Difference between WAF in Application Gateway and WAF Policy assigned to Application Gateway

David Gardiner 36 Reputation points MVP
2021-04-08T07:14:41.847+00:00

If I create a new Azure Application Gateway, I can enable Web Application Firewall via the Settings | Web application firewall page.

If I do that, I don't see a separate WAF resource created, and I also don't see a way to do things like add custom rules to the firewall.

Conversely, if I create a new "Web Application Firewall (WAF)" resource, then I can assign that to an Application Gateway at creation time, and then I can see the option to add custom rules.

Is there any documentation clarifying the difference between these two? All I can find seems to refer to the full "policy" type WAF, e.g. https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

2 answers

  1. SaiKishor-MSFT 17,156 Reputation points
    2021-04-14T19:59:58.047+00:00

    @David Gardiner Thank you for reaching out to Microsoft Q&A. We apologize for the delay in response regarding your issue.

    Answering your question below:

    Before WAF policies were introduced, a customer would create a v2 appgw with “WAF” and have the ability to modify WAF rules as you are seeing now. It still allowed for “custom WAF rules” but only via PowerShell. Eventually WAF policies were introduced.

    The only real differences between a WAF config (on a v2 appgw that isn’t a policy) and a “WAF policy” that can be associated to the WAF are:
    1. With WAF policies you can associate multiple policies to various listeners/path maps on the same appgw.
    2. You can assign the same “WAF policy” to multiple appgws/listeners/path maps.
    3. You can see a GUI for their custom rules instead of only using PowerShell to manage custom rules.

    Nowadays, we encourage customers to migrate/associate a WAF policy right away rather than continue to work via the legacy “WAF config”. Hope this helps.

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

    2 people found this answer helpful.

  2. SUNOJ KUMAR YELURU 13,901 Reputation points MVP
    2021-04-08T07:34:46.467+00:00

    Hi @David Gardiner

    Refer to the below document.
    Create an application gateway with a Web Application Firewall using the Azure portal

    Create Web Application Firewall policies for Application Gateway

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview
    When you associate a WAF policy globally, every site behind your Application Gateway WAF is protected with the same managed rules, custom rules, exclusions, and any other configured settings.

    If you want a single policy to apply to all sites, you can associate the policy with the application gateway. For more information, see Create Web Application Firewall policies for Application Gateway to create and apply a WAF policy using the Azure portal.

    If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.

    1 person found this answer helpful.
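
An added example, not part of either answer or of Microsoft's documentation: a Python audit that tells the legacy WAF config from WAF policies and lists the scope (gateway, listener, path rule) at which each policy is attached, covering the differences listed in the first answer and the global association described in the second. The JSON field names are an assumption modelled on `az network application-gateway list -o json` output, and the sample gateways and policy ids are constructed.

```python
import json
from collections import defaultdict

# Constructed sample, trimmed to the fields used. Field names are assumed to
# match `az network application-gateway list -o json` output (ARM schema names).
SAMPLE = json.loads("""[
 {"name": "gw-legacy", "webApplicationFirewallConfiguration": {"enabled": true}},
 {"name": "gw-policy", "firewallPolicy": {"id": "/constructed/policies/shared"},
  "httpListeners": [{"name": "site-a", "firewallPolicy": {"id": "/constructed/policies/site-a"}},
                    {"name": "site-b"}],
  "urlPathMaps": [{"name": "map1", "pathRules": [
      {"name": "admin", "firewallPolicy": {"id": "/constructed/policies/admin"}}]}]},
 {"name": "gw-other", "firewallPolicy": {"id": "/constructed/policies/shared"}},
 {"name": "gw-plain", "webApplicationFirewallConfiguration": null}
]""")

def policy_id(obj):
    """Return the associated WAF policy id, or None when nothing is attached."""
    return (obj.get("firewallPolicy") or {}).get("id")

def classify(gw):
    """Report whether a gateway uses WAF policies, the legacy config, or no WAF."""
    scopes = {}
    if policy_id(gw):
        scopes["gateway"] = policy_id(gw)
    for listener in gw.get("httpListeners") or []:
        if policy_id(listener):
            scopes["listener/" + listener["name"]] = policy_id(listener)
    for path_map in gw.get("urlPathMaps") or []:
        for rule in path_map.get("pathRules") or []:
            if policy_id(rule):
                scopes["path/%s/%s" % (path_map["name"], rule["name"])] = policy_id(rule)
    legacy = bool((gw.get("webApplicationFirewallConfiguration") or {}).get("enabled"))
    mode = "policy" if scopes else ("legacy-config" if legacy else "no-waf")
    return {"name": gw["name"], "mode": mode, "scopes": scopes}

def shared_policies(gateways):
    """Map each policy id used by more than one gateway to those gateway names."""
    users = defaultdict(set)
    for gw in gateways:
        for pid in classify(gw)["scopes"].values():
            users[pid].add(gw["name"])
    return {pid: sorted(names) for pid, names in users.items() if len(names) > 1}

if __name__ == "__main__":
    for gw in SAMPLE:
        print(classify(gw))
    print(shared_policies(SAMPLE))
```

Gateways reported as `legacy-config` are the ones the first answer suggests moving to a WAF policy; `no-waf` gateways have neither protection attached.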