Azure Web Application Firewall on Application Gateway for Containers

Azure Web Application Firewall provides centralized protection of your web applications from common exploits and vulnerabilities. All Azure Web Application Firewall functionality exists inside a policy, which can be referenced at listener or path-based routing rules within the Gateway API YAML configuration.

Application Gateway for Containers implementation

Security policy

Application Gateway for Containers introduces a new child resource called SecurityPolicy in Azure Resource Manager. The SecurityPolicy resource brings scope to which Azure Web Application Firewall policies the ALB Controller can reference.

Kubernetes custom resource

Application Gateway for Containers introduces a new custom resource called WebApplicationFirewallPolicy. The custom resource is responsible for defining which Azure Web Application Firewall policy should be used at which scope.

The resource can define the following scopes:

• Gateway
• HTTPRoute

In addition, the resource can reference the following sections by name for each of the parent resources:

• Gateway: Listener
• HTTPRoute: Path

Here's an example YAML configuration that shows targeting a specific path called pathA on an HTTPRoute resource:

apiVersion: alb.networking.azure.io/v1
kind: WebApplicationFirewallPolicy
metadata:
  name: sample-waf-policy
  namespace: test-infra
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: contoso-waf-route
    namespace: test-infra
    sectionNames: ["pathA"]
  webApplicationFirewall:
    id: /subscriptions/.../Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-policy-0

Limitations

The following functionality is not supported on an Azure Web Application Firewall policy that's associated with Application Gateway for Containers:

• Azure Web Application Firewall integration in Microsoft Security Copilot
• JavaScript challenge actions
• Core Rule Set (CRS) 3.2 and earlier rule sets