Ensure Azure Application Gateway Web application firewall (WAF) is enabled

WAF should be enabled to protect your web applications that are running behind the Application Gateway from common threats and vulnerabilities.

Risk Level: High
Cloud Entity: Azure Application Gateway
CloudGuard Rule ID: D9.AZU.NET.18
Covered by Spectral: Yes
Category: Networking & Content Delivery


ApplicationGateway should have firewall.enabled or regionalWAFPolicy.policySettings.state='Enabled'


From Portal

  1. Navigate to Application gateways
  2. For each Application gateway:
  3. Select Web application firewall from the menu
  4. Make sure that Firewall Status is enabled and that the tier is WAF.
    Note: Choosing the WAF tier allows you to enable a web application firewall for enhanced security on your web applications. Changing from the WAF tier to the standard tier is not supported.
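
The rule logic and the portal check above can also be evaluated offline against exported gateway data. This is an added example, not CloudGuard's own implementation; the JSON field names are assumed to match Azure CLI output, and the sample gateways and policies are constructed.

```python
import json

# Constructed sample input; field names are assumed to follow the JSON from
# `az network application-gateway list` and `... waf-policy list`.
P = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/" \
    "ApplicationGatewayWebApplicationFirewallPolicies/"
GATEWAYS = json.loads("""[
 {"name": "agw-config-on", "sku": {"tier": "WAF_v2"},
  "webApplicationFirewallConfiguration": {"enabled": true}},
 {"name": "agw-policy-on", "sku": {"tier": "WAF_v2"},
  "firewallPolicy": {"id": "%(p)spol-on"}},
 {"name": "agw-policy-off", "sku": {"tier": "WAF_v2"},
  "firewallPolicy": {"id": "%(p)sPOL-OFF"}},
 {"name": "agw-standard", "sku": {"tier": "Standard_v2"},
  "webApplicationFirewallConfiguration": null}
]""" % {"p": P})
POLICIES = json.loads("""[
 {"id": "%(p)spol-on", "policySettings": {"state": "Enabled"}},
 {"id": "%(p)spol-off", "policySettings": {"state": "Disabled"}}
]""" % {"p": P})


def waf_enabled(gateway, policies):
    """Rule: firewall.enabled OR regional WAF policy state == 'Enabled'."""
    config = gateway.get("webApplicationFirewallConfiguration") or {}
    if config.get("enabled") is True:
        return True
    # Azure resource IDs are case-insensitive, so compare them lowercased.
    # A policy missing from the export counts as not enabled (fail closed).
    by_id = {p["id"].lower(): p for p in policies}
    policy_id = ((gateway.get("firewallPolicy") or {}).get("id") or "").lower()
    settings = by_id.get(policy_id, {}).get("policySettings") or {}
    return settings.get("state") == "Enabled"


def audit(gateways, policies):
    """Return {gateway name: finding}, including the tier check from step 4."""
    findings = {}
    for gw in gateways:
        tier = (gw.get("sku") or {}).get("tier") or ""
        if not tier.upper().startswith("WAF"):
            findings[gw["name"]] = "FAIL: tier %s is not WAF" % tier
        elif waf_enabled(gw, policies):
            findings[gw["name"]] = "PASS"
        else:
            findings[gw["name"]] = "FAIL: WAF tier but firewall not enabled"
    return findings
```

A gateway with an attached policy whose state is Disabled is reported as a failure even though it is on the WAF tier, which is the case the portal's tier label alone does not reveal.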

Azure Application Gateway

Azure Application Gateway gives you application-level routing and load balancing services that let you build a scalable and highly available web front end in Azure. You control the size of the gateway and scale your deployment based on your needs.

Compliance Frameworks

  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset