Implement Custom Rules in Azure Web Application Firewall(WAF)
Automate Azure WAF creation with TerraForm
4 min readMay 26, 2021
--
Web Application Firewall commonly known as WAF is one of the first lines of defense in protecting your web application from malicious attacks.There are 2 types of rules that are supported by Azure WAF.
- Managed Rules — These rules are managed by Azure and provide a set of pre-defined firewall rules to be implemented on your WAF. These have been identified as common rules to prevent attacks and battle tested by many of experts in the field. These rules include protection for SQL injections, XSS attacks etc. You can choose which rules you need and enable them on your WAF
- Custom Rules — If you are serious about your security, you won’t get satisfied with a set of pre-defined rules, you will need your own rules as well and that’s where custom rules come into play. Custom rules allow the user to define his own rules to protect the application and that’s what we’ll talk about today.
Prerequisites
Please note that you need a valid Azure subscription and resource group created to try this out. If you wanna try and test this out, you’ll need a working Azure FrontDoor as well
Custom Rule Field Explanation
I couldn’t find any documentation on Azure WAF custom rules other than Azure’s official documentation and I found that some details are not very clear on that documentation. So I’m gonna explain the required inputs for creating the rule first.
- Name — Name for your rule(Make sure you use a common naming convention to name your rules. This might come in handy when you are developing analytics or monitoring for these rules. I recommend to start all the custom rules in a single group with a common prefix — You have “startswith” operator in Azure metrics and you can easily define metrics for your group of rules if they start with the same prefix)
- Priority — There can be instances where multiple rules get triggered for a request. Priority defines which rule should be…
