If you are using Application Gateway, with WAF enabled, this article is for you. We will see how to deploy and use a WAF Policy.

This feature will help you to manage rules, policy and custom rules for an Application Gateway or a specific listener or a route path.

To start, deploy a new WAF Policy, choose the Regional WAF as policy:

WAF Policy

Select the OWASP rule set:

Select the OWASP rule set

Customize Policy settings if you need it:

Customize Policy settings

If you need custom rule, select it here:

Сustom rule

Finally, associate the WAF policy with you App Gateway:

Associate the WAF policy with you App Gateway

It is now associated:


Here, if we modify something is this rule, it will be applied to all listeners on this App Gateway. If you need to do some exceptions, for an OWASP rule, or to allow a specific public IP to access a webpage for example, you can create an additional WAF Policy, and associate it to a specific listener. Let’s do that. I’ll create a new policy, to deny my public ip to access the website starwind.cloudyjourney.fr:

Create s WAF Policy

Let’s associate it with my listener that hosts my website:

Associate it with listener that hosts the website

When the policy is applied and if I navigate to the website, I will have a forbidden message:

Forbidden message

If I change the rule to allow my public ip now, I can browse the URL:

Browse the URL

As you can see, with WAF Policy, you can customize rules for a specific listener (website) without impacting others.

Back to blog