Tutorial / Cram Notes
Understanding Azure WAF:
Azure WAF is a cloud-based firewall service that filters and monitors HTTP traffic to and from a web application. It operates according to a set of rules that help protect apps against attacks such as SQL injection, cross-site scripting (XSS), and other common threats outlined in the OWASP (Open Web Application Security Project) top 10 vulnerabilities.
Configuring Azure WAF with Azure Application Gateway:
- Create an Application Gateway:
  - Navigate to the Azure portal and create a new Application Gateway resource.
  - Choose the WAF tier which comes with built-in WAF capabilities.
  - Configure the settings, including the subscription, resource group, and the location.
- Define HTTP Settings and Listeners:
  - Configure the backend pools that will point to your web application.
  - Define the HTTP settings for the backend pool.
  - Add listeners for the protocol types (HTTP or HTTPS) and the associated frontend IP configuration. If HTTPS is used, a certificate will be required.
- Configure Rules and Custom Protection Policies:
  - Azure WAF uses predefined rule sets such as the OWASP Core Rule Set.
  - Customize or add new WAF rules to match specific requirements for your web applications.
  - Set the rule action to Deny, Allow, or Log for matched traffic.
- Monitor and Log WAF Activity:
  - Enable logging through Azure Monitor to collect data on WAF’s operation and events.
  - Set up diagnostic logging and send it to a Log Analytics workspace, Event Hub, or a storage account.
Example: Suppose you’re deploying an e-commerce site and want to ensure it’s protected against SQL injection attacks. You’d create an Application Gateway with WAF, configure the backend pool to your web app, set up a listener for HTTPS, and enable the SQL injection rule within the WAF rule set.
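The logging step above, as an added example that is not part of the original notes: a short Python pass over exported firewall records shows which rules fire, from which clients, and on which paths, which is what you review before excluding or tightening a rule. The record shape and field names are assumed from the `ApplicationGatewayFirewallLog` diagnostic schema, and every sample record is constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

FW = "ApplicationGatewayFirewallLog"  # assumed diagnostic log category name

def _fw(ip, uri, rule, action):  # builds one constructed firewall record as a JSON line
    return json.dumps({"category": FW, "properties": {
        "clientIp": ip, "requestUri": uri, "ruleId": rule, "action": action}})

# Constructed sample export (CRS rule IDs); real records carry more fields.
SAMPLE = [
    _fw("203.0.113.7", "/search?q=1%27+OR+1%3D1", "942100", "Matched"),
    _fw("203.0.113.7", "/search?q=1%27+OR+1%3D1", "949110", "Blocked"),
    _fw("198.51.100.10", "/checkout/notes", "942430", "Matched"),
    _fw("198.51.100.22", "/checkout/notes", "942430", "Matched"),
    _fw("192.0.2.5", "/checkout/notes?step=2", "942430", "Matched"),
    '{"category": "ApplicationGatewayAccessLog", "properties": {"clientIP": "192.0.2.5"}}',
    '{"category": "ApplicationGatewayFirewallLog", "prop',  # truncated line
]

def firewall_records(lines):
    """Yield properties of firewall records; skip other categories and bad JSON."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line in the export
        if isinstance(rec, dict) and rec.get("category") == FW:
            yield rec.get("properties") or {}

def summarize(lines):
    """Map ruleId -> hit count, distinct client IPs, distinct URI paths, actions."""
    rules = defaultdict(lambda: {"hits": 0, "clients": set(), "paths": set(), "actions": set()})
    for p in firewall_records(lines):
        r = rules[p.get("ruleId", "unknown")]
        r["hits"] += 1
        r["clients"].add(p.get("clientIp"))
        r["paths"].add(urlsplit(p.get("requestUri", "")).path)  # drop the query string
        r["actions"].add(p.get("action"))
    return dict(rules)

def exclusion_candidates(summary, min_clients=2):
    """Rules hit by several clients on a single path: review as possible false positives."""
    return sorted(rid for rid, r in summary.items()
                  if len(r["paths"]) == 1 and len(r["clients"]) >= min_clients)

if __name__ == "__main__":
    print("review for exclusion:", exclusion_candidates(summarize(SAMPLE)))
```

In the sample, rule 942430 is hit by three different clients on one free-text checkout path, so it is flagged for review, while the SQL injection match and anomaly-score block from a single client on `/search` are not.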
Configuring Azure WAF with Azure Front Door:
- Create an Azure Front Door:
  - In the Azure portal, create a new Front Door resource.
  - Include a frontend host, backend pool, and routing rules in the setup.
- Enable WAF on Azure Front Door:
  - Create a new WAF policy and associate it with Azure Front Door.
  - Select the WAF policy mode as Prevention or Detection.
  - Choose the appropriate WAF rule set based on the level of protection required.
- Customize WAF Rules and Managed Rulesets:
  - Customize the rules and managed rulesets to target specific types of web vulnerabilities.
  - Adjust rules to block, redirect, or allow traffic based on defined match conditions and actions.
- Logging and Monitoring:
  - Enable monitoring through Azure Metrics and Azure Monitor.
  - Configure logs to capture detailed WAF data and analytics, which can be sent to Azure Monitor Logs or a log management service of your choice.
Example: For a globally distributed web application, you may leverage Azure Front Door with integrated WAF policies. Upon setting up, you enable bot protection and rate limiting to prevent DDoS attacks while logging all threat detections for review and compliance.
Comparison Between WAF on Application Gateway and Front Door:
Feature | Application Gateway WAF | Front Door WAF |
---|---|---|
Traffic Routing | Regional | Global |
OWASP Rule Set | Yes | Yes |
Custom Rules | Yes | Yes |
Managed Rules | Yes | Yes |
Protection Scenarios | Standard Web App Attacks | Same + DDoS |
Scaling | Autoscaling | Built-in Autoscaling |
TLS Termination | Frontend IP | Frontend Host |
Session Affinity | Supported | Supported |
Integrated CDN | No | Yes |
Protecting Your Web Applications:
Whether you choose Application Gateway or Front Door for your WAF, the steps to set up protection for web apps are quite similar. Both solutions offer robust security features and the flexibility to define custom rules that match your organization’s needs. Integrated logging and monitoring capabilities ensure that any potential threats or anomalies are noted, enabling swift response and mitigation measures.
Practice Test with Explanation
(Single Select) Which service in Azure provides a Web Application Firewall (WAF) feature?
- A) Azure Firewall
- B) Azure Application Gateway
- C) Azure Bastion
- D) Azure Front Door
Answer: B) Azure Application Gateway
Explanation: Azure Application Gateway provides the Web Application Firewall (WAF) feature that protects web applications from common vulnerabilities and exploits.
(True/False) Azure WAF can only be configured on the Application Gateway, not on Azure Front Door or Azure Content Delivery Network (CDN).
- True
- False
Answer: False
Explanation: Azure WAF can be configured on Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to provide centralized protection of your web applications from common exploits and vulnerabilities.
(Multiple Select) Which of the following are true about Azure WAF custom rules?
- A) They allow you to create rules based on geographical location.
- B) They use a fixed set of rules provided by Microsoft.
- C) They can be used to block or allow specific IP addresses.
- D) They are only available for Azure Application Gateway.
Answer: A) They allow you to create rules based on geographical location. C) They can be used to block or allow specific IP addresses.
Explanation: Custom rules in Azure WAF provide the ability to create tailored rules to block or allow traffic based on certain conditions, such as geographic location or specific IP addresses. The set of rules is not fixed and it’s not exclusive to Azure Application Gateway.
(Single Select) The Azure WAF provides protection against which common security threat?
- A) Phishing Attacks
- B) DDoS Attacks
- C) SQL Injection
- D) Insider Threats
Answer: C) SQL Injection
Explanation: Azure WAF provides rule sets that are designed to protect web applications from common threats such as SQL injection, cross-site scripting (XSS), and other web vulnerabilities.
(True/False) Azure WAF on Azure Front Door supports only managed rule sets and does not support custom rules.
- True
- False
Answer: False
Explanation: Azure WAF on Azure Front Door supports both managed rule sets provided by Microsoft and custom rules defined by the user.
(Multiple Select) What does Azure WAF’s Managed Rule Sets provide?
- A) Regular updates and patches.
- B) Pre-configured settings for protection against common threats.
- C) Automatic blocking of all incoming traffic.
- D) Specific rules for applications running on Linux-based systems.
Answer: A) Regular updates and patches. B) Pre-configured settings for protection against common threats.
Explanation: Managed Rule Sets in Azure WAF provide regularly updated and pre-configured rules to address common threats such as SQL injection, cross-site scripting, and other vulnerabilities.
(Single Select) Which Azure service must you configure to implement WAF with end-to-end SSL encryption?
- A) Azure VPN Gateway
- B) Azure ExpressRoute
- C) Azure Application Gateway
- D) Azure Traffic Manager
Answer: C) Azure Application Gateway
Explanation: Azure Application Gateway supports Web Application Firewall (WAF) and can be configured with end-to-end SSL encryption to secure web applications.
(True/False) Azure WAF supports only stateless inspection of traffic.
- True
- False
Answer: False
Explanation: Azure WAF performs stateful inspection of traffic, allowing it to understand and track the state of network connections traversing it.
(Single Select) The Web Application Firewall on Azure Application Gateway uses which rule set by default?
- A) Core Rule Set (CRS) 1
- B) CRS 9
- C) CRS 0
- D) AWS WAF Rule Set
Answer: A) Core Rule Set (CRS) 1
Explanation: Azure Application Gateway WAF uses the OWASP ModSecurity Core Rule Set (CRS) 1 by default to provide protection against common web vulnerabilities.
(Multiple Select) Which of the following actions can you perform with an Azure WAF policy?
- A) Set custom rules.
- B) Define managed rules.
- C) Specify storage account for logs.
- D) Enable just-in-time (JIT) VM access.
Answer: A) Set custom rules. B) Define managed rules. C) Specify storage account for logs.
Explanation: With an Azure WAF policy, you can set custom rules, define managed rules, and specify a storage account for logs. JIT VM access is a feature of Azure Security Center and not directly related to Azure WAF.
(True/False) Azure WAF can inspect HTTPS traffic without the need for SSL termination.
- True
- False
Answer: False
Explanation: For Azure WAF to inspect HTTPS traffic, SSL termination must occur so that the WAF can inspect the unencrypted traffic. This process is often referred to as SSL offloading.
(Single Select) Which of the following features allows Azure WAF to block a new attack for one site and then protect all other sites?
- A) Custom rules
- B) Managed rules
- C) Threat intelligence
- D) Integrated vulnerability scanning
Answer: C) Threat intelligence
Explanation: Threat intelligence allows Azure WAF to learn from attacks on any site it protects and then use this to update its threat intelligence data and thereby provide protection across all sites it covers. Custom rules and managed rules are predefined or user-defined sets of rules; integrated vulnerability scanning is not a feature of Azure WAF.
Interview Questions
What is Web Application Firewall (WAF)?
A Web Application Firewall (WAF) is a security feature that is designed to protect web applications from attacks.
What is Azure Application Gateway?
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.
What is Azure Front Door?
Azure Front Door is a global, scalable entry point for web applications.
What is the difference between Azure Application Gateway and Azure Front Door?
Azure Application Gateway is designed for web application load balancing and security, while Azure Front Door is designed for global HTTP load balancing and delivery.
What is the purpose of Web Application Firewall (WAF)?
The purpose of a WAF is to protect web applications from attacks by filtering and monitoring web traffic.
What are the types of WAF rules?
There are three types of WAF rules: rule sets, custom rules, and managed rules.
What is a rule set in WAF?
A rule set is a predefined set of rules that is designed to protect web applications from known attack patterns.
What are custom rules in WAF?
Custom rules are user-defined rules that enable you to specify which requests are allowed and which are blocked.
What are managed rules in WAF?
Managed rules are preconfigured rules that are designed to protect web applications from common attack patterns.
What is the WAF policy in Azure Application Gateway?
The WAF policy in Azure Application Gateway is a collection of WAF rules and rule groups that can be applied to the gateway.
How do you enable the WAF policy in Azure Application Gateway?
You can enable the WAF policy in Azure Application Gateway by creating a new WAF policy or selecting an existing policy.
What is the OWASP Core Rule Set (CRS)?
The OWASP Core Rule Set (CRS) is a set of rules that are designed to protect web applications from known attack patterns.
What is the purpose of the WAF diagnostics logs?
The purpose of the WAF diagnostics logs is to provide information about the requests that are blocked or allowed by the WAF.
How do you view the WAF diagnostics logs?
You can view the WAF diagnostics logs in the Azure portal or by using Azure Monitor.
What are the benefits of using WAF with Azure Application Gateway?
The benefits of using WAF with Azure Application Gateway include protecting web applications from attacks, blocking malicious traffic, and providing visibility into web application traffic.
Great post on creating and configuring a Web Application Firewall for the AZ-500 exam!
Does anyone know if Azure WAF integrates with Azure Sentinel?
I followed the steps but keep getting an error when trying to deploy the WAF in my Azure environment.
Is there any way to automate the rule updates in WAF?
Appreciate the insights!
How does Azure WAF compare to AWS WAF in terms of features?
This was very helpful for my AZ-500 preparation. Thanks!
Does anyone have experience with custom rules in Azure WAF?