Skip to content

Governance Policies Azure Networking WAF Policy

Joshua Davis edited this page Apr 5, 2026 · 2 revisions

WAF Policy

Governance policies for Waf Policy

Domain: azure-networking

Patterns

Name Description
WAF policy with OWASP 3.2 and bot protection Prevention mode WAF with managed rules, bot protection, and rate limiting

Anti-Patterns

Description Instead
Do not use Detection mode in production Set mode to Prevention to actively block attacks
Do not add broad WAF exclusions without justification Add targeted exclusions for specific rules and request fields with documented false positive evidence

References


Checks (4)

Check Severity Description
AZ-WAF-001 Required Deploy WAF policy in Prevention mode with OWASP 3.2 managed rule set and bot protection
AZ-WAF-002 Required Enable request body inspection and set appropriate size limits
AZ-WAF-003 Recommended Add custom rules for geo-filtering and rate limiting before managed rules
AZ-WAF-004 Recommended Configure WAF exclusions only for verified false positives with documented justification

AZ-WAF-001

Deploy WAF policy in Prevention mode with OWASP 3.2 managed rule set and bot protection

Severity: Required
Rationale: Detection mode only logs attacks; Prevention mode actively blocks them; OWASP 3.2 covers current threat landscape
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Companion Resources

Resource Name Purpose
Microsoft.Insights/diagnosticSettings diag-waf Diagnostic settings for WAF logs to monitor blocked requests and rule matches

AZ-WAF-002

Enable request body inspection and set appropriate size limits

Severity: Required
Rationale: Without body inspection, injection attacks in POST payloads bypass the WAF
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

AZ-WAF-003

Add custom rules for geo-filtering and rate limiting before managed rules

Severity: Recommended
Rationale: Custom rules execute first and can block traffic by geography or rate before managed rule processing
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

AZ-WAF-004

Configure WAF exclusions only for verified false positives with documented justification

Severity: Recommended
Rationale: Overly broad exclusions weaken WAF protection; each exclusion must be validated
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Home

Getting Started

Stages

Interfaces

Configuration

Agent System

Features

Quality

Help

Governance

Policies — Azure

AI Services

Compute

Data Services

Identity

Management

Messaging

Monitoring

Networking

Security

Storage

Web & App

Policies — Well-Architected

Reliability

Security

Cost Optimization

Operational Excellence

Performance Efficiency

Integration

Anti-Patterns
Standards

Application

IaC

Principles

Transforms

Clone this wiki locally