Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
688 questions
Azure WAF Security Features in Standard Tier with Front Door
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 20%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Bhushan Gawale
316
Reputation points
Hey all - I’m looking for insights regarding the security features offered by the Azure WAF when deployed in the Standard tier with Azure FD, particularly in scenarios where the customer does not want to create any custom rules.
Given that the Microsoft managed rule set and access to WAF logs are only available in the Premium tier, what specific security protections does the Standard tier provide by default?
Any insights or experiences would be greatly appreciated!
{count} votes
-
KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee2024-08-20T08:41:48.65+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
As you mentioned, we have Custom-authored rules available in the Standard Tier.
This includes,
- IP allow list and block list
- Geographic-based access control
- HTTP parameters-based access control
- Request method-based access control
- Rate limiting rules
- Size constraint
You can find more examples here : Custom rules for Azure Web Application Firewall on Azure Front Door.
In addition to these, you also have "request body inspection" and "WAF custom response" .
To answer your question, everything above needs to be configured - i.e., they are not "default".
- But please note that "request body inspection" and "WAF custom response" are one step process in both Standard and Premium
Hope this adds more clarity
Cheers,
Kapil
-
Bhushan Gawale 316 Reputation points
2024-08-20T10:36:35.13+00:00 Thanks for your response @KapilAnanth-MSFT Yes, that's correct, and I notice that different custom rules can be added in the standard tier. However, I'm curious about the value of the standard tier when customers opt not to create any custom rules.
For instance, what happens when the request body inspection setting is enabled? Is there any Microsoft documentation that specifies what it accomplishes once activated?
I would expect that any WAF should offer basic protection against common web vulnerabilities, such as XSS, SQL injection, and HTTP protocol violations.
If I assume that the standard tier inherently offers these basic protection services against web vulnerabilities, where can we access the logs? The WAF logs are only available in the premium tier.
-
KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee
2024-08-26T09:38:44.1533333+00:00 May I ask where you saw that "WAF logs are only available in the premium tier"
- From this page, Logs and diagnostics - I could not find any such limitation.
Wrt "Request body inspection" - you can refer here for more info
Wrt, "XSS, SQL injection, and HTTP protocol violations." - they are covered using Default rule sets (Managed Rules)
- Since Standard does not have Managed Rules support, these attacks would not be captured with Standard WAF tier
Hope this helps
Cheers,
Kapil
Sign in to comment
Sign in to answer