Azure Web Application Firewall Rule Logic Processing
Life is short, break the rules - some quote from someone
While reading through the Azure Web Application Firewall documentation and asking questions of different communities and teams to learn some more specifics, I had a few questions about rule logic order. I wanted to take a quick opportunity to visualize how the rule processing order works and to incorporate a few learnings along the way to reinforce these concepts.
The following deck can be downloaded here:
Note that you create a Web Application Firewall (WAF) policy as an Azure resource and then attach it to Azure Front Door, Azure Application Gateway, or Azure CDN. There is a slide for each WAF policy type, based on which Azure web networking service it is attached to, covering some particular nuances in how the rules and the policy behave on each service.
In researching each type, these differences are worth knowing and documenting, because a one-size-fits-all approach will not work across Azure Front Door, Azure Application Gateway, and Azure CDN.
As an example, in the latter case the WAF for Azure CDN has no bot protection managed rule set at all, whereas the WAF for Front Door and Application Gateway does.
In another example, custom rule priorities in an Application Gateway WAF policy are capped at 100 (each rule needs a unique priority, and the lowest number is evaluated first), which is why the practice is to set priorities in increments of 10 rather than 100: you stay within the limit and still leave room to insert rules between existing ones.
In a final example of the differences: you can create a single geo-blocking custom rule that includes more than 10 countries to block by deploying the WAF policy for Azure Application Gateway via an ARM template, whereas the Azure Portal stops you with an error message when you try to add that many countries to a custom rule, due to a UI limitation.
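To make the Application Gateway priority cap and the custom-rule processing order concrete, here is a small added example (not from the original post or from Microsoft) that models how the custom rules in a WAF policy are walked: lowest priority number first, match values within one condition OR'd together, conditions within one rule AND'd, and the first rule with a terminal action (Allow or Block) decides the request, while a Log action records the hit and continues. The policy fragment, the IP-to-country table and the sample requests are all constructed for the example; real GeoMatch uses Azure's own geo database, and the ARM property name `negationConditon` is the spelling the Application Gateway WAF schema actually uses. The validator checks the two constraints the post calls out for Application Gateway: priorities must be unique and may not exceed 100, and the geo-block rule carries more than 10 country codes, which is fine in a template.

```python
"""Model of Application Gateway WAF custom-rule evaluation order (added example)."""
import ipaddress

AGW_MAX_CUSTOM_RULE_PRIORITY = 100  # Application Gateway WAF: custom rule priority must be 1..100

# Constructed stand-in for the WAF's geo database (the real GeoMatch uses Azure's IP-to-country data).
FAKE_GEO_DB = {
    "198.51.100.0/24": "RU",
    "203.0.113.0/24": "RU",   # deliberately "RU" so the Allow rule below shows that priority order matters
    "192.0.2.0/24": "US",
}

# 12 country codes: more than the portal lets you add to one rule, but fine in an ARM template.
GEO_BLOCK_LIST = ["RU", "CN", "KP", "IR", "SY", "BY", "VE", "CU", "SD", "ZW", "MM", "AF"]

# Constructed ARM-style WAF policy fragment; priorities spaced in 10s to leave room for later inserts.
WAF_POLICY = {
    "properties": {
        "policySettings": {"mode": "Prevention", "state": "Enabled"},
        "customRules": [
            {"name": "AllowOfficeRange", "priority": 10, "ruleType": "MatchRule", "action": "Allow",
             "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
                                  "operator": "IPMatch", "negationConditon": False,
                                  "matchValues": ["203.0.113.0/24"]}]},
            {"name": "GeoBlock", "priority": 20, "ruleType": "MatchRule", "action": "Block",
             "matchConditions": [{"matchVariables": [{"variableName": "RemoteAddr"}],
                                  "operator": "GeoMatch", "negationConditon": False,
                                  "matchValues": GEO_BLOCK_LIST}]},
            {"name": "BlockScannerUA", "priority": 30, "ruleType": "MatchRule", "action": "Block",
             "matchConditions": [{"matchVariables": [{"variableName": "RequestHeaders",
                                                      "selector": "User-Agent"}],
                                  "operator": "Contains", "negationConditon": False,
                                  "matchValues": ["sqlmap", "nikto"]}]},
        ],
    }
}


def validate_agw_custom_rules(policy):
    """Return a list of problems with the custom rule priorities (empty list means OK)."""
    problems, seen = [], set()
    for rule in policy["properties"]["customRules"]:
        prio = rule["priority"]
        if not 1 <= prio <= AGW_MAX_CUSTOM_RULE_PRIORITY:
            problems.append(f"{rule['name']}: priority {prio} outside 1..{AGW_MAX_CUSTOM_RULE_PRIORITY}")
        if prio in seen:
            problems.append(f"{rule['name']}: duplicate priority {prio}")
        seen.add(prio)
    return problems


def country_of(ip):
    """Look the address up in the constructed geo table; 'ZZ' for unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in FAKE_GEO_DB.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "ZZ"


def condition_matches(cond, request):
    """One match condition: the match values are OR'd, then the negation flag is applied."""
    var, op, values = cond["matchVariables"][0], cond["operator"], cond["matchValues"]
    if var["variableName"] == "RemoteAddr" and op == "IPMatch":
        addr = ipaddress.ip_address(request["remote_addr"])
        hit = any(addr in ipaddress.ip_network(v) for v in values)
    elif var["variableName"] == "RemoteAddr" and op == "GeoMatch":
        hit = country_of(request["remote_addr"]) in values
    elif var["variableName"] == "RequestHeaders" and op == "Contains":
        header = request["headers"].get(var["selector"], "")
        hit = any(v.lower() in header.lower() for v in values)
    else:
        raise NotImplementedError(f"{var['variableName']}/{op} is not modelled here")
    return hit != cond.get("negationConditon", False)


def first_matching_rule(policy, request):
    """Walk custom rules lowest priority first; conditions in a rule are AND'd.

    Returns (rule name, action) for the first Allow/Block hit, or None when no custom rule
    decides the request and it would continue on to the managed rule set. Log hits do not stop
    evaluation; they are collected in request["logged"].
    """
    request.setdefault("logged", [])
    for rule in sorted(policy["properties"]["customRules"], key=lambda r: r["priority"]):
        if all(condition_matches(c, request) for c in rule["matchConditions"]):
            if rule["action"] == "Log":
                request["logged"].append(rule["name"])
                continue
            return rule["name"], rule["action"]
    return None


if __name__ == "__main__":
    print("policy problems:", validate_agw_custom_rules(WAF_POLICY))
    for req in [{"remote_addr": "203.0.113.5", "headers": {"User-Agent": "Mozilla/5.0"}},
                {"remote_addr": "198.51.100.7", "headers": {"User-Agent": "Mozilla/5.0"}},
                {"remote_addr": "192.0.2.9", "headers": {"User-Agent": "sqlmap/1.6"}},
                {"remote_addr": "192.0.2.9", "headers": {"User-Agent": "Mozilla/5.0"}}]:
        print(req["remote_addr"], req["headers"]["User-Agent"], "->", first_matching_rule(WAF_POLICY, req))
```

The first sample request comes from an address the constructed geo table maps to a blocked country, yet it is allowed: the Allow rule at priority 10 is reached before the GeoBlock rule at priority 20. That is exactly the ordering point the slides make, and it is why priority spacing matters when you later need to slot a rule in front of an existing one.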
I will also be working on a YouTube video for my channel in the coming days, exploring each WAF policy and some more of the nuanced tips and tricks I learned along the way.
Be sure to subscribe to be alerted when the video is available.