This document discusses web application attack landscapes and how Azure Web Application Firewall (WAF) protects against them. It describes common attacks like DDoS, SQL injection, and bots. It then outlines Azure WAF's key features for protecting public and private web applications, including WAF policies, rules, bot management, and integration with services like Azure Front Door and Application Gateway. The document provides examples of how Azure WAF can be configured to lock down backends and filter traffic. It emphasizes that Azure WAF allows logging, monitoring, and custom rules to secure web applications hosted on Azure.

3. Increasing attack
surfaces

4. Web application
attack landscape
DDoS attacks
Brute force attacks that saturate
network links and resources
Example attacks
TCP Syn Flood, UDP Reflection, Amplification, Http(s) flood
Web application attacks
Exploit web application vulnerabilities
Example attacks
OWASP TOP 10: SQL injection, Cross Site Scripting, OS command
injection, Remote File Inclusion
Malicious bots
Target both infrastructure and web applications
to gain competitive advantage
Example attacks
Content and Price Scrapers, credential stuffing

5. Azure WAF
Azure Global WAF
(Front Door)
Azure Regional WAF
(Application Gateway)
Integrated with Application Gateway, dedicated protection
for both public and private web sites
Incoming requests
Other Cloud On-premises
Azure regions
Valid requests
2
1
1
2

6. Azure WAF Key Features
Incoming requests
logs
monitor
metrics
Azure regions
Azure Global WAF
(Front Door)
Azure Regional WAF
(Application Gateway)
WAF policy
OWASP rules
Bot management
Custom rules

7. Azure WAF Bot
Manager(Preview)

8. Demo






9. WAF protecting public web
sites hosted on Azure App
Service
Use case 1
Lockdown:
IP
Region 1
Azure Global WAF
(Front Door)

10. WAF protecting public web
sites hosted on Azure App
Service
Use case 1
Lockdown backends:
IP
Region 1 Region 2
Azure Global WAF
(Front Door)

11. WAF protecting private
websites in Vnet
Use case 2
Azure Regional WAF
(Application Gateway)
Private
Link
Network
Service Group

12. WAF protecting public and
private access of LOB
 Rate limiting
 Geo filtering
 http parameters filtering
Azure Region
Use case 3
AKS
WAF in region:
 managed rulesets
 deny direct internet access to origin
IP restriction and XFH
rules in region allows
access from AFD only

13. Integration with other
Azure services
Other examples
Azure Global WAF
(Front Door)
Private
Link
2
1

14. WAF choices
https://docs.microsoft.com/en-us/
azure/architecture/guide/technology-
choices/load-balancing-overview

15. Demo
Public
Internet
Web App
(USWest)
https://wafdemofr
ontdoorwebapp.az
urefd.net
https://wafdemow
ebappuswest.azur
ewebsites.net
Azure
WAN

16. userVoice
Key takeaways
https://feedback.azure.com/forums/217313
-networking?category_id=368350

17. Please evaluate this session
Your feedback is important to us!
https://aka.ms/ignite.mobileapp
https://myignite.techcommunity.microsoft.com/evaluations

18. Find this session
in Microsoft Tech
Community