Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

WAF on Azure Explained: How It Works, Key Features and Pricing

  • 8 min read

What Is Azure Web Application Firewall (WAF)? 

Azure Web Application Firewall (WAF) is a cloud-based security service that provides centralized protection of web applications from common exploits and vulnerabilities. It operates at the application layer to inspect incoming web traffic and uses a set of rules to block attacks that could potentially harm your applications. 

This includes protection against SQL injection attacks, cross-site scripting (XSS), and other common web threats, ensuring that only safe traffic reaches your web apps. By leveraging global threat intelligence to protect against new and evolving threats, Azure WAF helps maintain the security posture of applications without requiring extensive security expertise.

The service integrates with Azure services such as Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN), offering a scalable and secure entry-point for all your web applications hosted in Azure.

In this article, you will learn:

Azure WAF Features 

Azure Web Application Firewall offers the following security features:

  1. Protection against web attacks: This includes protection against SQL injection (SQLi) and Cross-Site Scripting (XSS) attacks, two of the most common threats to web applications. By using rule sets based on the Open Web Application Security Project (OWASP) Core Rule Set, Azure WAF identifies and blocks attempts to exploit these vulnerabilities. It also protects against attacks like command injections, HTTP request smuggling, HTTP response splitting, and remote file inclusion. 
  2. Detection of common application misconfigurations: These misconfigurations can inadvertently expose web applications to security risks, making them easy targets for attackers. Azure WAF scrutinizes web traffic for patterns indicative of misconfigured web servers, such as Apache and IIS, and application settings that could potentially be exploited. By identifying these vulnerabilities early, it helps administrators rectify configuration errors before they can be used against the application.
  3. Configurable request size limits: These allow administrators to define maximum sizes for incoming requests. This feature is designed to mitigate the risk of buffer overflow attacks, where attackers attempt to overload the server by sending excessively large requests. By setting upper and lower bounds on the size of requests, the WAF filters out potential threats that rely on large payloads.
  4. Support for custom rules: These can address security requirements that are not covered by pre-configured rule sets. Administrators can define the conditions under which traffic should be allowed, blocked, or logged, based on patterns in request headers, cookies, URI strings, and other HTTP attributes. Custom rules can prioritize certain types of traffic or create exceptions for legitimate requests that might otherwise be flagged as threats.

Related content: Read our guide to WAF architecture (coming soon)

Azure WAF Use Cases 

Azure WAF is useful for applications with various security requirements.

Web Apps with Sensitive Data

Web applications that handle sensitive or proprietary data, such as personal identification information, financial details, and trade secrets, are prime targets for cyber attacks. Azure WAF applies security rules and threat intelligence to detect and prevent unauthorized access and data breaches. 

Its security measures also help organizations comply with regulatory requirements related to data protection and privacy. By mitigating vulnerabilities that could lead to data exposure or loss, Azure WAF supports adherence to standards such as GDPR, HIPAA, and PCI DSS. 

Web Apps Requiring Authentication 

Web applications often require user authentication to provide access to restricted areas and sensitive data. However, attackers often target authentication systems to gain unauthorized access. Azure WAF helps prevent common exploits such as credential stuffing, brute force attacks, and session hijacking. 

By applying its rule sets to inspect and filter incoming traffic, Azure WAF helps ensure that only legitimate users can gain access, while malicious attempts are blocked or logged for further analysis. It also supports multi-factor authentication (MFA) enforcement policies and can be configured to detect anomalies in login patterns, which may indicate automated attack attempts.

Web Apps with Tight Budget Constraints and Security Requirements 

As a cloud-based service, Azure WAF aims to provide an affordable way to secure web applications without necessitating extensive resources for threat detection and mitigation. Its out-of-the-box protection against common vulnerabilities allows organizations to uphold high security standards while adhering to budget limitations.

Azure WAF’s scalability lets organizations adjust their web application protection to keep up with changing operational demands. It helps them maintain optimal security levels as they grow or as their security needs change, without incurring prohibitive costs. 

Azure WAF Pricing 

Azure WAF pricing depends on the version of Application Gateway used and the amount of data processed.

Azure WAF with Application Gateway v1

The pricing for Azure Application Gateway WAF v1 depends on the gateway size and the amount of data processed. For medium-sized gateways, the cost is $0.126 per gateway-hour, and for large gateways, it is $0.448 per gateway-hour. 

Azure WAF with Application Gateway v2

Azure Application Gateway WAF v2 Stock Keeping Unit (SKU) offers autoscaling, zone redundancy, and static VIP support. Compared to v1, it provides enhanced performance, better provisioning and configuration update times, header rewrites, and WAF custom rules. 

Pricing is based on gateway hours and capacity units. The cost is $0.443 per gateway-hour and $0.0144 per capacity unit-hour. Inbound data transfers are free, while outbound data transfers are charged at standard rates.

Data Processing

Data processing charges for Azure WAF depend on the amount of data processed by the application gateways. Prices start at $0.008 per GB for small gateways. For medium gateways, the first 10 TB per month are included, and beyond that, the cost is $0.007 per GB. For large gateways, the first 40 TB per month are included, with additional data processed at $0.0035 per GB. 

Deep Dive: Azure WAF Under the Hood

Here are some of the important concepts to understand when using Azure WAF.

Detection and Prevention Modes 

Azure WAF can be configured to operate in two modes:

  • In detection mode, Azure WAF monitors incoming traffic and logs threats without actively blocking them. This allows organizations to assess the nature and frequency of attacks without impacting the user experience. It’s particularly useful during the initial deployment phase or when fine-tuning custom rules, helping identify false positives and adjust configurations accordingly without denying legitimate traffic.
  • In prevention mode, Azure WAF takes a more assertive approach by blocking threats in real time. It helps stop unauthorized access attempts before reaching the application layer. When an attack pattern is recognized, the offending request is immediately rejected, and a “403 Forbidden” error is returned to the user.

Switching between these modes offers organizations the ability to balance between thorough monitoring for insights and proactive threat mitigation based on their current security posture and operational needs.

WAF Engines 

Azure WAF uses specialized engines to inspect and process web traffic, ensuring protection against web threats. These engines are designed to analyze HTTP requests in real time, identifying patterns and signatures that match known vulnerabilities or attack vectors. 

With access to detection algorithms and a threat intelligence database, they can accurately distinguish between benign and malicious traffic. This helps defend against web application attacks such as SQL injection and cross-site scripting (XSS), and other common exploits. Depending on the version of CRS selected, Azure WAF uses different engine versions that offer varying levels of performance and feature support.  

Types of Azure WAF Actions 

Azure WAF supports various actions to respond to detected threats, enabling control over how potential attacks are handled. The primary actions include: 

  • Allow: Permits the request to pass through the WAF and be forwarded to the backend application, ensuring that legitimate traffic is not impeded. This is useful for requests that match custom rules associated with acceptable behavior or traffic from trusted sources.
  • Block: Prevents a request from reaching the application by sending a response directly to the client, typically a “403 Forbidden” status code, stopping potential attacks.
  • Log: For monitoring purposes, this action records details about the request in the WAF logs without blocking it, providing insights into suspicious activities.

The WAF can also assign an anomaly score based on rule matches, incrementing this score for each triggered rule. This mechanism allows for nuanced responses based on cumulative threat indicators rather than binary allow/block decisions.

Anomaly Scoring Mode 

Anomaly Scoring Mode is useful for enabling a nuanced approach to threat detection and response. Instead of evaluating each rule match in isolation, this mode aggregates the severity of all matched rules into a cumulative anomaly score. Each rule is assigned a severity level—Critical, Error, Warning, or Notice—that translates to a numeric value. 

This scoring system allows Azure WAF to determine the overall risk posed by a request based on the totality of suspicious patterns identified, rather than triggering on a single match. The WAF sets a threshold for blocking traffic and if the cumulative anomaly score for a request exceeds this threshold, the request is considered malicious and blocked. 

Integration Options 

Azure WAF can be connected with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN), allowing for a centralized approach to web application security across different delivery networks. This integration allows organizations to apply consistent security policies and protections across their web application landscape.

Azure WAF’s compatibility with automation tools and services such as Azure Resource Manager (ARM) templates, REST APIs, and PowerShell scripts simplifies the configuration and management of WAF policies. This allows for automated deployment and scaling of web application firewall instances in response to changing traffic patterns or security requirements. 

Integration with Microsoft Defender for Cloud provides enhanced monitoring capabilities by offering centralized visibility into the security posture of web applications protected by Azure WAF. 

Managed WAF and CDN with Coralogix

Coralogix sets itself apart in observability with its modern architecture, enabling real-time insights into logs, metrics, and traces with built-in cost optimization. Coralogix’s straightforward pricing covers all its platform offerings including APM, RUM, SIEM, infrastructure monitoring and much more. With unparalleled support that features less than 1 minute response times and 1 hour resolution times, Coralogix is a leading choice for thousands of organizations across the globe.

Learn more about Coralogix for WAF and CDN

Where Modern Observability
and Financial Savvy Meet.