Different WAF policy per route in Front Door

Kristian Adrup 25 Reputation points
2023-06-28T08:18:30.65+00:00

I'm setting up a site behind a premium Front Door profile. The site has a CMS backend at /admin/ that's getting a lot of false positive blocks from multiple of the managed rules. I've been trying to add exclusions, but it's like whac-a-mole, and doesn't seem feasible. I could just add a custom rule to allow everything under /admin/, but that doesn't seem right. Is there really no way to have different WAF policies for different routes of an endpoint, or am I missing something?


Accepted answer
  1. Sedat SALMAN 14,185 Reputation points MVP
    2023-06-28T14:29:58.96+00:00

    https://learn.microsoft.com/en-us/answers/questions/1197913/front-door-waf-policy-hierarchical-rules

    Based on a similar question, it seems there currently isn't a way to implement hierarchical WAF policies on Front Door or to have multiple WAF policies for a single Front Door endpoint. A single endpoint can only have one WAF policy at a time, and WAF policies cannot be assigned to the entire Front Door, only to individual endpoints. Furthermore, the policies in Azure Front Door and Azure Application Gateway are distinct from each other and cannot be used interchangeably.

    However, as an alternative, you can have a predefined template of WAF policy with all the required rules, modify it according to the endpoint(s) you are going to assign, and then create and apply the WAF policy to the respective endpoint.
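The template approach described in the accepted answer, sketched as an added example that is not part of the original thread or any Microsoft tooling: one base policy is copied per endpoint and only the listed managed-rule actions are changed, so each endpoint's deviations stay small and reviewable. The endpoint names, policy names and the choice of rule IDs are constructed placeholders; the property names are assumed to follow the ARM resource shape for Front Door WAF policies.

```python
import copy

# Constructed base template. Property names are assumed to match the ARM
# resource type Microsoft.Network/FrontDoorWebApplicationFirewallPolicies.
BASE_POLICY = {
    "sku": {"name": "Premium_AzureFrontDoor"},
    "properties": {
        "policySettings": {"enabledState": "Enabled", "mode": "Prevention"},
        "customRules": {"rules": []},
        "managedRules": {"managedRuleSets": [{
            "ruleSetType": "Microsoft_DefaultRuleSet",
            "ruleSetVersion": "2.1",
            "ruleSetAction": "Block",
            "ruleGroupOverrides": [],
        }]},
    },
}

# Hypothetical per-endpoint deviations: (rule group, rule id) -> action.
# Endpoint names and the selected rule ids are constructed for illustration.
ENDPOINT_OVERRIDES = {
    "site-public": {},
    "site-admin": {("SQLI", "942100"): "Log", ("XSS", "941100"): "Log"},
}

def build_policy(base, overrides):
    """Return a copy of base with the given managed-rule actions overridden."""
    policy = copy.deepcopy(base)  # never mutate the shared template
    rule_set = policy["properties"]["managedRules"]["managedRuleSets"][0]
    groups = {}
    for (group, rule_id), action in sorted(overrides.items()):
        groups.setdefault(group, []).append(
            {"ruleId": rule_id, "enabledState": "Enabled", "action": action})
    rule_set["ruleGroupOverrides"] = [
        {"ruleGroupName": g, "rules": r} for g, r in groups.items()]
    return policy

def build_all(base=BASE_POLICY, per_endpoint=ENDPOINT_OVERRIDES):
    """One policy per endpoint, keyed by a hypothetical policy name."""
    return {"waf" + name.replace("-", ""): build_policy(base, ov)
            for name, ov in per_endpoint.items()}

def overrides_of(policy):
    """List (group, ruleId, action) where a policy departs from the template."""
    rs = policy["properties"]["managedRules"]["managedRuleSets"][0]
    return [(g["ruleGroupName"], r["ruleId"], r["action"])
            for g in rs["ruleGroupOverrides"] for r in g["rules"]]
```

Running `overrides_of` over every generated policy gives a per-endpoint list of relaxed rules that can be reviewed before the policies are deployed.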

