Azure Web Application Firewall (WAF) is a cloud-based security service that provides centralized protection of web applications from common exploits and vulnerabilities. It operates at the application layer to inspect incoming web traffic and uses a set of rules to block attacks that could potentially harm your applications.
This includes protection against SQL injection attacks, cross-site scripting (XSS), and other common web threats, ensuring that only safe traffic reaches your web apps. By leveraging global threat intelligence to protect against new and evolving threats, Azure WAF helps maintain the security posture of applications without requiring extensive security expertise.
The service integrates with Azure services such as Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN), offering a scalable and secure entry point for all your web applications hosted in Azure.
Azure Web Application Firewall offers the following security features:
Azure WAF is useful for applications with various security requirements.
Web applications that handle sensitive or proprietary data, such as personal identification information, financial details, and trade secrets, are prime targets for cyber attacks. Azure WAF applies security rules and threat intelligence to detect and prevent unauthorized access and data breaches.
Its security measures also help organizations comply with regulatory requirements related to data protection and privacy. By mitigating vulnerabilities that could lead to data exposure or loss, Azure WAF supports adherence to standards such as GDPR, HIPAA, and PCI DSS.
Web applications often require user authentication to provide access to restricted areas and sensitive data. However, attackers often target authentication systems to gain unauthorized access. Azure WAF helps prevent common exploits such as credential stuffing, brute force attacks, and session hijacking.
By applying its rule sets to inspect and filter incoming traffic, Azure WAF helps ensure that only legitimate users can gain access, while malicious attempts are blocked or logged for further analysis. It also supports multi-factor authentication (MFA) enforcement policies and can be configured to detect anomalies in login patterns, which may indicate automated attack attempts.
As a cloud-based service, Azure WAF aims to provide an affordable way to secure web applications without necessitating extensive resources for threat detection and mitigation. Its out-of-the-box protection against common vulnerabilities allows organizations to uphold high security standards while adhering to budget limitations.
Azure WAF’s scalability lets organizations adjust their web application protection to keep up with changing operational demands. It helps them maintain optimal security levels as they grow or as their security needs change, without incurring prohibitive costs.
Azure WAF pricing depends on the version of Application Gateway used and the amount of data processed.
The pricing for Azure Application Gateway WAF v1 depends on the gateway size and the amount of data processed. For medium-sized gateways, the cost is $0.126 per gateway-hour, and for large gateways, it is $0.448 per gateway-hour.
The Azure Application Gateway WAF v2 Stock Keeping Unit (SKU) offers autoscaling, zone redundancy, and static VIP support. Compared to v1, it provides enhanced performance, better provisioning and configuration update times, header rewrites, and WAF custom rules.
Pricing is based on gateway hours and capacity units. The cost is $0.443 per gateway-hour and $0.0144 per capacity unit-hour. Inbound data transfers are free, while outbound data transfers are charged at standard rates.
Data processing charges for Azure WAF depend on the amount of data processed by the application gateways. Prices start at $0.008 per GB for small gateways. For medium gateways, the first 10 TB per month are included, and beyond that, the cost is $0.007 per GB. For large gateways, the first 40 TB per month are included, with additional data processed at $0.0035 per GB.
Here are some of the important concepts to understand when using Azure WAF.
Azure WAF can be configured to operate in two modes:
Switching between these modes lets organizations balance thorough monitoring for insights against proactive threat mitigation, depending on their current security posture and operational needs.
Azure WAF uses specialized engines to inspect and process web traffic, ensuring protection against web threats. These engines are designed to analyze HTTP requests in real time, identifying patterns and signatures that match known vulnerabilities or attack vectors.
With access to detection algorithms and a threat intelligence database, they can accurately distinguish between benign and malicious traffic. This helps defend against web application attacks such as SQL injection, cross-site scripting (XSS), and other common exploits. Depending on the version of the Core Rule Set (CRS) selected, Azure WAF uses different engine versions that offer varying levels of performance and feature support.
Azure WAF supports various actions to respond to detected threats, enabling control over how potential attacks are handled. The primary actions include:
The WAF can also assign an anomaly score based on rule matches, incrementing this score for each triggered rule. This mechanism allows for nuanced responses based on cumulative threat indicators rather than binary allow/block decisions.
Anomaly Scoring Mode is useful for enabling a nuanced approach to threat detection and response. Instead of evaluating each rule match in isolation, this mode aggregates the severity of all matched rules into a cumulative anomaly score. Each rule is assigned a severity level—Critical, Error, Warning, or Notice—that translates to a numeric value.
This scoring system allows Azure WAF to determine the overall risk posed by a request based on the totality of suspicious patterns identified, rather than triggering on a single match. The WAF sets a threshold for blocking traffic, and if the cumulative anomaly score for a request exceeds this threshold, the request is considered malicious and blocked.
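The following sketch, an added example rather than Azure's or the author's code, accumulates anomaly scores per request and shows how two low-severity matches can add up to a block while a single Error match does not. The severity values (Critical 5, Error 4, Warning 3, Notice 2), the threshold of 5 and the Detection/Prevention mode names follow Microsoft's documentation for Application Gateway WAF with CRS 3.x and are assumptions here, since the page does not list them; the request IDs and rule labels are constructed.

```python
from collections import defaultdict

# Assumed from Microsoft's Application Gateway WAF (CRS 3.x) documentation;
# these values are not stated on this page.
SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
BLOCK_THRESHOLD = 5  # a single Critical match is enough to reach it

# Constructed sample of rule matches: (request_id, rule_label, severity).
# The labels are hypothetical, not real CRS rule IDs.
SAMPLE_MATCHES = [
    ("req-1", "sqli-pattern", "Critical"),
    ("req-2", "missing-accept-header", "Notice"),
    ("req-3", "numeric-host-header", "Warning"),
    ("req-3", "missing-user-agent", "Notice"),
    ("req-4", "protocol-anomaly", "Error"),
]


def score_requests(matches):
    """Sum the severity value of every matched rule, per request."""
    scores = defaultdict(int)
    for request_id, _rule, severity in matches:
        scores[request_id] += SEVERITY_SCORE[severity]
    return dict(scores)


def decide(score, mode="Prevention"):
    """Map a cumulative score to an outcome for the given WAF mode."""
    if score < BLOCK_THRESHOLD:
        return "allow"  # matches are still logged, but the request passes
    # Detection mode only records the would-be block; Prevention enforces it.
    return "block" if mode == "Prevention" else "log"


def evaluate(matches, mode="Prevention"):
    """Return {request_id: (score, outcome)} for a batch of rule matches."""
    return {rid: (s, decide(s, mode)) for rid, s in score_requests(matches).items()}


if __name__ == "__main__":
    for rid, (score, outcome) in sorted(evaluate(SAMPLE_MATCHES).items()):
        print(f"{rid}: score={score} -> {outcome}")
```

When tuning a policy, running the same matches through Detection mode first shows which requests would be blocked before enforcement is switched on.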
Azure WAF can be connected with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN), allowing for a centralized approach to web application security across different delivery networks. This integration allows organizations to apply consistent security policies and protections across their web application landscape.
Azure WAF’s compatibility with automation tools and services such as Azure Resource Manager (ARM) templates, REST APIs, and PowerShell scripts simplifies the configuration and management of WAF policies. This allows for automated deployment and scaling of web application firewall instances in response to changing traffic patterns or security requirements.
Integration with Microsoft Defender for Cloud provides enhanced monitoring capabilities by offering centralized visibility into the security posture of web applications protected by Azure WAF.