Hello Van Huy Tuyen,
I understand that you're trying to get clarity on the differences between Azure Application Gateway and its Web Application Firewall (WAF) features.
Azure Application Gateway acts as an application delivery controller (ADC) that provides various features like SSL termination, multi-site hosting, autoscaling, cookie-based session affinity, round-robin load distribution, and content-based routing. It enhances security through TLS policy management but does not include the comprehensive security features offered by WAF by default.
In contrast, Web Application Firewall (WAF) provides an additional layer of security that actively protects your applications against common vulnerabilities and attacks like SQL injection and cross-site scripting. When you enable WAF on your Application Gateway, you get a suite of protection capabilities that are based on the OWASP Core Rule Set. The WAF can be configured through WAF policies, allowing tailored protection based on your needs.
To sum it up, while the Application Gateway provides essential routing and load balancing features, the WAF includes specialized security layers that protect against a broader array of web threats. You’ll need to enable WAF separately on your Application Gateway to take advantage of these advanced security features.
WAF supports multiple default rule sets, including CRS 3.2, CRS 3.1, and CRS 3.0. These rules protect your web applications from malicious activity. For more information, see Web Application Firewall DRS and CRS rule groups and rules.
Additionally, WAF supports custom rules and Bot protection rules set to take custom actions on requests from all bot categories.
Refer to this article for Application Gateway features: https://learn.microsoft.com/en-us/azure/application-gateway/features
Refer to this article to learn more about the benefits and features of using WAF on Application Gateway: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview#benefits
I hope this has been helpful!
If the above is unclear and/or you are unsure about something, add a comment below.
Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.
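Because WAF has to be enabled separately, it helps to check which gateways actually have it. The following is an added example, not part of the original answer or Microsoft's code: it classifies Application Gateway resource JSON by WAF state. The sample gateways are constructed, and the input is assumed to follow the ARM resource shape (`sku.tier`, `webApplicationFirewallConfiguration`, `firewallPolicy`), either nested under `properties` or flattened.

```python
# Added example: classify Application Gateways by WAF state from resource JSON.
WAF_TIERS = {"WAF", "WAF_v2"}

def waf_status(gw):
    """Return one of: no-waf, waf-disabled, detection-only, prevention, policy-attached."""
    props = gw.get("properties", gw)  # accept nested ARM JSON or a flattened export
    tier = (props.get("sku") or {}).get("tier", "")
    if tier not in WAF_TIERS:
        return "no-waf"               # Standard tiers: routing and TLS only
    if (props.get("firewallPolicy") or {}).get("id"):
        return "policy-attached"      # mode lives in the WAF policy resource
    legacy = props.get("webApplicationFirewallConfiguration") or {}
    if not legacy.get("enabled"):
        return "waf-disabled"         # WAF-capable SKU, WAF switched off
    if legacy.get("firewallMode") == "Prevention":
        return "prevention"
    return "detection-only"           # matches are logged, requests are not blocked

def audit(gateways):
    """Map gateway name -> WAF status for a list of resource dicts."""
    return {gw.get("name", "<unnamed>"): waf_status(gw) for gw in gateways}

def _legacy(enabled, mode):
    # Helper for the constructed samples below (hypothetical values).
    return {"enabled": enabled, "firewallMode": mode,
            "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}

# Constructed sample data, not real resources.
SAMPLE_GATEWAYS = [
    {"name": "agw-standard", "properties": {"sku": {"tier": "Standard_v2"}}},
    {"name": "agw-waf-off", "properties": {
        "sku": {"tier": "WAF_v2"},
        "webApplicationFirewallConfiguration": _legacy(False, "Detection")}},
    {"name": "agw-waf-detect", "properties": {
        "sku": {"tier": "WAF_v2"},
        "webApplicationFirewallConfiguration": _legacy(True, "Detection")}},
    {"name": "agw-waf-prevent", "properties": {
        "sku": {"tier": "WAF_v2"},
        "webApplicationFirewallConfiguration": _legacy(True, "Prevention")}},
    # Flattened shape, with a placeholder policy id
    {"name": "agw-waf-policy", "sku": {"tier": "WAF_v2"},
     "firewallPolicy": {"id": "<waf-policy-resource-id>"}},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_GATEWAYS).items():
        print(f"{name:18} {status}")
```

A gateway reported as `policy-attached` still needs its WAF policy checked for Detection versus Prevention mode.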