Application Gateway uses WAF SKU
Security · Application Gateway · Rule · 2020_06 · Critical
Internet accessible Application Gateways should use WAF to protect endpoints.
Description
Application Gateway endpoints can optionally be configured with a Web Application Firewall (WAF) policy. When configured, every incoming request is filtered by the WAF policy.
To use a WAF policy, the Application Gateway must be deployed with a Web Application Firewall SKU.
Recommendation
Consider deploying Application Gateways with a WAF SKU to protect against common attacks.
Examples
Configure with Azure template
To deploy Application Gateways that pass this rule:
- Deploy an Application Gateway with the WAF or WAF_v2 SKU.
For example:
Azure Template snippet
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2020-11-01",
  "name": "appGw-001",
  "location": "[resourceGroup().location]",
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "webApplicationFirewallConfiguration": {
      "enabled": true,
      "firewallMode": "Prevention",
      "ruleSetType": "OWASP",
      "ruleSetVersion": "3.2",
      "disabledRuleGroups": [],
      "requestBodyCheck": true,
      "maxRequestBodySizeInKb": 128,
      "fileUploadLimitInMb": 100
    }
  }
}
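A pre-deployment check for the condition described above, as an added example that is not part of the original page or of the rule's own implementation. It reads an ARM template and reports Application Gateways whose SKU tier is not WAF or WAF_v2; it also flags a WAF SKU whose inline WAF configuration is disabled, which goes beyond what this rule tests. Assumptions: SKU values are literals rather than template expressions, resources are top level, and the function name and the gateways appGw-002 and appGw-003 are constructed for illustration.

```python
import json

APPGW_TYPE = "microsoft.network/applicationgateways"
WAF_TIERS = {"WAF", "WAF_v2"}

# Constructed sample template (resource names are illustrative).
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    { "type": "Microsoft.Network/applicationGateways", "name": "appGw-001",
      "properties": {
        "sku": { "name": "WAF_v2", "tier": "WAF_v2" },
        "webApplicationFirewallConfiguration": { "enabled": true, "firewallMode": "Prevention" } } },
    { "type": "Microsoft.Network/applicationGateways", "name": "appGw-002",
      "properties": { "sku": { "name": "Standard_v2", "tier": "Standard_v2" } } },
    { "type": "Microsoft.Network/applicationGateways", "name": "appGw-003",
      "properties": {
        "sku": { "name": "WAF_v2", "tier": "WAF_v2" },
        "webApplicationFirewallConfiguration": { "enabled": false, "firewallMode": "Prevention" } } }
  ]
}
""")


def find_unprotected_gateways(template):
    """Return {gateway name: reason} for gateways that would not be WAF protected."""
    findings = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != APPGW_TYPE:
            continue
        props = res.get("properties", {})
        tier = props.get("sku", {}).get("tier", "")
        waf = props.get("webApplicationFirewallConfiguration")
        if tier not in WAF_TIERS:
            # The condition this page describes: the SKU must be WAF or WAF_v2.
            findings[res["name"]] = f"SKU tier '{tier}' is not WAF or WAF_v2"
        elif waf is not None and waf.get("enabled") is not True:
            # Extra check (assumption, beyond the rule): inline WAF config switched off.
            findings[res["name"]] = "WAF SKU but inline WAF configuration is disabled"
    return findings


if __name__ == "__main__":
    for name, reason in find_unprotected_gateways(SAMPLE_TEMPLATE).items():
        print(f"FAIL {name}: {reason}")
```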
Configure with Bicep
To deploy Application Gateways that pass this rule:
- Deploy an Application Gateway with the WAF or WAF_v2 SKU.
For example:
Azure Bicep snippet
resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {
  name: 'appGw-001'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    webApplicationFirewallConfiguration: {
      enabled: true
      firewallMode: 'Prevention'
      ruleSetType: 'OWASP'
      ruleSetVersion: '3.2'
    }
  }
}
Configure with Azure CLI
Azure CLI snippet
az network application-gateway update --sku WAF_v2 -n '<name>' -g '<resource_group>'
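Configure with Azure PowerShell
Azure PowerShell snippet
$AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'
$AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' -Tier 'WAF_v2'
# Set-AzApplicationGatewaySku only changes the local object; commit the change to Azure.
Set-AzApplicationGateway -ApplicationGateway $AppGw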
Links
- SE:06 Network controls
- Securing PaaS deployments
- What is Azure Web Application Firewall on Azure Application Gateway?
- Azure deployment reference