5.4 Web Application Firewall for HTTP Workloads

Key Takeaways

  • Azure Web Application Firewall protects web apps at layer 7 from common exploits such as SQL injection and cross-site scripting using managed rules plus custom rules.
  • Managed rules are based on the OWASP Core Rule Set (CRS); Azure's current managed ruleset is the Default Rule Set (DRS), and CRS/DRS use anomaly scoring (rules carry severities that accumulate to a threshold).
  • WAF deploys two ways: with Azure Application Gateway for regional protection and with Azure Front Door for globally distributed edge protection.
  • Detection mode logs without blocking; Prevention mode actively blocks. Tune in Detection first to remove false positives, then switch to Prevention. WAF (L7) complements DDoS Protection (L3/L4).
Last updated: June 2026

Protect Web Applications at the Application Layer

Web Application Firewall (WAF) is the Azure control to recognize whenever the stem talks about web application threats. Microsoft describes Azure WAF as protection for web applications from common exploits such as SQL injection, cross-site scripting (XSS), and other web vulnerabilities. That makes WAF different from Azure Firewall (a managed network firewall) and from Azure DDoS Protection (network-layer availability). WAF operates at layer 7, inspecting the content of HTTP and HTTPS requests — headers, query strings, body, and URI.

WAF works through policies. A WAF policy combines managed rules and custom rules. Managed rules provide out-of-the-box protection for common vulnerability patterns; custom rules let you define your own conditions, such as a source-IP allow/block list, a rate limit, or geo-filtering. You do not memorize every rule for SC-900, but you should understand that WAF protection is rule-based and that managed rules cover the well-known web risks.

OWASP Rule Sets, Modes, and Deployment Options

The managed rules derive from the OWASP Core Rule Set (CRS). Azure's current recommended managed ruleset is the Default Rule Set (DRS), which is built on a CRS baseline and adds Microsoft Threat Intelligence rules. When you use CRS/DRS, the WAF uses anomaly scoring: each matched rule has a severity (Critical, Error, Warning, Notice) that adds to a score, and the request is blocked only when the accumulated score crosses the threshold — a single match does not automatically block.

WAF runs in one of two modes, a classic exam distinction:

| Mode | Behavior | When to use |
|---|---|---|
| Detection | Logs and monitors rule matches but does not block | Initial rollout; tune out false positives against real traffic |
| Prevention | Actively blocks requests that breach the policy | After tuning, for live protection |

Best practice is to start in Detection, review the logs, build exclusions for false positives, then switch to Prevention.
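The anomaly-scoring and mode behaviour described above, as an added worked model (not Azure's engine or code from this guide). The severity points and the inbound threshold of 5 are the OWASP CRS 3.x defaults that the Azure CRS and DRS managed rule sets also use; the rule ids, patterns and sample requests are constructed for the example. It shows the point the text makes: one Critical match reaches the threshold, a single low-severity match does not, but several low-severity matches can add up to a block, and Detection mode records the same verdict without ever stopping the request.

```python
"""Toy model of CRS/DRS anomaly scoring and of Detection vs Prevention mode.

Added illustration, not Azure's WAF engine. Severity points and the inbound
threshold of 5 are the OWASP CRS 3.x defaults shared by Azure CRS/DRS; the
rule ids, patterns and requests below are constructed.
"""
from dataclasses import dataclass
from typing import Callable
from urllib.parse import unquote
import re

# CRS severity -> anomaly points (CRS 3.x defaults, also used by Azure DRS)
SEVERITY_POINTS = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
INBOUND_THRESHOLD = 5  # one Critical match reaches it; several low ones can too


@dataclass
class Request:
    method: str
    uri: str
    headers: dict
    body: str = ""

    def text(self) -> str:
        """Everything a layer-7 inspector sees: method, decoded URI, headers, body."""
        header_text = "\n".join(f"{k}: {v}" for k, v in self.headers.items())
        return f"{self.method} {unquote(self.uri)}\n{header_text}\n\n{self.body}"

    def has_header(self, name: str) -> bool:
        return name.lower() in {k.lower() for k in self.headers}


@dataclass
class Rule:
    rule_id: str  # constructed ids, not real CRS rule numbers
    severity: str
    matches: Callable[[Request], bool]


def _search(pattern: str) -> Callable[[Request], bool]:
    compiled = re.compile(pattern, re.IGNORECASE)
    return lambda req: compiled.search(req.text()) is not None


RULES = [
    Rule("sample-sqli", "Critical", _search(r"\bunion\b.+\bselect\b|'\s*or\s*'?1'?\s*=\s*'?1")),
    Rule("sample-xss", "Critical", _search(r"<script\b|javascript:")),
    Rule("sample-no-accept", "Notice", lambda r: not r.has_header("Accept")),
    Rule("sample-no-user-agent", "Notice", lambda r: not r.has_header("User-Agent")),
    Rule("sample-odd-method", "Warning", lambda r: r.method not in {"GET", "HEAD", "POST", "OPTIONS"}),
]


def evaluate(req: Request, mode: str) -> dict:
    """Score a request and apply the policy mode.

    Detection mode logs the matches and whether the threshold was reached but
    always passes the request; Prevention mode blocks at the threshold.
    """
    if mode not in ("Detection", "Prevention"):
        raise ValueError("mode must be Detection or Prevention")
    matched = [r for r in RULES if r.matches(req)]
    score = sum(SEVERITY_POINTS[r.severity] for r in matched)
    if score < INBOUND_THRESHOLD:
        verdict = "Allowed"
    elif mode == "Prevention":
        verdict = "Blocked"
    else:
        verdict = "Detected"  # would have been blocked in Prevention; logged only
    return {
        "score": score,
        "matched": [r.rule_id for r in matched],
        "verdict": verdict,
        "passed": verdict != "Blocked",
    }


if __name__ == "__main__":
    browser = {"Accept": "text/html", "User-Agent": "Mozilla/5.0 (constructed)"}
    samples = {
        "clean": Request("GET", "/items?id=42", browser),
        # constructed injection payload in the query string, URL-encoded
        "sqli": Request("GET", "/items?id=42%27%20or%201%3D1--", browser),
        # two Notice matches: 2 + 2 = 4, still under the threshold
        "bare-client": Request("GET", "/items", {}),
        # 2 + 2 + 3 = 7: low-severity matches accumulate past the threshold
        "bare-client-odd-method": Request("TRACE", "/items", {}),
    }
    for mode in ("Detection", "Prevention"):
        for name, req in samples.items():
            print(mode, name, evaluate(req, mode))
```

Running it in Detection mode first and reading the "Detected" verdicts is the tuning loop the text recommends: a false positive shows up as a legitimate request whose score crosses the threshold, and an exclusion removes that contribution before the policy is switched to Prevention.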

Azure offers two WAF deployment patterns, and the exam may ask which fits:

  • WAF on Azure Application Gateway — a regional, dedicated layer-7 load balancer for protecting applications within a region.
  • WAF on Azure Front Door — a globally distributed edge service that inspects and filters traffic close to users before it reaches the origin, ideal for public, global endpoints.

WAF policies can also be associated with Azure CDN in some configurations, but Application Gateway and Front Door are the two you must know.

Layered Design and the Naming Trap

A layered design pairs WAF with DDoS Protection. DDoS Protection handles layer 3/4 volumetric floods; WAF handles layer 7 web exploits. If a question mentions both high-volume network attacks and web exploit attempts, the safe conceptual answer is that both layers have a role — DDoS Protection for the flood, WAF for the malicious requests.

Be careful with product names. Azure Firewall and Web Application Firewall both contain "firewall," but their exam roles differ:

| Control | Layer | Protects | Typical clue |
|---|---|---|---|
| Azure Firewall | L3-L7 network | Network/application connectivity for Azure workloads | Central, stateful, FQDN, threat intel |
| Web Application Firewall | L7 web | Web apps from OWASP exploits | SQL injection, XSS, App Gateway, Front Door |
| Azure DDoS Protection | L3-L4 | Public availability under floods | Volumetric, denial of service |
| Network security group | L3-L4 | Subnet/NIC traffic | Allow/deny rules, 5-tuple |

Quick selection cues:

  • Pick WAF for web application exploit protection (SQL injection, XSS, OWASP).
  • Pick Azure Firewall for central network firewalling and FQDN/threat-intel filtering.
  • Pick DDoS Protection for network-layer denial-of-service mitigation.
  • Pick NSGs for subnet or network-interface filtering.

What WAF Inspects, and Application Gateway vs Front Door

Because WAF works at layer 7, it can read parts of a request that lower-layer controls never see: the URI, query string, request headers (including cookies and user-agent), the HTTP method, and the request body. Managed rules pattern-match these against known exploit signatures, while custom rules let you act on the same fields — for example, rate-limit by client IP, geo-filter by country, or block a specific header value.

This visibility is exactly why WAF, not Azure Firewall, is the answer for web-exploit questions: a network firewall sees IPs and ports, but WAF sees the content of the web request.
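The custom-rule side of the paragraph above (source-IP allow list, geo-filtering, blocking on a header value, rate-limiting by client IP) as an added example; this is not Azure's implementation and not code from this guide. The match variables and operators are loosely modelled on the names Azure WAF custom rules use (RemoteAddr with IPMatch or GeoMatch, RequestUri and RequestHeaders with Contains), but the semantics are simplified and assumed: rules run in ascending priority, every condition in a rule must match, Allow and Block terminate evaluation, Log records and continues, and a rate-limit rule only acts once the per-client count inside a sliding window exceeds its threshold. Every IP range, country code and header value is constructed.

```python
"""Toy custom-rule evaluator over the layer-7 fields a WAF can read.

Added illustration, not Azure's engine. Variable and operator names are
loosely modelled on Azure WAF custom rules; the ordering and termination
semantics are assumptions, and all sample values are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class Request:
    client_ip: str
    country: str  # assumed already resolved from the client IP by the edge
    method: str
    uri: str
    headers: dict = field(default_factory=dict)


@dataclass
class Condition:
    variable: str  # RemoteAddr | RequestUri | RequestHeaders
    operator: str  # IPMatch | GeoMatch | Contains | Equal
    values: list
    selector: Optional[str] = None  # header name when variable is RequestHeaders
    negate: bool = False


@dataclass
class CustomRule:
    name: str
    priority: int  # lower number is evaluated first
    action: str  # Allow | Block | Log
    conditions: list
    rate_limit: Optional[tuple] = None  # (threshold, window_seconds)


def _match(req: Request, cond: Condition) -> bool:
    if cond.operator == "IPMatch":
        ip = ipaddress.ip_address(req.client_ip)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in cond.values)
    elif cond.operator == "GeoMatch":
        hit = req.country.upper() in {v.upper() for v in cond.values}
    else:
        if cond.variable == "RequestUri":
            value = req.uri
        elif cond.variable == "RequestHeaders":
            value = next((v for k, v in req.headers.items()
                          if k.lower() == (cond.selector or "").lower()), "")
        else:
            raise ValueError(f"unknown match variable {cond.variable}")
        if cond.operator == "Contains":
            hit = any(v.lower() in value.lower() for v in cond.values)
        elif cond.operator == "Equal":
            hit = value.lower() in {v.lower() for v in cond.values}
        else:
            raise ValueError(f"unknown operator {cond.operator}")
    return hit != cond.negate


class CustomRuleEngine:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.windows = defaultdict(deque)  # (rule name, client ip) -> timestamps
        self.log = []  # (rule name, action, client ip) for every rule that fired

    def evaluate(self, req: Request, now: float = 0.0) -> str:
        """Return Allow, Block, or Continue (no terminating custom rule matched,
        so the request would go on to the managed rules)."""
        for rule in self.rules:
            if not all(_match(req, c) for c in rule.conditions):
                continue
            if rule.rate_limit:
                threshold, window = rule.rate_limit
                seen = self.windows[(rule.name, req.client_ip)]
                while seen and now - seen[0] >= window:
                    seen.popleft()  # drop requests that fell out of the window
                seen.append(now)
                if len(seen) <= threshold:
                    continue  # under the limit: the rule has not fired yet
            self.log.append((rule.name, rule.action, req.client_ip))
            if rule.action in ("Allow", "Block"):
                return rule.action
        return "Continue"


POLICY = [  # constructed policy; 203.0.113.0/24 is a documentation range, ZZ a user-assigned code
    CustomRule("allow-office", 10, "Allow", [Condition("RemoteAddr", "IPMatch", ["203.0.113.0/24"])]),
    CustomRule("block-geo", 20, "Block", [Condition("RemoteAddr", "GeoMatch", ["ZZ"])]),
    CustomRule("block-bad-agent", 30, "Block",
               [Condition("RequestHeaders", "Contains", ["constructed-bad-agent"], selector="User-Agent")]),
    CustomRule("login-rate-limit", 40, "Block",
               [Condition("RequestUri", "Contains", ["/login"])], rate_limit=(5, 60)),
]

if __name__ == "__main__":
    engine = CustomRuleEngine(POLICY)
    ua = {"User-Agent": "Mozilla/5.0 (constructed)"}
    for t in range(6):  # sixth login attempt inside 60 s trips the rate limit
        print(t, engine.evaluate(Request("198.51.100.9", "AA", "POST", "/login", ua), now=float(t)))
```

Because priority decides, the allow-listed office range passes even when a later rule would block it, which is the usual reason a custom Allow rule sits at the top of a policy; the rate-limit rule shows why client IP is the natural key for per-client throttling at layer 7.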

Choosing between the two deployment surfaces follows the traffic pattern:

| Factor | WAF on Application Gateway | WAF on Front Door |
|---|---|---|
| Scope | Regional (single region) | Global edge (many points of presence) |
| Best for | Apps served from one region; needs path-based routing/SSL offload | Global, public, internet-facing endpoints needing edge filtering |
| Where it filters | At the regional gateway | Close to the user, before traffic reaches the origin |
| Pairs naturally with | DDoS Protection on the VNet | Front Door's built-in edge protections |

For SC-900, you usually only need to recognize that both carry WAF and to map regional → Application Gateway and global edge → Front Door.

OWASP Top 10 Context and Common Traps

The exploits WAF defends against are drawn from the OWASP Top 10 — the industry list of the most critical web application risks, of which injection (including SQL injection) and cross-site scripting are perennial members. You do not need to memorize the full list, but knowing that "OWASP" in a stem signals web application risk and therefore WAF is high-value.

Two traps recur. First, candidates pick Azure Firewall because it also says "firewall" — but unless the stem mentions web exploits, HTTP content, Application Gateway, or Front Door, a network firewall is not a WAF. Second, candidates assume WAF blocks immediately on any rule match; with anomaly scoring, a single low-severity match may only contribute points, and blocking happens at the threshold — which is why Detection mode tuning matters before Prevention mode goes live.

Test Your Knowledge

A scenario asks which Azure control helps protect a web application from SQL injection and cross-site scripting. Which answer is best?

A team is rolling out a new WAF policy and wants to observe which legitimate requests would be blocked before enforcing blocking. Which WAF mode should they start with?

A web application is delivered through Azure Front Door and needs policy-based web exploit protection at the global edge. Which service should be associated with it?

Which statement about how Azure WAF managed rules work is correct?
