Hello @Ramakrishnan Venkataraman,
Welcome to Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
I understand that you have enabled WAF on an Application Gateway with many applications hosted behind this WAF, that you would like to restrict access based on source IP address, and that you have a few questions, which I have answered below.
An Azure Web Application Firewall (WAF) policy can be associated with an application gateway (global), a listener (per-site), or a path-based rule (per-URI) in order to take effect. It can be associated with any combination of application gateways, listeners, and path-based rules, so there are three types of WAF policy association:
- Global WAF policy: when you associate a WAF policy globally, every site behind your Application Gateway WAF is protected with the same managed rules, custom rules, exclusions, and any other configured settings.
- Per-site WAF policy: with per-site WAF policies, you can protect multiple sites with differing security needs behind a single WAF.
- Per-URI WAF policy: for even more customization, down to the URI level, you can associate a WAF policy with a path-based rule.
By default, with WAF policies, more specific policies override less specific ones. This means a per-URI policy on a URL path map overrides any per-site or global WAF policy above it. If there is a global policy and a per-site policy (a WAF policy associated with a listener), then the per-site policy overrides the global WAF policy for that listener. Other listeners without their own policies are only affected by the global WAF policy.
Refer to: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies
So, to answer your questions:
1) Is there any mandatory condition to attach the application gateway to the policy?
A) No, it is not mandatory to attach the application gateway to the policy, unless it is a requirement for you.
2) If I have two policies, Policy-app1 ---> listener-1, listener-2 and Policy-app2 ---> listener-3, listener-4, and I attach the application gateway to Policy-app1 with a certain set of IP addresses, would that impact Policy-app2?
A) No, Policy-app1 will not have any impact on Policy-app2, because Policy-app2 is a more specific policy associated with listener-3 and listener-4.
For example: you have two sites, abc.com and xyz.com, behind your Application Gateway WAF v2, with a policy XYZ associated with the whole application gateway and another WAF policy ABC associated with the abc.com listener. Then your site abc.com will use policy ABC and xyz.com will use policy XYZ.
Kindly let us know if the above helps or if you need further assistance with this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
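As an added example (not part of the answer above and not Microsoft's own sample code), the following Azure CLI script builds the exact setup from question 2: Policy-app1 carries a custom rule that blocks every source IP outside an allow-list and is attached to listener-1, listener-2 and the gateway itself, while Policy-app2 is attached to listener-3 and listener-4. The final step reads back which policy each listener resolves to, which is the check that confirms the precedence described in the answer. The resource group, gateway and listener names, the subscription ID and the CIDR ranges are placeholders (assumptions) that can be overridden through the environment; with `DRY_RUN=1` the script prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example: Azure CLI script for the two-policy scenario discussed in the answer.
# Every name below is a placeholder assumption; override via the environment before applying.
set -eu

RG="${RG:-rg-waf-demo}"          # resource group that holds the gateway (assumed)
AGW="${AGW:-agw-demo}"           # Application Gateway WAF_v2 name (assumed)
LOCATION="${LOCATION:-eastus}"
# Used only to build resource IDs; for a real run: SUB_ID="$(az account show --query id -o tsv)"
SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"

# Run an az command, or print it when DRY_RUN=1 so the plan can be reviewed before touching Azure.
az_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Full resource ID of a WAF policy; needed for the gateway-level (global) association.
policy_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/%s\n' \
    "$SUB_ID" "$RG" "$1"
}

# Create a WAF policy with the OWASP 3.2 managed rule set and switch it to Prevention mode.
# In Detection mode a Block custom rule only logs, so the IP restriction would not be enforced.
create_policy() {
  az_cmd network application-gateway waf-policy create -g "$RG" -n "$1" -l "$LOCATION" --type OWASP --version 3.2
  az_cmd network application-gateway waf-policy policy-setting update -g "$RG" --policy-name "$1" --state Enabled --mode Prevention
}

# Allow-list: block any request whose RemoteAddr is NOT (--negate true) inside the given CIDRs.
# Usage: allow_only_cidrs <policy> <priority> <cidr>...   (priority must be unique within the policy)
allow_only_cidrs() {
  local policy="$1"; local priority="$2"; shift 2
  az_cmd network application-gateway waf-policy custom-rule create -g "$RG" --policy-name "$policy" \
    -n AllowListedSources --priority "$priority" --rule-type MatchRule --action Block
  az_cmd network application-gateway waf-policy custom-rule match-condition add -g "$RG" --policy-name "$policy" \
    -n AllowListedSources --match-variables RemoteAddr --operator IPMatch --negate true --values "$@"
}

# Per-site association: the listener's own policy overrides the gateway-level policy for that listener.
attach_to_listener() {
  az_cmd network application-gateway http-listener update -g "$RG" --gateway-name "$AGW" -n "$2" --waf-policy "$1"
}

# Global association: only listeners without a policy of their own fall back to it.
attach_to_gateway() {
  az_cmd network application-gateway update -g "$RG" -n "$AGW" --set "firewallPolicy.id=$(policy_id "$1")"
}

# Read back the policy each listener actually resolves to, to confirm the precedence.
show_listener_policies() {
  for l in "$@"; do
    az_cmd network application-gateway http-listener show -g "$RG" --gateway-name "$AGW" -n "$l" --query firewallPolicy.id -o tsv
  done
}

configure_demo() {
  create_policy Policy-app1
  allow_only_cidrs Policy-app1 10 203.0.113.0/24 198.51.100.7/32   # documentation ranges, placeholders
  create_policy Policy-app2
  attach_to_listener Policy-app1 listener-1
  attach_to_listener Policy-app1 listener-2
  attach_to_listener Policy-app2 listener-3
  attach_to_listener Policy-app2 listener-4
  attach_to_gateway Policy-app1
  # listener-3 and listener-4 keep Policy-app2, so the allow-list in Policy-app1 never applies to them.
  show_listener_policies listener-1 listener-2 listener-3 listener-4
}

# Pass "apply" to execute (requires `az login` and an existing WAF_v2 gateway with these listeners).
if [ "${1:-}" = "apply" ]; then configure_demo; fi
```

Preview the plan with `DRY_RUN=1 sh <script> apply`, then run `sh <script> apply` after `az login`. The last step prints the `firewallPolicy.id` of each listener: listener-1 and listener-2 should show Policy-app1, listener-3 and listener-4 should show Policy-app2, which is the concrete form of the answer to question 2.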