-
Notifications
You must be signed in to change notification settings - Fork 7
Governance Policies Azure Networking WAF Policy
Governance policies for Waf Policy
Domain: azure-networking
| Name | Description |
|---|---|
| WAF policy with OWASP 3.2 and bot protection | Prevention mode WAF with managed rules, bot protection, and rate limiting |
| Description | Instead |
|---|---|
| Do not use Detection mode in production | Set mode to Prevention to actively block attacks |
| Do not add broad WAF exclusions without justification | Add targeted exclusions for specific rules and request fields with documented false positive evidence |
| Check | Severity | Description |
|---|---|---|
| AZ-WAF-001 | Required | Deploy WAF policy in Prevention mode with OWASP 3.2 managed rule set and bot protection |
| AZ-WAF-002 | Required | Enable request body inspection and set appropriate size limits |
| AZ-WAF-003 | Recommended | Add custom rules for geo-filtering and rate limiting before managed rules |
| AZ-WAF-004 | Recommended | Configure WAF exclusions only for verified false positives with documented justification |
Deploy WAF policy in Prevention mode with OWASP 3.2 managed rule set and bot protection
Severity: Required
Rationale: Detection mode only logs attacks; Prevention mode actively blocks them; OWASP 3.2 covers current threat landscape
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-waf | Diagnostic settings for WAF logs to monitor blocked requests and rule matches |
Enable request body inspection and set appropriate size limits
Severity: Required
Rationale: Without body inspection, injection attacks in POST payloads bypass the WAF
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
Add custom rules for geo-filtering and rate limiting before managed rules
Severity: Recommended
Rationale: Custom rules execute first and can block traffic by geography or rate before managed rule processing
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
Configure WAF exclusions only for verified false positives with documented justification
Severity: Recommended
Rationale: Overly broad exclusions weaken WAF protection; each exclusion must be validated
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
Getting Started
Stages
Interfaces
Configuration
Agent System
Features
- Backlog Generation
- Cost Analysis
- Error Analysis
- Docs & Spec Kit
- MCP Integration
- Knowledge System
- Escalation
Quality
Help
Policies — Azure
AI Services
Compute
Data Services
- Azure SQL
- Backup Vault
- Cosmos Db
- Data Factory
- Databricks
- Event Grid
- Event Hubs
- Fabric
- IoT Hub
- Mysql Flexible
- Postgresql Flexible
- Recovery Services
- Redis Cache
- Service Bus
- Stream Analytics
- Synapse Workspace
Identity
Management
Messaging
Monitoring
Networking
- Application Gateway
- Bastion
- CDN
- DDoS Protection
- DNS Zones
- Expressroute
- Firewall
- Load Balancer
- Nat Gateway
- Network Interface
- Private Endpoints
- Public Ip
- Route Tables
- Traffic Manager
- Virtual Network
- Vpn Gateway
- WAF Policy
Security
Storage
Web & App
Policies — Well-Architected
Reliability
Security
Cost Optimization
Operational Excellence
Performance Efficiency
Integration