF addresses common application-layer vulnerabilities
HTTP or HTTPS request attributes   | WAF can evaluate web request details such as headers or query strings
OWASP-style web risks              | WAF managed rules protect against common web vulnerabilities
Front Door or Application Gateway  | WAF policies can be associated with these web delivery services

Azure provides more than one WAF deployment pattern. WAF with Azure Application Gateway is a regional, dedicated option for applications. WAF with Azure Front Door is a globally distributed edge option for public endpoints. The exam may not ask for deep architecture selection, but it can ask which service protects web applications or which Azure control is associated with Application Gateway and Front Door.

A layered design often uses WAF with DDoS Protection. DDoS Protection helps with layer 3 and layer 4 denial-of-service traffic. WAF helps with layer 7 web application traffic. If a question includes both high-volume network attacks and web exploit attempts, the safest conceptual answer is that both layers have a role.

WAF also needs tuning in real environments. Microsoft documentation describes two policy modes: in detection mode the WAF logs requests that match its rules but does not block them, which lets you review false positives; in prevention mode it blocks matching requests. Teams commonly run a new policy in detection mode first and add exclusions before switching to prevention. For SC-900, you mainly need to know that WAF can detect or block web threats through policies, and that it protects web applications rather than every kind of Azure resource.
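As an added example (not code from the original page or from Microsoft's documentation), the following Bicep template writes out the two deployment patterns and the two policy modes described above: a regional policy for Application Gateway in prevention mode that combines the OWASP managed rule set with two custom rules, and a global policy for Azure Front Door that starts in detection mode. The resource names, the blocked IP range, and the User-Agent string are assumptions chosen for illustration.

```bicep
// Added example, not from the original page: two Azure WAF policies in Bicep.
// Resource names, the IP range and the User-Agent string are assumptions for illustration.
param location string = resourceGroup().location

// Regional pattern: a policy that is later associated with an Application Gateway (WAF_v2 SKU).
resource agwWafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'waf-agw-contoso-web'          // assumed name
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'               // 'Detection' only logs matches; 'Prevention' blocks them
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      // Managed rules: Microsoft-maintained OWASP Core Rule Set covering SQLi, XSS and similar patterns
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
    customRules: [
      {
        // Custom rule 1: block a source IP range (lower priority number is evaluated first)
        name: 'BlockKnownBadRange'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              { variableName: 'RemoteAddr' }
            ]
            operator: 'IPMatch'
            matchValues: [ '203.0.113.0/24' ]    // RFC 5737 documentation range, assumed hostile source
          }
        ]
      }
      {
        // Custom rule 2: match on a request attribute (User-Agent header) after lowercasing it
        name: 'BlockScannerUserAgent'
        priority: 20
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              { variableName: 'RequestHeaders', selector: 'User-Agent' }
            ]
            operator: 'Contains'
            matchValues: [ 'sqlmap' ]            // assumed scanner signature
            transforms: [ 'Lowercase' ]
          }
        ]
      }
    ]
  }
}

// Edge pattern: a global policy that is later associated with an Azure Front Door profile.
// Started in Detection mode so matches can be reviewed in logs before blocking is enforced.
resource afdWafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'wafafdcontosoweb'             // assumed name; Front Door policy names allow letters and digits only
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Detection'
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'       // action applied once the policy is switched to Prevention
        }
      ]
    }
  }
}
```

Neither policy filters anything on its own: the Application Gateway policy takes effect only when it is linked to a gateway using the WAF_v2 SKU, and the Front Door policy only when it is associated with a Front Door endpoint through a security policy. That association is what the page means when it says a WAF policy is "applied with" Application Gateway or Front Door.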

Be careful with product names. Azure Firewall and Web Application Firewall both include firewall in the name, but their exam roles are different. Azure Firewall is about network and application connectivity policy for Azure workloads. Web Application Firewall is about protecting web applications from common exploits at the HTTP or HTTPS layer.

  • Pick WAF for web application exploit protection.
  • Pick Azure Firewall for central network firewalling.
  • Pick DDoS Protection for network-layer denial-of-service mitigation.
  • Pick NSGs for subnet or network-interface filtering.

Test Your Knowledge

A scenario asks which Azure control helps protect a web application from SQL injection and cross-site scripting. Which answer is best?

Test Your Knowledge

Which statement correctly distinguishes Azure Firewall from Azure Web Application Firewall?

Test Your Knowledge

A web application is delivered through Azure Front Door and needs policy-based web exploit protection at the edge. Which service should be associated with it?
