Azure App Gateway WAF_v2 Custom Rule evaluation of RequestUri fails to limit allowed paths

Hi Marius Shekow

You want to deny any requests that don’t match "/a/" or "/b/" and are looking for a way to achieve that through WAF policies, but it seems the WAF is not processing the full URI as you intended.

Your approach of setting a custom rule to deny traffic based on conditions related to the RequestUri is indeed valid, but it looks like the WAF is only evaluating the tail end of your paths due to the path-based routing you've set up.

Here are a couple of suggestions to improve your configuration:

1.Use a Catch-All Path Rule:

• Add a path rule like /* at the end of your path-based routing rules.
• Route it to a backend pool that returns a 403 or a custom error page.
• This ensures that any unmatched path is explicitly handled.

1. Go to your Application Gateway > Rules > Select your path-based routing rule.
2. Associate the WAF policy to the listener or globally (not per-path).
3. Ensure the default backend pool is valid (e.g., a dummy backend that returns 403, or rely on WAF to block).
4. refer:https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview
5. Use Azure Front Door Instead

• Azure Front Door (AFD) offers more granular control over routing and WAF evaluation.
• You can define global WAF policies and route-based rules with better URI visibility.
• AFD also supports geo-filtering and rate limiting more natively

3. Log and Monitor with Azure Monitor

• Use Azure Monitor and AGWFirewallLogs to track which paths are being accessed.
• This can help you fine-tune your WAF rules or identify patterns for additional blocking.

I hope this helps! If these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.

If the above is unclear or you are unsure about something, please add a comment below.

Hello @G Sree Vidya , thanks for your response.

While your suggestion would technically work, it would require me to set up such a dedicated server just to serve 403 responses. I want to avoid that, because it costs money, and also such a server might be vulnerable to hacking attacks.

Instead, I would prefer have AppGW or its WAF to block requests (made to paths other than /a/.. or /b/...) directly. It seems that this is not possible and I'll need to stick to my workaround with defining an empty backend pool, which serves 502 HTTP status responses (instead of 403), but that is not a "huge" issue. Unless there is someone else who can offer a solution.

While I'm sure that Azure Front Door is more capable and suited to solve my question, we are not planning to use that product. It's too expensive.

Hello Marius Shekow

Thank you for the clarification, and I completely understand your concern about avoiding the cost and potential exposure of maintaining a dedicated backend just to return 403 responses.

You're right. Azure Application Gateway WAF currently does not support directly denying requests based on unmatched paths (e.g., anything not starting with /a/ or /b/) without routing them to a backend. The WAF custom rules are evaluated after routing decisions, which limits their ability to act as a gatekeeper for unmatched paths.

You can use the method of assigning unmatched paths to an empty backend pool in Azure Application Gateway (AppGW) to effectively block requests that don’t match /a/ or /b/.

While this results in a 502 Bad Gateway instead of a 403 Forbidden, it:

• Does not require a dedicated backend server, which saves cost and reduces attack surface.
• Effectively blocks access to unwanted paths.
• Is a commonly accepted workaround given the current limitations of AppGW and WAF.

Do let me know if you have questions.