
1 Vote
flcdrg asked SaiKishor-MSFT answered

Difference between WAF in Application Gateway and WAF Policy assigned to Application Gateway

If I create a new Azure Application Gateway, I can enable Web Application Firewall via the Settings | Web application firewall page.

e.g. [screenshot: 85632-image.png]

If I do that, I don't see a separate WAF resource created, and I also don't see a way to do things like add custom rules to the firewall.

Conversely, if I create a new "Web Application Firewall (WAF)" resource, then I can assign that to an Application Gateway at creation time, and then I can see the option to add custom rules.

Is there any documentation clarifying the difference between these two? All I can find seems to refer to the full "policy" type WAF, e.g. https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview


Tags: azure-virtual-network, azure-application-gateway, azure-web-application-firewall

To follow up, please let us know if you have any further queries on this.
Please don’t forget to accept the answer.

0 Votes 0 ·
0 Votes
learn2skills answered flcdrg commented

Hi @flcdrg

Refer to the below document.
Create an application gateway with a Web Application Firewall using the Azure portal

Create Web Application Firewall policies for Application Gateway

https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview
When you associate a WAF policy globally, every site behind your Application Gateway WAF is protected with the same managed rules, custom rules, exclusions, and any other configured settings.

If you want a single policy to apply to all sites, you can associate the policy with the application gateway. For more information, see Create Web Application Firewall policies for Application Gateway to create and apply a WAF policy using the Azure portal.


If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.



@learn2skills sure, that's how to create a WAF, but are you aware of any documentation clarifying the functional differences, e.g. that you can't configure custom rules when you create the WAF from within Application Gateway?

0 Votes 0 ·

@flcdrg
Please refer to the below documentation.

Custom rules for Web Application Firewall v2 on Azure Application Gateway
Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow or block).

The maximum number of WAF custom rules is 100

Create and use Web Application Firewall v2 custom rules on Application Gateway


If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.


0 Votes 0 ·

@learn2skills it feels like you're just linking to docs pages without actually reading my question. I'm wondering if you're a real person or just a bot?

0 Votes 0 ·
1 Vote
SaiKishor-MSFT answered

@flcdrg Thank you for reaching out to Microsoft Q&A. We apologize for the delay in response regarding your issue.

Answering your question below:

Before WAF policies were introduced, a customer would create a v2 appgw with “waf” and have the ability to modify WAF rules as you are seeing now. It still allowed for “custom waf rules” but only via PowerShell. Eventually WAF policies were introduced.

The only real differences between a WAF config (on a v2 appgw that isn’t a policy) and a “waf policy” that can be associated to the WAF are:
1. With WAF policies you can associate multiple policies to various listeners/path maps on the same appgw.
2. You can assign the same “waf policy” to multiple appgws/listeners/pathmaps.
3. You can see a GUI for their custom rules instead of only using PowerShell to manage custom rules.

Nowadays, we encourage customers to migrate/associate a WAF policy right away rather than continue to work via the legacy “waf config”. Hope this helps.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
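To find out which gateways still run the legacy "waf config" and which have WAF policies associated (at gateway, listener or path-rule scope), the following added example, which is not part of the answer above, classifies gateway definitions offline. It assumes the exported JSON uses the property names `webApplicationFirewallConfiguration` and `firewallPolicy`; the sample data is constructed.

```python
import json

# Constructed sample, shaped like `az network application-gateway list` output
# (assumed flattened property names); every name and ID here is made up.
SAMPLE = json.loads("""[
 {"name": "appgw-legacy",
  "webApplicationFirewallConfiguration": {"enabled": true, "firewallMode": "Prevention"},
  "firewallPolicy": null,
  "httpListeners": [{"name": "site-a", "firewallPolicy": null}]},
 {"name": "appgw-policy",
  "webApplicationFirewallConfiguration": null,
  "firewallPolicy": {"id": "/constructed/policies/global-waf"},
  "httpListeners": [{"name": "site-a", "firewallPolicy": null},
                    {"name": "site-b", "firewallPolicy": {"id": "/constructed/policies/site-b-waf"}}],
  "urlPathMaps": [{"name": "map1", "pathRules": [
      {"name": "admin", "firewallPolicy": {"id": "/constructed/policies/admin-waf"}}]}]},
 {"name": "appgw-plain", "webApplicationFirewallConfiguration": null, "firewallPolicy": null}
]""")

def flat(obj):
    """Merge an ARM-style 'properties' wrapper into the object, if one is present."""
    return {**obj, **(obj.get("properties") or {})}

def policy_id(obj):
    """ID of the WAF policy associated with a gateway, listener or path rule, else None."""
    return (obj.get("firewallPolicy") or {}).get("id")

def classify(gateway):
    """Report whether a gateway uses WAF policies, the legacy WAF config, or no WAF."""
    gw = flat(gateway)
    scoped = {}
    for listener in map(flat, gw.get("httpListeners") or []):
        if policy_id(listener):
            scoped["listener/" + listener["name"]] = policy_id(listener)
    for path_map in map(flat, gw.get("urlPathMaps") or []):
        for rule in map(flat, path_map.get("pathRules") or []):
            if policy_id(rule):
                scoped[f"pathrule/{path_map['name']}/{rule['name']}"] = policy_id(rule)
    legacy = (gw.get("webApplicationFirewallConfiguration") or {}).get("enabled", False)
    if policy_id(gw) or scoped:
        mode = "policy"
    elif legacy:
        mode = "legacy-config"  # candidate for migration to a WAF policy
    else:
        mode = "no-waf"
    return {"name": gw["name"], "mode": mode, "gateway_policy": policy_id(gw), "scoped": scoped}

if __name__ == "__main__":
    for gw in SAMPLE:
        print(classify(gw))
```
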


