Web Application Firewall (WAF)
A Web Application Firewall (WAF) is a critical security feature offered by Microsoft Azure that provides centralized protection for web applications against common exploits, vulnerabilities, and attacks. Azure WAF is primarily integrated with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) services. WAF protects web applications from well-known threats such as SQL injection, cross-site scripting (XSS), and other OWASP (Open Web Application Security Project) Top 10 vulnerabilities without modifying application code. It acts as a barrier between the internet and web applications, inspecting incoming HTTP/HTTPS traffic and filtering out malicious requests before they reach the application.
Key features of Azure WAF include:
1. **Centralized Protection**: WAF provides a single point of management to protect all web applications, simplifying security administration and reducing the need for application-level security modifications.
2. **Managed Rule Sets**: Azure WAF offers pre-configured, Microsoft-managed rule sets based on OWASP core rule sets that are regularly updated to protect against new vulnerabilities and attack vectors.
3. **Custom Rules**: Administrators can create custom rules to address specific security needs, allowing filtering based on IP addresses, geographic locations, HTTP parameters, and request sizes.
4. **Bot Protection**: WAF includes bot mitigation capabilities to distinguish between good bots (like search engine crawlers) and malicious bots.
5. **Real-time Monitoring**: WAF integrates with Azure Monitor and provides detailed logs and analytics for monitoring attacks and traffic patterns.
6. **Modes of Operation**: WAF can operate in Detection mode (logging threats without blocking) or Prevention mode (actively blocking malicious traffic).
By deploying Azure WAF, organizations benefit from improved security posture, compliance adherence, and reduced risk of data breaches. It eliminates the need for individual application-level security solutions, providing a scalable and cost-effective approach to web application security within the Microsoft Azure ecosystem.
Web Application Firewall (WAF) – Complete Guide for SC-900
Introduction
Web Application Firewall (WAF) is a critical component of Microsoft's security solutions and a key topic in the SC-900: Microsoft Security, Compliance, and Identity Fundamentals exam. Understanding WAF helps you grasp how organizations protect their web-facing applications from common exploits and vulnerabilities.
Why is Web Application Firewall (WAF) Important?
Web applications are among the most targeted assets in any organization. Attackers frequently exploit vulnerabilities such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats to compromise data, steal credentials, or disrupt services. A WAF is important because:
• It provides centralized protection for web applications without requiring changes to application code.
• It defends against common web exploits that traditional firewalls and network security devices cannot detect.
• It helps organizations meet compliance requirements (such as PCI DSS) that mandate protection of web-facing applications.
• It reduces the attack surface by filtering and monitoring HTTP/HTTPS traffic between the internet and web applications.
• It provides real-time visibility into attack patterns and malicious traffic targeting your applications.
What is a Web Application Firewall (WAF)?
A Web Application Firewall (WAF) is a security solution that monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application. Unlike traditional firewalls that operate at the network and transport layers (Layers 3 and 4), a WAF operates at the application layer (Layer 7) of the OSI model.
In the Microsoft ecosystem, WAF is available through Azure Web Application Firewall, which can be deployed with:
• Azure Application Gateway – A regional WAF deployment that protects web applications within a specific Azure region.
• Azure Front Door – A global WAF deployment that provides edge-level protection for web applications distributed across multiple regions.
• Azure CDN (Content Delivery Network) – WAF policies can also be associated with Azure CDN profiles for content protection.
Azure WAF provides preconfigured, managed rule sets based on OWASP Core Rule Set (CRS), which protect against the most common web vulnerabilities without requiring manual rule configuration.
How Does Web Application Firewall (WAF) Work?
WAF works by inspecting incoming and outgoing HTTP/HTTPS requests and responses against a set of security rules. Here is how the process works:
1. Traffic Inspection:
When a user sends an HTTP/HTTPS request to a web application, the WAF intercepts the request before it reaches the application server. The WAF inspects the request headers, query strings, request body, cookies, and URL parameters.
2. Rule Evaluation:
The WAF evaluates the request against configured rule sets. Azure WAF uses:
• OWASP Core Rule Sets (CRS) – Managed rules that protect against SQL injection, XSS, local file inclusion, command injection, and other common threats.
• Custom rules – Administrator-defined rules based on IP addresses, geolocation, request size, string matches, or rate limiting.
• Bot protection rules – Rules that identify and block malicious bots while allowing legitimate bots (such as search engine crawlers).
3. Action Taken:
Based on the rule evaluation, the WAF takes one of the following actions:
• Allow – The request is forwarded to the web application.
• Block – The request is denied, and a customizable error response is returned to the client.
• Log – The request is logged for monitoring and analysis but still forwarded to the application.
• Redirect – The request is redirected to a specified URL.
4. WAF Modes:
Azure WAF operates in two modes:
• Detection mode – The WAF monitors and logs all threat detections but does not block any requests. This is useful for initial tuning and testing.
• Prevention mode – The WAF actively blocks requests that match configured rules. This is the recommended mode for production environments.
5. Logging and Monitoring:
WAF integrates with Azure Monitor, Azure Log Analytics, and Microsoft Sentinel to provide detailed logs and alerts. Administrators can review:
• Which rules were triggered
• Source IP addresses of attacks
• Types of attacks detected
• Request and response details
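The five steps above can be followed end to end in a small model of the pipeline. The following is an added example written for this guide, not Azure's own code or the real CRS: it inspects a request (with the URI decoded so encoding cannot hide a payload), evaluates custom rules in priority order where the first match decides and an Allow short-circuits the rest, then applies managed-style signature rules with CRS-like anomaly scoring, and lets the policy mode decide whether a Block or Redirect is enforced or only logged. Rule names, weights, the threshold, the placeholder country code "ZZ" and the sample IP addresses are all constructed for illustration.

```python
"""Toy model of the WAF pipeline: custom rules, managed rules, mode, log.
Added example, not Azure code; rule IDs and weights are constructed."""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import unquote


@dataclass
class Request:
    client_ip: str
    country: str
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class CustomRule:
    name: str
    priority: int                       # lower number is evaluated first
    action: str                         # Allow | Block | Log | Redirect
    match: Callable[[Request], bool]
    redirect: Optional[str] = None
    rate_limit: Optional[tuple] = None  # (max requests, window seconds) per client IP


def _fields(req: Request):
    """Everything the WAF inspects; the URI is decoded before matching."""
    return [unquote(req.uri), req.body, *req.headers.values()]


SQLI = re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s+1\s*=\s*1|--\s*$")
XSS = re.compile(r"(?i)<script\b|javascript:|\bonerror\s*=")
LFI = re.compile(r"\.\./|/etc/passwd")

# (rule id, predicate, anomaly weight): constructed, CRS-style severities
MANAGED_RULES = [
    ("SQLI-1", lambda r: any(SQLI.search(f) for f in _fields(r)), 5),
    ("XSS-1", lambda r: any(XSS.search(f) for f in _fields(r)), 5),
    ("LFI-1", lambda r: any(LFI.search(f) for f in _fields(r)), 5),
    ("PROTO-1", lambda r: "User-Agent" not in r.headers, 2),
]
ANOMALY_THRESHOLD = 5  # summed weight at which the managed rules block


class WafPolicy:
    def __init__(self, mode="Prevention", custom_rules=()):
        self.mode = mode  # "Prevention" or "Detection"
        self.custom_rules = sorted(custom_rules, key=lambda r: r.priority)
        self._hits = defaultdict(deque)  # (rule, ip) -> timestamps inside the window
        self.log = []

    def _over_limit(self, rule, req, now):
        limit, window = rule.rate_limit
        hits = self._hits[(rule.name, req.client_ip)]
        while hits and now - hits[0] > window:
            hits.popleft()
        hits.append(now)
        return len(hits) > limit

    def _decide(self, action, req, matched, redirect=None):
        effective = action
        if self.mode == "Detection" and action in ("Block", "Redirect"):
            effective = "Log"  # Detection mode observes, never enforces
        if matched:  # only rule hits produce a log record
            self.log.append({"clientIp": req.client_ip, "requestUri": req.uri,
                             "rules": matched, "action": effective, "redirect": redirect})
        return effective

    def evaluate(self, req, now=None):
        now = time.monotonic() if now is None else now
        # 1. custom rules by priority; the first rule that fires decides
        for rule in self.custom_rules:
            if not rule.match(req):
                continue
            if rule.rate_limit and not self._over_limit(rule, req, now):
                continue  # still under the limit: the rule does not fire
            return self._decide(rule.action, req, [rule.name], rule.redirect)
        # 2. managed rules: every match adds to the anomaly score
        matched, score = [], 0
        for rule_id, hit, weight in MANAGED_RULES:
            if hit(req):
                matched.append(rule_id)
                score += weight
        return self._decide("Block" if score >= ANOMALY_THRESHOLD else "Allow", req, matched)


def example_policy(mode="Prevention"):
    """A policy with one custom rule per action type (all values constructed)."""
    return WafPolicy(mode, [
        CustomRule("AllowTrustedScanner", 5, "Allow", lambda r: r.client_ip == "10.0.0.5"),
        CustomRule("BlockGeo", 10, "Block", lambda r: r.country == "ZZ"),
        CustomRule("RedirectLegacy", 15, "Redirect", lambda r: r.uri.startswith("/old/"),
                   redirect="https://app.example/new/"),
        CustomRule("RateLimitLogin", 20, "Block", lambda r: r.uri.startswith("/login"),
                   rate_limit=(3, 60)),
    ])


if __name__ == "__main__":
    waf = example_policy()
    ua = {"User-Agent": "Mozilla/5.0", "Host": "app.example"}
    print(waf.evaluate(Request("203.0.113.7", "US", "GET", "/search?q=1'%20OR%201=1", ua)))
    for entry in waf.log:
        print(entry)
```

Two behaviours worth noticing when you run it: a request from the trusted scanner carrying an XSS payload is allowed and logged, because the Allow custom rule stops evaluation before the managed rules run, and the same SQL injection request returns "Block" under a Prevention policy but "Log" under a Detection policy, which is exactly the difference the exam tests.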
Key Features of Azure WAF
• Centralized protection – Protect all web applications behind the WAF without modifying application code.
• OWASP protection – Out-of-the-box protection against OWASP Top 10 vulnerabilities.
• Custom rules – Create rules tailored to specific application needs, including geo-filtering and rate limiting.
• Bot protection – Managed bot protection rule set to distinguish good bots from bad bots.
• DDoS integration – Works alongside Azure DDoS Protection for comprehensive defense.
• Per-site and per-URI policies – Apply different WAF policies to different sites or URIs behind the same Application Gateway.
• IP reputation and geo-filtering – Block or allow traffic based on source IP address or geographic location.
WAF vs. Traditional Firewall vs. Azure Firewall
It is important to understand the differences:
• Traditional Firewall / Azure Firewall – Operates at Layers 3 and 4 (network and transport layers). Filters traffic based on IP addresses, ports, and protocols. It does not inspect HTTP/HTTPS content.
• Web Application Firewall (WAF) – Operates at Layer 7 (application layer). Inspects HTTP/HTTPS content, including headers, URLs, cookies, and request bodies. Specifically designed to protect web applications from application-layer attacks.
For the SC-900 exam, remember: Azure Firewall protects the network, while WAF protects web applications.
Common Threats WAF Protects Against
• SQL Injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Local File Inclusion (LFI) and Remote File Inclusion (RFI)
• Command Injection
• HTTP Protocol Violations
• HTTP Request Smuggling
• Session Fixation
• Scanner and crawler detection
• Malicious bot activity
Exam Tips: Answering Questions on Web Application Firewall (WAF)
Here are essential tips to help you correctly answer SC-900 exam questions related to WAF:
Tip 1: Know the Layer
WAF operates at Layer 7 (Application Layer). If a question asks about protecting web applications at the application layer, WAF is the answer. If the question is about network-level protection (IP/port filtering), think Azure Firewall or NSGs instead.
Tip 2: Know the Deployment Options
Remember that Azure WAF can be deployed with Azure Application Gateway (regional) and Azure Front Door (global). If a question mentions global edge protection for web apps, think Azure Front Door with WAF. If it mentions regional protection, think Application Gateway with WAF.
Tip 3: Understand the Two Modes
Detection mode = monitor and log only. Prevention mode = actively block threats. Exam questions may test whether you know the difference between these two modes.
Tip 4: OWASP Is Key
If a question mentions protection against OWASP Top 10 threats (SQL injection, XSS, etc.), WAF is the correct answer. Azure WAF uses OWASP Core Rule Sets (CRS) as managed rules.
Tip 5: Distinguish WAF from DDoS Protection
WAF protects against application-layer attacks targeting web applications. Azure DDoS Protection protects against volumetric network-layer attacks. They complement each other but serve different purposes. If a question mentions protecting against SQL injection or XSS, choose WAF. If it mentions protecting against volumetric floods, choose DDoS Protection.
Tip 6: Centralized Protection Without Code Changes
A key benefit of WAF is that it provides centralized protection without requiring changes to the application code. This is a commonly tested concept.
Tip 7: Custom Rules and Bot Protection
Know that Azure WAF supports custom rules (geo-filtering, rate limiting, IP restrictions) and bot protection managed rule sets. If a question asks about blocking traffic from specific countries or rate limiting requests, custom WAF rules are the answer.
Tip 8: Integration with Monitoring
Azure WAF integrates with Azure Monitor and Log Analytics for logging and diagnostics. If a question asks how to monitor WAF activity, these are the correct tools.
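What "monitor WAF activity" looks like in practice is reading the diagnostic log that Azure Monitor collects. The following is an added example written for this guide, not Azure's own schema or tooling: the sample records are constructed to resemble the shape of Application Gateway WAF log entries (JSON with a `properties` object holding `clientIp`, `requestUri`, `ruleId`, `action`, `message` and a `transactionId`); those field names, the IP addresses and the URIs are assumptions, so adapt them to your own export. The triage answers the questions listed under "Logging and Monitoring" above (which rules fired, from which sources, what kind of attack), and adds the two numbers an administrator wants while tuning in Detection mode: how many requests Prevention mode would have blocked, and which rule/URI pairs fire from many different clients and therefore deserve a look for false positives.

```python
"""Triage of WAF diagnostic log lines. Added example; the records are
constructed to mimic the shape of Azure WAF log entries, not real exports."""
import json
from collections import Counter, defaultdict
from pprint import pprint

# CRS "Inbound Anomaly Score Exceeded": the rule that records the actual block decision
ANOMALY_RULE = "949110"

# Constructed sample. It mixes Blocked (Prevention mode) and Detected (Detection mode)
# records, one access-log record and one malformed line to show the filtering.
SAMPLE_LOG = r"""
{"category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"t1","clientIp":"203.0.113.7","requestUri":"/search?q=1'%20OR%201=1","ruleId":"942100","action":"Blocked","message":"SQL Injection Attack Detected via libinjection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"t1","clientIp":"203.0.113.7","requestUri":"/search?q=1'%20OR%201=1","ruleId":"949110","action":"Blocked","message":"Inbound Anomaly Score Exceeded"}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIp":"203.0.113.7","requestUri":"/search","httpStatus":403}}
{"category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"t2","clientIp":"198.51.100.9","requestUri":"/?p=<script>","ruleId":"941100","action":"Blocked","message":"XSS Attack Detected via libinjection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"t2","clientIp":"198.51.100.9","requestUri":"/?p=<script>","ruleId":"949110","action":"Blocked","message":"Inbound Anomaly Score Exceeded"}}
this line is not JSON and must be skipped
{"category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"t3","clientIp":"192.0.2.10","requestUri":"/api/report","ruleId":"942430","action":"Detected","message":"Restricted SQL Character Anomaly Detection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"t4","clientIp":"192.0.2.11","requestUri":"/api/report","ruleId":"942430","action":"Detected","message":"Restricted SQL Character Anomaly Detection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"t5","clientIp":"192.0.2.12","requestUri":"/api/report","ruleId":"942430","action":"Detected","message":"Restricted SQL Character Anomaly Detection"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"t6","clientIp":"192.0.2.13","requestUri":"/download?file=../../etc/passwd","ruleId":"930100","action":"Detected","message":"Path Traversal Attack (/../)"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"transactionId":"t6","clientIp":"192.0.2.13","requestUri":"/download?file=../../etc/passwd","ruleId":"949110","action":"Detected","message":"Inbound Anomaly Score Exceeded"}}
"""


def parse_waf_log(text):
    """Return the properties of well-formed WAF records; skip other categories and junk."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        records.append(rec["properties"])
    return records


def triage(records, min_ips_for_tuning=3):
    """Summarise actions, sources, blocked requests, Detection-mode impact and tuning candidates."""
    by_action = Counter(r["action"] for r in records)
    sources = Counter(r["clientIp"] for r in records)
    blocked_txn = {r["transactionId"] for r in records if r["action"] == "Blocked"}
    # In Detection mode nothing is blocked; the anomaly-score rule firing shows what
    # Prevention mode would have stopped, the number to review before switching modes.
    would_block = {r["transactionId"] for r in records
                   if r["action"] == "Detected" and r["ruleId"] == ANOMALY_RULE}
    # One rule firing on one URI from many distinct clients is a false-positive smell.
    ips_by_rule_uri = defaultdict(set)
    for r in records:
        if r["ruleId"] != ANOMALY_RULE:
            ips_by_rule_uri[(r["ruleId"], r["requestUri"])].add(r["clientIp"])
    tuning = sorted((rule, uri, len(ips)) for (rule, uri), ips in ips_by_rule_uri.items()
                    if len(ips) >= min_ips_for_tuning)
    return {
        "by_action": dict(by_action),
        "top_sources": sources.most_common(3),
        "blocked_requests": len(blocked_txn),
        "would_block_in_prevention": len(would_block),
        "tuning_candidates": tuning,
    }


if __name__ == "__main__":
    pprint(triage(parse_waf_log(SAMPLE_LOG)))
```

On the sample, the three /api/report hits of rule 942430 from three different clients show up as a tuning candidate while the path-traversal transaction is the only one Prevention mode would have blocked, which is the kind of split you want to see before flipping a policy from Detection to Prevention.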
Tip 9: Watch for Distractor Answers
Common distractor answers in exam questions include Azure Firewall, NSGs (Network Security Groups), and Microsoft Defender for Cloud. Remember:
• Azure Firewall = Network layer protection (Layers 3/4)
• NSGs = Network traffic filtering at the subnet or NIC level
• WAF = Application layer protection (Layer 7) specifically for web applications
• Microsoft Defender for Cloud = Security posture management and threat protection, but not a firewall
Tip 10: Scenario-Based Questions
For scenario questions, look for keywords like web application, HTTP/HTTPS traffic, SQL injection, cross-site scripting, OWASP, or application layer protection. These keywords strongly indicate that WAF is the correct answer.
Summary
Azure Web Application Firewall (WAF) is a Layer 7 security solution that protects web applications from common exploits and vulnerabilities. It can be deployed with Azure Application Gateway (regional) or Azure Front Door (global), uses OWASP Core Rule Sets for managed protection, supports custom rules and bot protection, and operates in either Detection or Prevention mode. For the SC-900 exam, focus on understanding what WAF protects against, how it differs from network firewalls, and where it is deployed within the Azure ecosystem.