Microsoft Makes Azure Web Application Firewall Generally Available

Microsoft's new Web Application Firewall (WAF) option for its Azure Application Gateway is now out of preview.

Microsoft first announced the centralized WAF service, which is designed to protect Web apps running in the Azure public cloud from common exploits like SQL injection and cross-site scripting attacks, at its Ignite conference last fall.

Preventing layer-7 app-level attacks is difficult, requiring laborious maintenance, patching and monitoring throughout the application tiers, according to Yousef Khalidi, Microsoft corporate vice president for Azure Networking. "A centralized Web application firewall (WAF) protects against Web attacks and simplifies security management without requiring any application changes," Khalidi said in a blog post last week announcing the release of the Azure WAF service. "Application and compliance administrators get better assurance against threats and intrusions."

Microsoft's Azure Application Gateway is the company's application delivery controller (ADC) layer-7 network service, which includes SSL termination, load distribution and URL path-based routing, and can host multiple sites, according to Khalidi. The new ADC service in Azure also offers SSL policy control and end-to-end SSL encryption and logging.

"Web Application Firewall integrated with Application Gateway's core offerings further strengthens the security portfolio and posture of applications protecting them from many of the most common Web vulnerabilities, as identified by Open Web Application Security Project's (OWASP) top 10 vulnerabilities," Khalidi noted. The WAF comes with OWASP ModSecurity Core Rule Set (3.0 or 2.2.9), designed to protect against these common threats, he added.

Besides SQL injection and cross-site scripting, Khalidi noted that WAF protects against command injection, HTTP request smuggling, HTTP response splitting and remote file inclusion attacks. It also addresses HTTP protocol violations, bots, crawlers, scanners and common misconfiguration of application infrastructures, notably in IIS and Apache.

As one would expect from a WAF, Microsoft's new services is designed to fend off denial-of-service attacks occurring simultaneously against multiple Web apps. The Azure Application Gateway can currently host up to 20 sites behind each gateway, all of which can defend against such attacks. The service is offered with the medium and large Azure Application Gateway types, which cost $94 and $333 per month, respectively.

Microsoft said it intends to add the new WAF service through its Azure Security Service, which scans cloud-based subscriptions for vulnerabilities and recommends ways to remediate issues that are discovered. That service currently didn't include protection of Web apps that aren't scanned by a WAF, though it does offer third-party firewalls from Barracuda Networks Inc., Check Point Software Technologies Inc., Cisco, CloudFlare, F5, Fortinet Inc., Imperva Inc. and Trend Micro, among others.

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.


  • Microsoft Invests $1 Billion in Next-Level AI Research

    Research outfit OpenAI and Microsoft have inked a $1 billion deal around artificial general intelligence (AGI), considered the holy grail of AI research.

  • Microsoft Streamlining Office 365 App Activations

    The Office 365 app installation experience should get a little easier for end users starting as early as next month.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.