Cloud Web Application Firewall — AWS WAF, Azure WAF & Cloud Armor Guide
In this tutorial, you'll learn about Cloud Web Application Firewall. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
A cloud web application firewall protects HTTP-based applications from common attacks like SQL Injection and cross-site scripting, with AWS WAF, Azure WAF, and GCP Cloud Armor each offering managed rule sets and custom rules.
What You Will Learn
How to deploy and tune WAF rules across the three major clouds, block OWASP Top 10 attacks, rate-limit abusive clients, and integrate with your CI/CD pipeline.
Why It Matters
Application-layer attacks account for over 40 percent of data breaches. A WAF blocks malicious traffic before it reaches your application servers, reducing the attack surface without code changes.
Real-World Use
DodaTech's SaaS platform uses AWS WAF with the OWASP core rule set in front of a Cloud Load Balancer. The WAF blocks an average of 12,000 SQL Injection attempts daily with zero false positives after tuning.
WAF Architecture
flowchart LR
Client[Internet] --> WAF[Web Application Firewall]
WAF -->|Allow| LB[Load Balancer]
WAF -->|Block| Blackhole["Blackhole / 403"]
LB --> App[Application Server]
subgraph WAF Rules
R1[SQLi Block]
R2[XSS Block]
R3[Rate Limit]
R4[IP Reputation]
end
style WAF fill:#f90,color:#fff
AWS WAF
AWS WAF integrates with CloudFront, ALB, API Gateway, and AppSync. You define web ACLs containing rules from managed rule groups or custom rule statements.
# Create a web ACL with OWASP core rule set
aws wafv2 create-web-acl \
--name prod-web-acl \
--scope REGIONAL \
--default-action Allow={} \
--rules '[
{
"Name": "AWS-AWSManagedRulesCommonRuleSet",
"Priority": 0,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesCommonRuleSet"
}
},
"OverrideAction": {"None": {}},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWSManagedRulesCommonRuleSet"
}
}
]' \
--visibility-config '{"SampledRequestsEnabled": true,"CloudWatchMetricsEnabled": true,"MetricName":"prod-web-acl"}'
# Associate with an ALB
aws wafv2 associate-web-acl \
--web-acl-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/prod-web-acl/id \
--resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/abcdef123456
Rate Limiting with AWS WAF
# Add a rate-based rule (100 requests per 5 minutes per IP).
# update-web-acl replaces the entire rule list, so in production include the
# managed rule group from the create step alongside this rule; --id and
# --lock-token come from `aws wafv2 get-web-acl`.
aws wafv2 update-web-acl \
--name prod-web-acl \
--scope REGIONAL \
--id <web-acl-id> \
--lock-token <lock-token> \
--default-action Allow={} \
--rules '[
{
"Name": "rate-limit",
"Priority": 1,
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "IP"
}
},
"Action": {"Block": {}},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "rate-limit"
}
}
]' \
--visibility-config '{"SampledRequestsEnabled": true,"CloudWatchMetricsEnabled": true,"MetricName":"prod-web-acl"}'
Azure Web Application Firewall
Azure WAF runs on Application Gateway and Front Door. It offers OWASP core rule sets with per-rule tuning.
# Enable WAF on an Application Gateway
az network application-gateway waf-config set \
--resource-group prod-rg \
--gateway-name prod-appgw \
--enabled true \
--firewall-mode Prevention \
--rule-set-version 3.2
# Create a custom rule to block requests from a specific IP range
# (custom rules live in a WAF policy that is attached to the gateway)
az network application-gateway waf-policy custom-rule create \
--resource-group prod-rg \
--policy-name prod-waf-policy \
--name block-bad-ips \
--priority 100 \
--rule-type MatchRule \
--action Block
# The match condition is added to the rule in a separate step
az network application-gateway waf-policy custom-rule match-condition add \
--resource-group prod-rg \
--policy-name prod-waf-policy \
--name block-bad-ips \
--match-variables RemoteAddr \
--operator IPMatch \
--values 198.51.100.0/24
GCP Cloud Armor
Cloud Armor provides WAF capabilities at the edge of Google's network, integrated with Cloud Load Balancing and Cloud CDN.
# Create a security policy with OWASP rules
gcloud compute security-policies create prod-waf-policy \
--description "Production WAF policy"
# Add a rule blocking SQL injection
gcloud compute security-policies rules create 1000 \
--security-policy prod-waf-policy \
--expression "evaluatePreconfiguredExpr('sqli-v33-stable')" \
--action deny-403
# Add rate limiting: throttle clients in the US to 500 requests per minute
# each (counted per client IP); requests over the limit receive a 429
gcloud compute security-policies rules create 2000 \
--security-policy prod-waf-policy \
--expression "origin.region_code == 'US'" \
--action throttle \
--rate-limit-threshold-count 500 \
--rate-limit-threshold-interval-sec 60 \
--conform-action allow \
--exceed-action deny-429 \
--enforce-on-key ip
Bot Control
All three providers offer managed bot detection that distinguishes between good bots (search engines), bad bots (scrapers), and unknown bots.
Common Mistakes
- Running WAF in detection mode only: Detection mode logs violations but does not block them. Switch to prevention mode after initial tuning.
- Not tuning managed rule sets: Default OWASP rules cause false positives. Use the count action during tuning, then switch to block after adjusting.
- Ignoring WAF logs: WAF generates rich logs showing blocked requests. Integrate them with your SIEM for attack analysis.
- Rate limiting without good-bot whitelisting: Googlebot and other legitimate crawlers trigger rate limits. Add exclusion rules for verified bot IP ranges.
- Forgetting to update WAF rules: Attack techniques evolve. Subscribe to managed rule updates and review custom rules quarterly.
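The "count first, then block" tuning loop from the list above, worked through as an added example (not code from the page or from AWS): it parses constructed AWS WAF log records in the JSON-lines format WAF writes, finds managed rules that fired in Count mode, flags those whose hits concentrate on one endpoint as likely false positives, and builds the RuleActionOverrides entry that keeps only those rules in Count when the rest of the group moves to Block. The thresholds min_hits and min_share are assumptions for illustration.

```python
"""Tune a managed rule group from COUNT-mode AWS WAF logs before switching to BLOCK.
Added example for this guide, not code from AWS or the original page. Log records
are constructed in AWS WAF's JSON-lines log format; min_hits/min_share are assumed."""
import json
from collections import Counter, defaultdict

# Constructed sample: one AWS WAF log record per line, trimmed to the fields used here.
SAMPLE_LOGS = """\
{"action":"ALLOW","terminatingRuleId":"Default_Action","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_BODY","action":"COUNT"}]}],"httpRequest":{"clientIp":"203.0.113.10","httpMethod":"POST","uri":"/api/upload"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_BODY","action":"COUNT"}]}],"httpRequest":{"clientIp":"203.0.113.11","httpMethod":"POST","uri":"/api/upload"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_BODY","action":"COUNT"}]}],"httpRequest":{"clientIp":"203.0.113.12","httpMethod":"POST","uri":"/api/upload"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"GenericLFI_QUERYARGUMENTS","action":"COUNT"}]}],"httpRequest":{"clientIp":"198.51.100.7","httpMethod":"GET","uri":"/search"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"GenericLFI_QUERYARGUMENTS","action":"COUNT"}]}],"httpRequest":{"clientIp":"198.51.100.7","httpMethod":"GET","uri":"/download"}}
{"action":"BLOCK","terminatingRuleId":"rate-limit","ruleGroupList":[],"httpRequest":{"clientIp":"198.51.100.7","httpMethod":"GET","uri":"/login"}}
"""

def parse_records(text):
    """Parse JSON-lines WAF log output (one record per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def count_mode_matches(records):
    """Per managed rule that matched in COUNT mode: hit count, URIs hit, distinct client IPs.
    While a group is overridden to Count, its matches sit under nonTerminatingMatchingRules."""
    summary = defaultdict(lambda: {"hits": 0, "uris": Counter(), "client_ips": set()})
    for rec in records:
        req = rec["httpRequest"]
        for group in rec.get("ruleGroupList") or []:
            for match in group.get("nonTerminatingMatchingRules") or []:
                if match.get("action") != "COUNT":
                    continue
                entry = summary[match["ruleId"]]
                entry["hits"] += 1
                entry["uris"][req["uri"]] += 1
                entry["client_ips"].add(req["clientIp"])
    return dict(summary)

def false_positive_candidates(summary, min_hits=3, min_share=0.8):
    """Flag rules whose hits pile up on one URI from several clients: that pattern
    usually means the rule trips on legitimate traffic to that endpoint."""
    flagged = []
    for rule_id, entry in summary.items():
        uri, top = entry["uris"].most_common(1)[0]
        if entry["hits"] >= min_hits and top / entry["hits"] >= min_share and len(entry["client_ips"]) > 1:
            flagged.append((rule_id, uri))
    return sorted(flagged)

def rule_action_overrides(rule_ids):
    """RuleActionOverrides for the ManagedRuleGroupStatement: keep these rules in Count while the group moves to Block."""
    return [{"Name": rid, "ActionToUse": {"Count": {}}} for rid in sorted(rule_ids)]
```

The returned overrides list drops into the `ManagedRuleGroupStatement` of the web ACL JSON shown earlier, under the `RuleActionOverrides` key, once the group's `OverrideAction` is changed from Count back to None.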
Practice Questions
- What is the difference between AWS WAF and AWS Shield?
- How does Azure WAF rule priority affect request processing?
- What GCP Cloud Armor feature rate-limits traffic based on geography?
- Why should you use count action before block action when deploying new WAF rules?
- How do managed rule sets reduce the burden of maintaining OWASP protection?
Challenge
Deploy a WAF in front of a web application across all three clouds. Create rules that block SQL injection, cross-site scripting, and requests from known malicious IP ranges. Add rate limiting at 200 requests per minute per client IP. Verify by generating test traffic and checking the WAF logs.
Built by the developers of DodaTech