Loading...

Enhancements to Azure WAF for Application Gateway now in General Availability

Enhancements to Azure WAF for Application Gateway now in General Availability

Introduction

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection for your web applications against common vulnerabilities and exploits. Web applications are increasingly targeted by malicious attacks that vulnerabilities. SQL Injection (SQLi) and Cross-Site Scripting (XSS) are examples of some well-known attacks. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching, and monitoring at many layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application developers and security teams against threats or intrusions.

 

The Azure Web Application Firewall (WAF) engine is the component that inspects traffic and determines whether a web-request represents a potential attack, then takes appropriate action depending on the configuration. Previously, when you used the Azure WAF with Application Gateway, there were certain limitations in the way you could configure and monitor your WAF deployments. We are happy to announce several enhancements to the configurations and monitoring capabilities of Azure WAF when used with Azure Application Gateway going forward.

 

We will be discussing the enhancements which Generally Available in the following sections of this blog.

Scale Limit Increases

Azure WAFs running on the next generation WAF engine can now leverage increased scale limits in key configurations covering security and application needs. The increase in scale limits allows organizations to have greater flexibility and to achieve more with fewer deployments in their environment. Increases in features such as WAF exclusions, HTTP listeners, and SSL certificates allow for better security, improved scale, easier deployment, and better management of applications. 

 

For a compressed version of the new changes introduced, you can reference the table below for more information.

Feature

Previous:

Current:

Notes:

HTTP Listeners

40

200, 100 active listeners

Limited to 100 active listeners that are routing traffic. Active listeners = total number of listeners - listeners not active.
If a default configuration inside a routing rule is set to route traffic (for example, it has a listener, a backend pool, and HTTP settings) then that also counts as a listener. For more information, see Frequently asked questions about Application Gateway.

WAF Exclusions

40

200

 

WAF IP address ranges per match condition

540

600

 

Sites

40

100

1 per HTTP listener

Redirect Configurations

40

100

 

SSL Certificates

40

100

1 per HTTP listener

Load-Balancing Rules

40

400

 

Frontend Ports

40

100

 

You can read more about the next generation WAF engine that makes this possible here, and get a full list of the supported scale limits for Application Gateways running WAF here.

 

Metrics

The WAF’s new metrics will allow security teams to monitor the total requests, managed rule matches, custom rule matches, and bot protection matches and filter them through a range of dimensions. These dimensions can assist security teams in identifying patterns in attack behaviors by splitting and filtering the metric by policy name, method, and geo-location for example. Sending the metrics to a log analytics workspace allows security teams to ingest this data using Microsoft Sentinel, where you can leverage the data using workbooks, notebooks, and analytic rules. These new metrics also allow for real time alerts to trigger against specified alert logic that you can manage with Azure Monitor.

Reference the table below to see what Metrics are available for Application Gateway WAF v2.

Metrics

Description

Dimension

WAF Total Requests

Count of successful requests that WAF engine has served

Action, Country/Region, Method, Mode, Policy Name, Policy Scope

WAF Managed Rule Matches

Count of total managed rule matches

Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Group, Rule ID, Rule Set Name

WAF Custom Rule Matches

Count of custom rule matches

Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Name

WAF Bot Protection Matches1

Count of total bot protection rule matches that have been blocked or logged from malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed.

Action, Country/Region, Bot Type, Mode, Policy Name, Policy Scope

1 Only Bot Manager Rule Set 0.1 will be displayed under “WAF Bot Protection Matches”. Requests matching Bot Manager Rule Set 1.0 will increase “WAF Total Requests” metrics, not “WAF Bot Protection Matches”.

 

You can read more about all metrics supported by Application Gateway v2 SKU here, and how to create Alert rules on metrics here.

Conclusion

With these new improvements, we hope to better meet the security needs of our customers using Azure WAF. For more information on Azure WAF with Application Gateway, please see the following documentation:

What is Azure Web Application Firewall on Azure Application Gateway? - Azure Web Application Firewall | Microsoft Learn

Best practices for Web Application Firewall on Azure Application Gateway | Microsoft Learn

 

Published on:

Learn more
Azure Network Security Blog articles
Azure Network Security Blog articles

Azure Network Security Blog articles

Share post:

Related posts

Building on Vercel’s eve + Azure Cosmos DB: An Agent That Remembers

Most “AI agent” demos forget everything the moment the process exits. That’s fine for a toy project, but useless for anythin...

14 hours ago

Copilot Studio – Environment-level agent telemetry export to Azure Application Insights (Preview)

We are announcing the ability for administrators to export Copilot Studio agent telemetry at the environment level to Azure Application Insigh...

1 day ago

See our new Azure Cosmos DB Design Patterns

Design patterns are where good data modeling lives or dies. In a NoSQL database like Azure Cosmos DB, the difference between a schema that sca...

2 days ago

Need a different partition key in Azure Cosmos DB? Pick the right approach

Once you create a container, its partition key is fixed at creation, and you can’t change it in place. However, if your original key starts ca...

2 days ago

Azure SDK Release (June 2026)

Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (June 2026) ap...

2 days ago

Fundamentals of Azure DevOps with SQL projects

Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...

6 days ago

Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers

Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...

7 days ago

What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)

We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...

7 days ago

Power Automate Flow — HTTP Trigger to Azure OpenAI

Build the secure Power Automate HTTP trigger flow that receives free text from the portal, calls Azure OpenAI using your smart-form-extract de...

9 days ago

Spring AI 2.0 is GA: Vector Search, Memory, and Agents on Azure Cosmos DB

The wait is over. Spring AI 2.0 is generally available, and Azure Cosmos DB is right there with it. With this release, Spring AI graduates int...

9 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy