Microsoft Azure Web Application Firewall: Web App Protection for Small Businesses in Berlin
Microsoft Azure Web Application Firewall (WAF) protects web applications hosted on Azure Application Gateway, Azure Front Door, and Azure CDN from common web exploits including SQL injection, cross-site scripting (XSS), remote file inclusion, and the OWASP Top 10 vulnerability categories. For small businesses in Berlin running customer-facing web applications, e-commerce platforms, portals, or APIs in Azure, WAF provides application-layer security that network-layer firewalls and DDoS protection cannot address.
WAF on Application Gateway vs. Azure Front Door
Azure Application Gateway WAF is a regional load balancer with integrated WAF capabilities, appropriate for protecting web applications within a single Azure region. Application Gateway WAF operates at Layer 7, inspecting HTTP/HTTPS request content before forwarding to backend application servers. It handles SSL termination, request routing based on URL path and host headers, and session affinity alongside WAF filtering. For a Berlin-based SMB running a web application on Azure IaaS or App Service within a virtual network, Application Gateway WAF is the standard choice.
Azure Front Door WAF is a global, anycast-distributed entry point that provides WAF protection across Microsoft’s global PoP network, routing users to the nearest application instance and protecting against attacks at the network edge rather than at the application region. Front Door WAF is appropriate for applications with global user bases, latency-sensitive APIs requiring CDN acceleration, and scenarios requiring bot management at scale. For small Berlin businesses serving primarily local or European users, Application Gateway WAF is typically the more cost-effective architecture; Front Door WAF provides additional value for global reach and DDoS mitigation at scale.
OWASP Core Rule Set and Managed Rules
Azure WAF includes managed rule sets based on the OWASP Core Rule Set (CRS), which provides pre-built detection rules for the most prevalent web application attack categories: SQL injection, XSS, local file inclusion (LFI), remote file inclusion (RFI), PHP injection, Java injection, command injection, and protocol violations. The managed rule sets are maintained by Microsoft and updated as new attack patterns emerge, eliminating the need to write and maintain custom WAF rules for common attack signatures.
WAF rule sets can be operated in Detection mode (log matches without blocking) or Prevention mode (block matched requests). Detection mode is used during initial deployment to identify legitimate traffic that triggers false positives before switching to Prevention mode, which actively blocks requests that match attack signatures. Specific rules or rule groups can be disabled at the rule set level to suppress false positives for applications that use patterns the WAF misidentifies as attacks — for example, applications that accept HTML input in form fields may trigger XSS rules that need to be scoped to specific URI paths rather than applied globally.
Custom Rules and Bot Management
Beyond the managed rule sets, WAF supports custom rules that apply organization-specific access controls: geo-filtering to block traffic from specific countries, IP reputation lists for blocking known malicious IP ranges, rate limiting to defend against credential stuffing and content scraping, and custom match conditions for application-specific threat patterns. For a Berlin e-commerce business, a custom WAF rule blocking login endpoint requests from non-EU IP ranges reduces credential stuffing attack surface without affecting the expected user base.
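As an added example for the two points above (Detection vs. Prevention mode with rule disabling and scoped exclusions, and custom geo and rate-limit rules on a login endpoint), the following Python builds the `properties` body of an Application Gateway WAF policy in the ARM schema and sanity-checks it before deployment. This is illustration code written for this page, not Microsoft's or the page's own code; the rule id 920300, the field name `comment`, the path `/login`, the rate-limit threshold and the use of a rule-group-scoped exclusion (which assumes CRS 3.2 and a recent API version) are assumptions, while the `negationConditon` spelling is the property name the App Gateway WAF schema actually uses.

```python
import json

# ISO 3166-1 alpha-2 codes of the 27 EU member states: a constructed allow-list for the
# login path; widen it if the expected user base includes other countries.
EU_COUNTRY_CODES = [
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
    "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
]


def login_path_condition(login_path):
    """Match condition: request URI begins with the login path (compared in lower case)."""
    return {
        "matchVariables": [{"variableName": "RequestUri"}],
        "operator": "BeginsWith",
        "negationConditon": False,  # (sic) this spelling is the property name in the ARM schema
        "matchValues": [login_path],
        "transforms": ["Lowercase"],
    }


def build_waf_policy(mode="Detection", allowed_countries=EU_COUNTRY_CODES,
                     login_path="/login", html_field="comment"):
    """Return the `properties` body of an Application Gateway WAF policy.

    mode: "Detection" logs matches without blocking (tuning phase); "Prevention" blocks.
    Rule id 920300, the field name and the thresholds below are illustrative assumptions.
    """
    if mode not in ("Detection", "Prevention"):
        raise ValueError("mode must be Detection or Prevention, got %r" % mode)
    return {
        "policySettings": {"state": "Enabled", "mode": mode, "requestBodyCheck": True},
        "managedRules": {
            "managedRuleSets": [{
                "ruleSetType": "OWASP",
                "ruleSetVersion": "3.2",
                # Rule-level override: switch off one noisy rule, not its whole group.
                "ruleGroupOverrides": [{
                    "ruleGroupName": "REQUEST-920-PROTOCOL-ENFORCEMENT",
                    "rules": [{"ruleId": "920300", "state": "Disabled"}],
                }],
            }],
            # Exclusion scoped to one form field AND one rule group: the HTML-bearing field
            # skips the XSS rules; everything else in the request is still inspected.
            "exclusions": [{
                "matchVariable": "RequestArgNames",
                "selectorMatchOperator": "Equals",
                "selector": html_field,
                "exclusionManagedRuleSets": [{
                    "ruleSetType": "OWASP",
                    "ruleSetVersion": "3.2",
                    "ruleGroups": [{"ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS"}],
                }],
            }],
        },
        # Custom rules are evaluated before the managed rules, lowest priority value first.
        "customRules": [
            {
                "name": "BlockLoginFromOutsideEU",
                "priority": 10,
                "ruleType": "MatchRule",
                "action": "Block",
                "matchConditions": [
                    login_path_condition(login_path),
                    {   # GeoMatch with negation: matches when the client country is NOT listed
                        "matchVariables": [{"variableName": "RemoteAddr"}],
                        "operator": "GeoMatch",
                        "negationConditon": True,
                        "matchValues": list(allowed_countries),
                    },
                ],
            },
            {
                "name": "RateLimitLogin",
                "priority": 20,
                "ruleType": "RateLimitRule",
                "action": "Block",
                "rateLimitDuration": "OneMin",  # threshold counted per client IP per minute
                "rateLimitThreshold": 50,
                "groupByUserSession": [{"groupByVariables": [{"variableName": "ClientAddr"}]}],
                "matchConditions": [login_path_condition(login_path)],
            },
        ],
    }


def validate_policy(props):
    """Pre-deployment sanity checks; returns a list of problems (empty means OK)."""
    problems = []
    if props["policySettings"]["mode"] not in ("Detection", "Prevention"):
        problems.append("mode must be Detection or Prevention")
    priorities = [r["priority"] for r in props["customRules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("custom rule priorities must be unique")
    for rule in props["customRules"]:
        for cond in rule["matchConditions"]:
            if cond["operator"] == "GeoMatch":
                bad = [c for c in cond["matchValues"] if not (len(c) == 2 and c.isalpha())]
                if bad:
                    problems.append("%s: GeoMatch expects ISO country codes, got %s" % (rule["name"], bad))
    return problems


def policy_json(mode="Detection"):
    """Serialise a validated policy body for an ARM/Bicep parameter or an `az rest` call."""
    props = build_waf_policy(mode)
    problems = validate_policy(props)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"properties": props}, indent=2)
```

The intended workflow is `policy_json("Detection")` first, a review of the firewall log for managed-rule matches on legitimate traffic (adding overrides or scoped exclusions as the page describes), and only then `policy_json("Prevention")`. Scoping the exclusion to a single argument name and a single rule group, rather than disabling the XSS group outright, keeps the rest of the request under inspection.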
Azure Front Door WAF includes bot management capabilities through the Microsoft Bot Manager rule set, which classifies web traffic as verified bots (search engine crawlers), unverified bots, malicious bots, and human traffic. The bot manager can allow verified bots (permitting Googlebot and Bingbot through for SEO indexing), challenge unverified bots with CAPTCHA or rate limiting, and block known malicious bots automatically. For applications subject to automated scraping, credential stuffing, or inventory hoarding attacks, bot management provides targeted mitigation without blocking legitimate human users.
WAF Monitoring and Logging
WAF logs are emitted to Azure Monitor and can be forwarded to a Log Analytics workspace for querying and alerting, to Azure Storage for long-term retention, or to an Event Hub for streaming to external SIEM systems including Microsoft Sentinel. WAF logs include the full request details, which rule was matched, the match evidence (the specific string that triggered the rule), and the action taken (detected or blocked). Analyzing WAF logs in Sentinel allows correlation with other security signals — a WAF block event followed by a successful authentication from the same IP indicates the attacker pivoted to credential attack after injection attempts failed.
Azure Monitor WAF metrics provide real-time visibility into attack volume: total requests, blocked requests, rule matches by rule ID, and geographic origin of traffic. Alert rules on sudden spikes in WAF block events detect active attack campaigns against your application. For Berlin businesses subject to NIS2 incident reporting requirements (operators of essential or important entities), WAF logs provide the evidence trail required to document the nature and scope of attempted cyberattacks against publicly accessible services.
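As an added example for the two analyses described above (the WAF-block-then-successful-sign-in correlation and alerting on spikes in block events), the following Python runs both checks over constructed sample data. This is illustration code written for this page, not the page's or Microsoft's own; the firewall records are constructed to the shape assumed here for Application Gateway firewall diagnostic logs (`timeStamp`, `category`, `properties.clientIp`, `properties.requestUri`, `properties.ruleId`, `properties.action`), the sign-in records use a simplified constructed shape rather than the real sign-in log schema, and the 30-minute window and spike thresholds are assumptions. In a Log Analytics workspace or Sentinel the same logic would be a KQL query joining the two tables.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def _waf_record(ts, ip, uri, rule_id, action):
    """Build one constructed firewall log record (trimmed to the fields used below)."""
    return json.dumps({"timeStamp": ts, "category": "ApplicationGatewayFirewallLog",
                       "properties": {"clientIp": ip, "requestUri": uri,
                                      "ruleId": rule_id, "action": action}})


# Constructed sample: one attacking client (203.0.113.10) blocked repeatedly on /login,
# and one legitimate client (198.51.100.7) that only trips a detection-mode rule.
WAF_LOG_LINES = "\n".join(_waf_record(*r) for r in [
    ("2024-05-06T08:00:01+00:00", "203.0.113.10", "/login", "942100", "Blocked"),
    ("2024-05-06T08:00:03+00:00", "203.0.113.10", "/login", "941100", "Blocked"),
    ("2024-05-06T08:00:05+00:00", "203.0.113.10", "/login", "942100", "Blocked"),
    ("2024-05-06T08:01:10+00:00", "198.51.100.7", "/search", "920300", "Detected"),
    ("2024-05-06T08:02:30+00:00", "203.0.113.10", "/login", "942100", "Blocked"),
    ("2024-05-06T08:05:00+00:00", "198.51.100.7", "/search", "920300", "Detected"),
    ("2024-05-06T08:10:00+00:00", "203.0.113.10", "/api/orders", "932100", "Blocked"),
])

# Constructed sign-in records (simplified shape, not the real sign-in log schema).
SIGNIN_LINES = "\n".join(json.dumps(s) for s in [
    {"time": "2024-05-06T07:30:00+00:00", "ip": "203.0.113.10", "user": "m.mueller@example.com", "result": "Failure"},
    {"time": "2024-05-06T08:03:00+00:00", "ip": "198.51.100.7", "user": "a.schmidt@example.com", "result": "Success"},
    {"time": "2024-05-06T08:04:12+00:00", "ip": "203.0.113.10", "user": "m.mueller@example.com", "result": "Success"},
])


def parse_jsonl(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def waf_events(lines):
    """Flatten firewall log records into dicts with parsed timestamps."""
    events = []
    for rec in parse_jsonl(lines):
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        p = rec["properties"]
        events.append({"time": datetime.fromisoformat(rec["timeStamp"]), "ip": p["clientIp"],
                       "action": p["action"], "rule_id": p["ruleId"], "uri": p["requestUri"]})
    return events


def blocked_then_signin(waf_lines, signin_lines, window_minutes=30):
    """Successful sign-ins preceded, within the window, by WAF blocks from the same IP."""
    blocks = defaultdict(list)
    for ev in waf_events(waf_lines):
        if ev["action"] == "Blocked":  # Detected-only matches are tuning noise, not attacks
            blocks[ev["ip"]].append(ev)
    window = timedelta(minutes=window_minutes)
    hits = []
    for s in parse_jsonl(signin_lines):
        if s["result"] != "Success":
            continue
        t = datetime.fromisoformat(s["time"])
        prior = [b for b in blocks.get(s["ip"], []) if t - window <= b["time"] <= t]
        if prior:
            hits.append({"ip": s["ip"], "user": s["user"], "signin_time": s["time"],
                         "blocked_requests": len(prior),
                         "first_block": min(b["time"] for b in prior).isoformat(),
                         "rules": sorted({b["rule_id"] for b in prior})})
    return hits


def block_spikes(waf_lines, bucket_minutes=1, min_events=3, factor=3):
    """Time buckets whose blocked-request count is both >= min_events and >= factor x median."""
    counts = Counter()
    for ev in waf_events(waf_lines):
        if ev["action"] != "Blocked":
            continue
        t = ev["time"]
        bucket = t.replace(second=0, microsecond=0, minute=t.minute - t.minute % bucket_minutes)
        counts[bucket] += 1
    if not counts:
        return []
    threshold = max(min_events, factor * median(counts.values()))
    return [(b.isoformat(), n) for b, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    print(json.dumps(blocked_then_signin(WAF_LOG_LINES, SIGNIN_LINES), indent=2))
    print(block_spikes(WAF_LOG_LINES))
```

On the sample data the correlation flags the 08:04 sign-in from 203.0.113.10 (four blocked requests in the preceding minutes, SQLi and XSS rules), while the legitimate client that only produced Detected events is not flagged; the spike detector reports the 08:00 minute with three blocks. The median-based baseline is deliberately crude: with real traffic, compare against the same window on previous days rather than against the current hour.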
Integration with Azure DDoS Protection and Defender for Cloud
Azure WAF operates at Layer 7 (application layer) and should be combined with Azure DDoS Protection at Layer 3/4 (network layer) for comprehensive protection against volumetric and application-layer attacks. DDoS Protection Standard detects and mitigates volumetric floods that attempt to overwhelm Application Gateway capacity before WAF can inspect individual requests. Microsoft Defender for App Service extends threat detection to the application runtime layer, detecting post-exploitation behavior on application servers behind the WAF, creating a defense-in-depth stack from network to application to runtime.
Microsoft Defender for Cloud assesses WAF configuration as part of its Secure Score recommendations, identifying misconfigured WAF deployments, application gateways without WAF enabled, and rule exclusions that significantly reduce protection scope. For Berlin businesses using Defender for Cloud to maintain their Azure security posture, WAF recommendations appear alongside compute, storage, and identity recommendations in the unified security dashboard, providing a single view of security control gaps across the entire Azure deployment.
Related Articles
- Microsoft Defender for Cloud: Defender for Cloud assesses WAF configuration as part of its Secure Score recommendations — misconfigured WAF deployments, application gateways without WAF enabled, and overly permissive rule exclusions appear as security recommendations in the unified Defender for Cloud dashboard alongside compute, storage, and identity gaps
- Microsoft Sentinel: WAF logs forwarded to a Log Analytics workspace connect directly to Sentinel for correlation with identity and endpoint signals — a WAF block event followed by a successful authentication from the same IP creates a correlated incident that indicates the attacker pivoted from injection attacks to credential-based access after being blocked
- Microsoft Azure Arc: Azure Arc-connected on-premises web servers can be managed through Azure Policy alongside Azure-native resources, but WAF protection for on-premises applications requires an Application Gateway deployed in Azure as a reverse proxy — Arc enables unified security posture management but WAF coverage still requires routing on-premises application traffic through an Azure-hosted Application Gateway
