Azure API Gateway WAF Security Features and Pricing


Azure API Gateway WAF offers robust security features to protect your APIs from common web attacks. It includes a rules engine that allows you to define custom rules to block or allow traffic based on specific conditions.

The WAF also provides pre-built rules from Azure Security Center, which can be easily enabled to protect against known vulnerabilities and attacks. This feature is especially useful for developers who want to quickly and easily secure their APIs without having to write custom code.

Azure API Gateway WAF Pricing is based on the number of API requests, with a free tier of 1 million requests per month. This makes it an affordable option for small to medium-sized businesses or startups that are just getting started with API development.

Azure API Gateway WAF Configuration

Azure API Gateway WAF configuration is a crucial aspect of securing your APIs. To enable a Web Application Firewall on Application Gateway, you must create a WAF policy.


A WAF policy consists of two types of security rules: custom rules and managed rule sets. Custom rules that you create can be combined with managed rule sets to create a fully customized policy that meets your specific application protection requirements.

You can configure a WAF policy and associate it to one or more application gateways for protection. Rules within a policy are processed in a priority order, with smaller integer values denoting higher priorities.

In short, a WAF policy combines custom rules (yours, evaluated in priority order) with Azure-managed rule sets, and is attached to the application gateways it should protect. Configured correctly, it shields your APIs from common web attacks before they reach the back end.

Resource Group Policies

To configure Azure API Gateway WAF, you need to understand Resource Group policies. Resource Group policies are used to manage and enforce security settings across multiple Azure resources.

You can create a Resource Group policy to require WAF to be enabled on all new API Gateway resources. This ensures that all new resources are protected by WAF by default.


Resource Group policies can also be used to enforce specific WAF rules on all existing API Gateway resources. This helps ensure consistency in security settings across all resources.

To create a Resource Group policy, you need to define the policy's scope, which determines which resources the policy will apply to. The scope can be set to a specific Resource Group or a subscription.

By defining a Resource Group policy, you can simplify the process of managing security settings across multiple Azure resources. This helps reduce the risk of human error and ensures that all resources are properly secured.

Configuration

To configure Azure API Gateway WAF, you create a WAF policy, which holds managed rules, custom rules, exclusions, and other customizations, and associate it with one or more application gateways. A WAF policy consists of two types of security rules: custom rules that you create, and managed rule sets, which are Azure-managed, preconfigured collections of rules.


Custom rules are processed before processing the rules in a managed rule set. A rule is made of a match condition, a priority, and an action. Action types supported are: ALLOW, BLOCK, and LOG.

To create a fully customized policy, you can combine managed and custom rules. Rules within a policy are processed in a priority order, with smaller integer values denoting higher priorities.

The key components of a WAF policy are:

  • Managed rule sets: Azure-managed, preconfigured collections of rules.
  • Custom rules: rules you write, each with a match condition, a priority, and an action.
  • Exclusions: variables the managed rules should not inspect.
  • Policy settings: for example whether the policy runs in Detection or Prevention mode.

You can create a WAF policy and associate it with one or more application gateways. A WAF policy can be associated at the global level, at a per-site level, or at a per-URI level.
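The following is an added example, not code from the article or from Microsoft: a small Python helper that assembles a WAF policy document with custom rules, a managed OWASP rule set and exclusions, and checks the things that commonly go wrong before deployment (duplicate priorities, unsupported actions, empty match lists, an invalid mode). The resource shape follows my reading of the ARM schema for Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies; treat the field names and the apiVersion as assumptions to verify against the current REST reference. The IP range, header value and policy name are constructed sample data.

```python
"""Build and sanity-check an Azure WAF policy document before deploying it.

Added example, not code from the original article. Field names follow my
understanding of the ARM schema (assumption); sample values are constructed.
"""
import json

ALLOWED_ACTIONS = {"Allow", "Block", "Log"}   # actions the article lists for custom rules


def custom_rule(name, priority, action, variable, operator, values,
                selector=None, negate=False):
    """One custom rule: a match condition, a priority, and an action."""
    match_var = {"variableName": variable}
    if selector:                       # e.g. a header name for RequestHeaders
        match_var["selector"] = selector
    return {
        "name": name,
        "priority": priority,
        "ruleType": "MatchRule",
        "action": action,
        "matchConditions": [{
            "matchVariables": [match_var],
            "operator": operator,
            "negationConditon": negate,   # the ARM property really is spelled this way
            "matchValues": list(values),
        }],
    }


def build_waf_policy(name, location, mode, custom_rules, exclusions=()):
    """Assemble the policy: settings, custom rules, managed OWASP rule set, exclusions."""
    return {
        "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
        "apiVersion": "2023-09-01",   # assumed; pick a current version for real use
        "name": name,
        "location": location,
        "properties": {
            "policySettings": {"state": "Enabled", "mode": mode, "requestBodyCheck": True},
            # smaller priority integer = evaluated earlier
            "customRules": sorted(custom_rules, key=lambda r: r["priority"]),
            "managedRules": {
                "managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2"}],
                "exclusions": list(exclusions),
            },
        },
    }


def validate_policy(policy):
    """Return a list of problems; an empty list means the document looks consistent."""
    problems = []
    props = policy["properties"]
    if props["policySettings"]["mode"] not in ("Detection", "Prevention"):
        problems.append("mode must be Detection or Prevention")
    seen = set()
    for rule in props["customRules"]:
        if rule["action"] not in ALLOWED_ACTIONS:
            problems.append(f"{rule['name']}: unsupported action {rule['action']}")
        if rule["priority"] in seen:
            problems.append(f"{rule['name']}: duplicate priority {rule['priority']}")
        seen.add(rule["priority"])
        if not rule["matchConditions"][0]["matchValues"]:
            problems.append(f"{rule['name']}: empty matchValues")
    return problems


def example_policy():
    """Constructed sample: block one test range, log requests from a known scanner UA."""
    rules = [
        custom_rule("BlockTestRange", 10, "Block", "RemoteAddr", "IPMatch", ["203.0.113.0/24"]),
        custom_rule("LogScannerUA", 20, "Log", "RequestHeaders", "Contains", ["sqlmap"],
                    selector="User-Agent"),
    ]
    return build_waf_policy("apim-waf-policy", "westeurope", "Prevention", rules)


if __name__ == "__main__":
    pol = example_policy()
    print(json.dumps(pol, indent=2))
    print("problems:", validate_policy(pol))
```

Run it once to print the JSON, then feed the document to your deployment tooling; running validate_policy in CI catches a silently ignored rule (duplicate priority) before it reaches production.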

Modes

DDoS protection modes are crucial for securing public IP addresses. There are two main modes: Enabled and Disabled.

The DDoS protection mode of the public IP is determined by the ProtectionMode value in the DDoS settings. This value can be set to either Enabled or Disabled.


In Detection mode, the Application Gateway WAF monitors and logs all threat alerts, but it doesn't block incoming requests. This mode is recommended for newly deployed WAFs in a production environment to obtain firewall logs and update exceptions or custom rules.

Prevention mode blocks intrusions and attacks that the rules detect, and the attacker receives a "403 unauthorized access" exception. The connection is closed, and the attack is recorded in the WAF logs.

Anomaly Scoring mode is the default for OWASP 3.x and uses a numeric value called the Anomaly Score to determine whether to block traffic. The severity of rule matches contributes to this score: Critical (5), Error (4), Warning (3), and Notice (2).

The severity values and their Anomaly Score contributions are:

  • Critical: 5
  • Error: 4
  • Warning: 3
  • Notice: 2

The Anomaly Score threshold for blocking traffic is 5. A single Critical rule match is enough to block a request, while a single Warning rule match only increases the Anomaly Score by 3.

SKU Pricing


SKU Pricing is a crucial aspect of Azure API Gateway WAF configuration. The pricing models differ for the WAF_v1 and WAF_v2 SKUs.

Application Gateway WAF SKU pricing, including the models for the WAF_v1 and WAF_v2 SKUs, is listed on the Application Gateway pricing page; consult it for current figures.

Prerequisites

To get started with configuring an Azure API Gateway WAF, you'll need to meet some basic prerequisites. You'll need to have a Microsoft Azure account.

Having a Microsoft Azure account is the first step, but you'll also need to ensure you have permission to access the API Management service and the Function App service in the Microsoft Azure portal.

Here's a quick rundown of the specific permissions you'll need:

  • You are permitted to access the API Management service.
  • You are permitted to access the Function App service.

Request and Response Management

Azure API Gateway WAF provides robust request and response management features.

API Gateway is a centralized entry point for managing and securing API traffic, making it a crucial component of Azure API Gateway WAF.


You can configure policies to apply rules for rate limiting, IP filtering, JWT validation, and more.

The Developer Portal enables developers to discover, test, and consume APIs, making it easier to manage API traffic.

API Gateway provides analytics and monitoring insights into API usage and performance.

Here's a summary of the key features:

  • API Gateway: Centralized entry point for managing and securing API traffic.
  • Developer Portal: Enables developers to discover, test, and consume APIs.
  • Policies: Apply rules for rate limiting, IP filtering, JWT validation, and more.
  • Analytics and Monitoring: Provides insights into API usage and performance.

In terms of request and response management, Azure API Gateway WAF supports several actions.

You can choose from Allow, Block, Log, or Anomaly score actions when a request matches a rule condition.

The Allow action passes the request through the WAF and forwards it to the back-end, while the Block action blocks the request and sends a response to the client.

The Log action logs the request in the WAF logs and continues evaluating lower priority rules.


The Anomaly score action increments the total anomaly score when a rule with this action is matched.

The supported actions are:

  • Allow: passes the request through the WAF to the back end.
  • Block: blocks the request and sends a response to the client.
  • Log: records the request in the WAF logs and continues evaluating lower-priority rules.
  • Anomaly score: adds the matched rule's severity value to the request's total anomaly score.

For request header management, Azure API Gateway WAF supports request header configurations, which modify or remove headers on the incoming request. Response header configurations do the same for headers on the response.

The urlConfiguration action defines URL rewriting rules, which is useful for rewriting URLs in requests or responses.

Here's a summary of the supported actions:

  • requestHeaderConfigurations: Configure request header actions.
  • responseHeaderConfigurations: Configure response header actions.
  • urlConfiguration: Configure URL rewriting rules.
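To make the three rewrite action kinds concrete, here is an added example (not code from the article or from Azure) that applies a rewrite action set to a sample request and response. The semantics it models are assumptions about the Application Gateway behaviour: a header entry with a non-empty headerValue sets the header, an empty headerValue deletes it, and urlConfiguration replaces the request path and query string. The only server variable it expands is {var_client_ip}; every input value is constructed.

```python
"""Apply Application Gateway-style rewrite actions to a sample request/response.

Added example, not code from the article or from Azure. Semantics are a
simplified model (assumption); all sample data is constructed.
"""


def _expand(value, request):
    """Expand the one server variable this model knows, {var_client_ip}."""
    return value.replace("{var_client_ip}", request.get("remote_addr", ""))


def _apply_headers(headers, configs, request):
    """Set or delete headers; names are compared case-insensitively."""
    out = dict(headers)
    for cfg in configs:
        name = cfg["headerName"]
        value = _expand(cfg.get("headerValue", ""), request)
        # drop any existing header with that name, whatever its case
        out = {k: v for k, v in out.items() if k.lower() != name.lower()}
        if value != "":               # empty headerValue means "remove"
            out[name] = value
    return out


def apply_rewrite_set(request, response, action_set):
    """Return new (request, response) dicts after the rewrite action set."""
    req = dict(request)
    resp = dict(response)
    req["headers"] = _apply_headers(
        req["headers"], action_set.get("requestHeaderConfigurations", []), request)
    resp["headers"] = _apply_headers(
        resp["headers"], action_set.get("responseHeaderConfigurations", []), request)
    url = action_set.get("urlConfiguration")
    if url:
        if url.get("modifiedPath"):
            req["path"] = url["modifiedPath"]
        if "modifiedQueryString" in url:
            req["query"] = url["modifiedQueryString"]
    return req, resp


# Constructed action set: stamp the client IP for the API, strip a debugging
# header from clients, hide the back-end server banner, add HSTS, and map a
# legacy path onto the current API route.
ACTION_SET = {
    "requestHeaderConfigurations": [
        {"headerName": "X-Forwarded-For", "headerValue": "{var_client_ip}"},
        {"headerName": "X-Debug-Token", "headerValue": ""},
    ],
    "responseHeaderConfigurations": [
        {"headerName": "Server", "headerValue": ""},
        {"headerName": "Strict-Transport-Security", "headerValue": "max-age=31536000"},
    ],
    "urlConfiguration": {"modifiedPath": "/api/orders", "modifiedQueryString": "v=2"},
}

# Constructed sample traffic.
SAMPLE_REQUEST = {
    "path": "/legacy/orders", "query": "v=1", "remote_addr": "198.51.100.7",
    "headers": {"Host": "api.example.test", "x-debug-token": "abc"},
}
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {"Server": "Kestrel", "Content-Type": "application/json"},
}

if __name__ == "__main__":
    new_req, new_resp = apply_rewrite_set(SAMPLE_REQUEST, SAMPLE_RESPONSE, ACTION_SET)
    print(new_req)
    print(new_resp)
```

The response-side rules are the ones worth copying: removing Server and adding Strict-Transport-Security at the gateway means every back end behind it gets the same hardening without code changes.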

DDoS Protection

DDoS Protection is a crucial feature of Azure API Gateway WAF. It can be enabled by setting the ProtectionMode to Enabled in the DdosSettings of the public IP.

The DDoS protection mode of the public IP can be set to Enabled or Disabled.

You can also associate a DDoS protection plan with the public IP by setting the ddosProtectionPlan to a valid SubResource. This plan can only be set if ProtectionMode is Enabled.

To get started with DDoS Protection, you can refer to the documentation on Application DDoS Protection.

DDoS Protection Mode


DDoS Protection Mode is a crucial setting for public IP addresses: it determines how the IP address handles DDoS attacks.

The mode is set with the ProtectionMode value in the DdosSettings of the public IP, to either Enabled or Disabled. A DDoS protection plan can be associated with the public IP only when ProtectionMode is Enabled, so enable protection first and then attach the plan.

The available modes are Enabled and Disabled. Which you choose depends on your needs and the type of DDoS attacks you're trying to protect against.

Scrubbing State

The log scrubbing state determines whether certain variables are scrubbed from WAF logs before they are written.

The state is set with the WebApplicationFirewallScrubbingState setting, which takes one of two values: Enabled (scrubbing is on) or Disabled (scrubbing is off). The setting is optional and defaults to Enabled.

Anomaly Scoring Mode

Anomaly Scoring mode is a powerful tool in OWASP that helps protect against DDoS attacks. It's the default mode for OWASP 3.x and offers a more nuanced approach to blocking traffic.

In this mode, traffic that matches any rule isn't immediately blocked, but rather, it's scored based on the severity of the match. There are four severity levels: Critical, Error, Warning, and Notice.

The severity levels and their values are:

  • Critical: 5
  • Error: 4
  • Warning: 3
  • Notice: 2

The Anomaly Score is calculated by adding up the values of all matched rules. If the total score is 5 or greater, the request is blocked when the WAF is running in Prevention mode; in Detection mode it is only logged.
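The following is an added example, not code from the article or from Azure, that ties together the Modes section, the Allow/Block/Log/Anomaly score actions and the scoring rule above. It simulates the evaluation order the article describes: custom rules first, in priority order, with Allow and Block terminating and Log continuing; then the managed rules, each match adding its severity weight (Critical 5, Error 4, Warning 3, Notice 2); a total of 5 or more blocks the request in Prevention mode and only logs it in Detection mode. The rule sets, rule ids and requests are constructed, and substring matching stands in for the real engine's operators.

```python
"""Simulate Application Gateway WAF request evaluation.

Added example, not code from the article or from Azure. Rules, ids and
requests are constructed; matching is a deliberate simplification.
"""
from dataclasses import dataclass, field

SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
ANOMALY_THRESHOLD = 5


@dataclass
class CustomRule:
    name: str
    priority: int       # smaller integer = higher priority
    action: str         # Allow, Block or Log
    variable: str       # request field the condition inspects
    contains: str       # substring the field must contain to match


@dataclass
class ManagedRule:
    rule_id: str
    severity: str       # Critical, Error, Warning or Notice
    variable: str
    contains: str


@dataclass
class Decision:
    verdict: str                          # "allowed" or "blocked"
    log: list = field(default_factory=list)
    anomaly_score: int = 0


def _matches(rule, request):
    return rule.contains.lower() in request.get(rule.variable, "").lower()


def evaluate(request, custom_rules, managed_rules, mode):
    """Return the WAF decision for one request in Detection or Prevention mode."""
    if mode not in ("Detection", "Prevention"):
        raise ValueError("mode must be Detection or Prevention")
    d = Decision(verdict="allowed")
    # Custom rules run before the managed rule set, lowest priority value first.
    for rule in sorted(custom_rules, key=lambda r: r.priority):
        if not _matches(rule, request):
            continue
        d.log.append(f"custom:{rule.name}:{rule.action}")
        if rule.action == "Allow":      # pass through; managed rules are skipped
            return d
        if rule.action == "Block":      # terminating; Detection mode only records it
            if mode == "Prevention":
                d.verdict = "blocked"
            return d
        # Log: recorded, evaluation continues with lower-priority rules
    # Managed rules: every match adds its severity weight to the anomaly score.
    for rule in managed_rules:
        if _matches(rule, request):
            d.anomaly_score += SEVERITY_SCORE[rule.severity]
            d.log.append(f"managed:{rule.rule_id}:{rule.severity}")
    if d.anomaly_score >= ANOMALY_THRESHOLD and mode == "Prevention":
        d.verdict = "blocked"
    return d


# Constructed sample rule sets (ids and severities are illustrative, not CRS values).
CUSTOM = [
    CustomRule("AllowHealthProbe", 5, "Allow", "path", "/healthz"),
    CustomRule("LogLegacyClient", 10, "Log", "user_agent", "legacy-sdk"),
    CustomRule("BlockDenylistedRange", 20, "Block", "remote_addr", "203.0.113."),
]
MANAGED = [
    ManagedRule("crs-sqli", "Critical", "query", "' or 1=1"),
    ManagedRule("crs-xss", "Warning", "query", "<script"),
    ManagedRule("crs-legacy-ua", "Warning", "user_agent", "legacy-sdk"),
]

if __name__ == "__main__":
    sample = {"path": "/api/orders", "query": "q=<script>",
              "user_agent": "legacy-sdk/1.0", "remote_addr": "198.51.100.9"}
    for mode in ("Detection", "Prevention"):
        print(mode, evaluate(sample, CUSTOM, MANAGED, mode))
```

The two-Warning request is the instructive case: neither managed match is severe enough on its own, but their combined score of 6 crosses the threshold, which is why tuning should look at the total score in the logs rather than at individual rule hits.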

OWASP CRS Configuration


OWASP CRS Configuration is a crucial aspect of Azure API Gateway WAF. You can configure OWASP CRS exclusions to exclude specific variables from being scanned.

To configure an exclusion, you need to specify the match variable and the selector. The match variable determines what you want to exclude, and the selector specifies which elements in the collection this exclusion applies to.

You can use the OwaspCrsExclusionEntrySelectorMatchOperator to specify how to operate on the selector. For example, you can use the Contains operator to exclude any variables that contain a specific value.

The operator determines how the selector is compared with the names in the chosen collection; Contains, for example, excludes every variable whose name contains the selector value.

By configuring OWASP CRS exclusions, you can fine-tune your Azure API Gateway WAF to exclude specific variables and rules, reducing false positives and improving performance.

Frequently Asked Questions

Can you use WAF with API Gateway?

Yes, you can use AWS Web Application Firewall (WAF) with API Gateway to protect your APIs from web attacks. To get started, associate an AWS WAF web ACL with an API stage using the AWS WAF console, SDK, CLI, or API Gateway console.
