MicrosoftDocs
diff --git a/‎articles/web-application-firewall/cdn/cdn-overview.md
Lines changed: 36 additions & 33 deletions b/‎articles/web-application-firewall/cdn/cdn-overview.md
Lines changed: 36 additions & 33 deletions
diff --git a/‎articles/web-application-firewall/cdn/waf-cdn-create-portal.md
Lines changed: 15 additions & 14 deletions b/‎articles/web-application-firewall/cdn/waf-cdn-create-portal.md
Lines changed: 15 additions & 14 deletions
@@ -5,15 +5,18 @@ services: web-application-firewall
 author: vhorne
 ms.service: web-application-firewall
 ms.topic: overview
-ms.date: 03/09/2020
+ms.date: 03/18/2020
 ms.author: victorh
 ---
 
-# Azure Web Application Firewall with Azure CDN from Microsoft
+# Azure Web Application Firewall on Azure Content Delivery Network
 
-Azure Web Application Firewall (WAF) with CDN provides centralized protection for your web contents. WAF defends your web services against common exploits and vulnerabilities. It keeps your service highly available for your users and helps you meet compliance requirements.
+Azure Web Application Firewall (WAF) on Azure Content Delivery Network (CDN) provides centralized protection for your web content. WAF defends your web services against common exploits and vulnerabilities. It keeps your service highly available for your users and helps you meet compliance requirements.
 
-WAF on Azure CDN from Microsoft is a global and centralized solution. It's deployed on Azure network edge locations around the globe. WAF stops malicious attacks close to the attack sources, before they reach your origin. You get global protection at scale without sacrificing performance. 
+> [!IMPORTANT]
+> WAF on Azure CDN is currently in public preview and is provided with a preview service level agreement. Certain features may not be supported or may have constrained capabilities.  See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for details.
+
+WAF on Azure CDN is a global and centralized solution. It's deployed on Azure network edge locations around the globe. WAF stops malicious attacks close to the attack sources, before they reach your origin. You get global protection at scale without sacrificing performance. 
 
 A WAF policy easily links to any CDN endpoint in your subscription. New rules can be deployed within minutes, so you can respond quickly to changing threat patterns.
 
@@ -23,59 +26,63 @@ A WAF policy easily links to any CDN endpoint in your subscription. New rules ca
 
 You can configure a WAF policy and associate that policy to one or more CDN endpoints for protection. A WAF policy consists of two types of security rules:
 
-- custom rules that are authored by the customer.
+- custom rules that you can create.
 
-- managed rule sets that are a collection of Azure-managed pre-configured set of rules.
+- managed rule sets that are a collection of Azure managed pre-configured rules.
 
-When both are present, custom rules are processed before processing the rules in a managed rule set. A rule is made of a match condition, a priority, and an action. Action types supported are: ALLOW, BLOCK, LOG, and REDIRECT. You can create a fully customized policy that meets your specific application protection requirements by combining managed and custom rules.
+When both are present, custom rules are processed before processing the rules in a managed rule set. A rule is made of a match condition, a priority, and an action. Action types supported are: *ALLOW*, *BLOCK*, *LOG*, and *REDIRECT*. You can create a fully customized policy that meets your specific application protection requirements by combining managed and custom rules.
 
-Rules within a policy are processed in a priority order. Priority is a unique integer that defines the order of rules to process. Smaller integer value denotes a higher priority and those rules are evaluated before rules with a higher integer value. Once a rule is matched, the corresponding action that was defined in the rule is applied to the request. Once such a match is processed, rules with lower priorities aren't processed further.
+Rules within a policy are processed in a priority order. Priority is a unique number that defines the order of rules to process. Smaller numbers are a higher priority and those rules are evaluated before rules with a larger value. Once a rule is matched, the corresponding action that was defined in the rule is applied to the request. Once such a match is processed, rules with lower priorities aren't processed further.
 
 A web application hosted on Azure CDN can have only one WAF policy associated with it at a time. However, you can have a CDN endpoint without any WAF policies associated with it. If a WAF policy is present, it's replicated to all of our edge locations to ensure consistent security policies across the world.
 
 ## WAF modes
 
 WAF policy can be configured to run in the following two modes:
 
-- **Detection mode:** When run in detection mode, WAF doesn't take any other actions other than monitors and logs the request and its matched WAF rule to WAF logs. You can turn on logging diagnostics for Front Door. When you use the portal, go to the **Diagnostics** section.
+- *Detection mode*: When run in detection mode, WAF doesn't take any other actions other than monitors and logs the request and its matched WAF rule to WAF logs. You can turn on logging diagnostics for Front Door. When you use the portal, go to the **Diagnostics** section.
 
-- **Prevention mode:** In prevention mode, WAF takes the specified action if a request matches a rule. If a match is found, no further rules with lower priority are evaluated. Any matched requests are also logged in the WAF logs.
+- *Prevention mode*: In prevention mode, WAF takes the specified action if a request matches a rule. If a match is found, no further rules with a lower priority are evaluated. Any matched requests are also logged in the WAF logs.
 
 ## WAF actions
 
-WAF customers can choose to run from one of the actions when a request matches a rule's conditions:
+You can choose one of the following actions when a request matches a rule's conditions:
 
-- **Allow:**  Request passes through the WAF and is forwarded to back-end. No further lower priority rules can block this request.
-- **Block:** The request is blocked and WAF sends a response to the client without forwarding the request to the back-end.
-- **Log:**  Request is logged in the WAF logs and WAF continues evaluating lower priority rules.
-- **Redirect:** WAF redirects the request to the specified URI. The URI specified is a policy level setting. Once configured, all requests that match the **Redirect** action will be sent to that URI.
+- *Allow*: The request passes through the WAF and is forwarded to back-end. No further lower priority rules can block this request.
+- *Block*: The request is blocked and WAF sends a response to the client without forwarding the request to the back-end.
+- *Log*:  The request is logged in the WAF logs and WAF continues evaluating lower priority rules.
+- *Redirect*: WAF redirects the request to the specified URI. The URI specified is a policy level setting. Once configured, all requests that match the *Redirect* action is sent to that URI.
 
 ## WAF rules
 
-A WAF policy can consist of two types of security rules - custom rules, authored by the customer and managed rule sets, Azure-managed pre-configured set of rules.
+A WAF policy can consist of two types of security rules:
+
+- *custom rules*: rules you create yourself 
+- *managed rule sets*: Azure managed pre-configured set of rules
+
+### Custom rules
 
-### Custom authored rules
+Custom rules can have match rules and rate control rules.
 
-Custom rules may consist of match rules and rate control rules.
-You can configure custom match rules as follows:
+You can configure the following custom match rules:
 
-- **IP allow list and block list:** You can control access to your web applications based on a list of client IP addresses or IP address ranges. Both IPv4 and IPv6 address types are supported. This list can be configured to either block or allow those requests where the source IP matches an IP in the list.
+- *IP allow list and block list*: You can control access to your web applications based on a list of client IP addresses or IP address ranges. Both IPv4 and IPv6 address types are supported. This list can be configured to either block or allow those requests where the source IP matches an IP in the list.
 
-- **Geographic based access control:** You can control access to your web applications based on the country code that's associated with a client's IP address.
+- *Geographic based access control*: You can control access to your web applications based on the country code that's associated with a client's IP address.
 
-- **HTTP parameters-based access control:** You can base rules on string matches in HTTP/HTTPS request parameters.  For example, query strings, POST args, Request URI, Request Header, and Request Body.
+- *HTTP parameters-based access control*: You can base rules on string matches in HTTP/HTTPS request parameters.  For example, query strings, POST args, Request URI, Request Header, and Request Body.
 
-- **Request method-based access control:** You based rules on the HTTP request method of the request. For example, GET, PUT, or HEAD.
+- *Request method-based access control*: You base rules on the HTTP request method of the request. For example, GET, PUT, or HEAD.
 
-- **Size constraint:** You can base rules on the lengths of specific parts of a request such as query string, Uri, or request body.
+- *Size constraint*: You can base rules on the lengths of specific parts of a request such as query string, Uri, or request body.
 
-A rate control rule is to limit abnormal high traffic from any client IP.
+A rate control rule limits abnormally high traffic from any client IP address.
 
-- **Rate limiting rules:**  You may configure a threshold on the number of web requests allowed from a client IP during a one-minute duration. This rule is distinct from an IP list-based allow/block custom rule that either allows all or blocks all request from a client IP. Rate limits can be combined with additional match conditions such as HTTP(S) parameter matches for granular rate control.
+- *Rate limiting rules*: You can configure a threshold on the number of web requests allowed from a client IP address during a one-minute duration. This rule is distinct from an IP list-based allow/block custom rule that either allows all or blocks all request from a client IP address. Rate limits can be combined with additional match conditions such as HTTP(S) parameter matches for granular rate control.
 
 ### Azure-managed rule sets
 
-Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since such rulesets are managed by Azure, the rules are updated as needed to protect against new attack signatures. Azure-managed Default Rule Set includes rules against the following threat categories:
+Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since these rulesets are managed by Azure, the rules are updated as needed to protect against new attack signatures. The Azure managed Default Rule Set includes rules against the following threat categories:
 
 - Cross-site scripting
 - Java attacks
@@ -88,14 +95,10 @@ Azure-managed rule sets provide an easy way to deploy protection against a commo
 - Protocol attackers
 
 The version number of the Default Rule Set increments when new attack signatures are added to the rule set.
-Default Rule Set is enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions (ALLOW/BLOCK/REDIRECT/LOG) per rule. Default action for managed Default RuleSet is **Block".
+The Default Rule Set is enabled by default in *Detection* mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions (ALLOW/BLOCK/REDIRECT/LOG) per rule. The default action for the managed Default Rule Set is *Block*.
 
 Custom rules are always applied before rules in the Default Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Default Rule Set are processed. You can also remove the Default Rule Set from your WAF policies.
 
-> [!IMPORTANT]
-> WAF with Azure CDN is currently in public preview and is provided with a preview service level agreement. Certain features may not be supported or may have constrained capabilities.  See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for details.
-
-
 ## Configuration
 
 You can configure and deploy all WAF rule types using the Azure portal, REST APIs, Azure Resource Manager templates, and Azure PowerShell.
@@ -106,4 +109,4 @@ Monitoring for WAF with CDN is integrated with Azure Monitor to track alerts and
 
 ## Next steps
 
-- Learn about [Web Application Firewall on Azure Front Door](../afds/afds-overview.md)
+- [Tutorial: Create a WAF policy with Azure CDN using the Azure portal](waf-cdn-create-portal.md)
@@ -1,17 +1,17 @@
 ---
 title: 'Tutorial: Create WAF policy for Azure CDN - Azure portal'
-description: In this tutorial, you learn how to create a Web Application Firewall (WAF) policy by using the Azure portal.
+description: In this tutorial, you learn how to create a Web Application Firewall (WAF) policy on Azure CDN using the Azure portal.
 author: vhorne
 ms.service: web-application-firewall
 services: web-application-firewall
 ms.topic: tutorial
-ms.date: 03/09/2020
+ms.date: 03/18/2020
 ms.author: victorh
 ---
 
-# Tutorial: Create a Web Application Firewall policy with Azure CDN using the Azure portal
+# Tutorial: Create a WAF policy on Azure CDN using the Azure portal
 
-This tutorial show you how to create a basic Azure Web Application Firewall (WAF) policy and apply it to a endpoint at Azure CDN.
+This tutorial shows you how to create a basic Azure Web Application Firewall (WAF) policy and apply it to an endpoint on Azure Content Delivery Network (CDN).
 
 In this tutorial, you learn how to:
 
@@ -22,11 +22,11 @@ In this tutorial, you learn how to:
 
 ## Prerequisites
 
-Create a Front Door profile by following the instructions described in [Quickstart: Create a Front Door profile](../../cdn/cdn-create-new-endpoint.md). 
+Create an Azure CDN profile and endpoint by following the instructions in [Quickstart: Create an Azure CDN profile and endpoint](../../cdn/cdn-create-new-endpoint.md). 
 
 ## Create a Web Application Firewall policy
 
-First, create a basic WAF policy with managed Default Rule Set (DRS) by using the portal.
+First, create a basic WAF policy with a managed Default Rule Set (DRS) using the portal.
 
 1. On the top left-hand side of the screen, select **Create a resource**>search for **WAF**>select **Web application firewall** > select **Create**.
 2. In the **Basics** tab of the **Create a WAF policy** page, enter or select the following information, accept the defaults for the remaining settings, and then select **Review + create**:
@@ -48,37 +48,38 @@ First, create a basic WAF policy with managed Default Rule Set (DRS) by using th
     | Endpoint           | Select the name of your endpoint, then select **Add**.|
 
     > [!NOTE]
-    > If the endpoint is associated to a WAF policy, it is shown as grayed out. You must first remove the Endpoint from the associated policy, and then re-associate the endpoint to a new WAF policy.
+    > If the endpoint is associated with a WAF policy, it is shown grayed out. You must first remove the Endpoint from the associated policy, and then re-associate the endpoint to a new WAF policy.
 1. Select **Review + create**, then select **Create**.
 
 ## Configure Web Application Firewall policy (optional)
 
 ### Change mode
 
-When you create a WAF policy, by the default WAF policy is in **Detection** mode. In **Detection** mode, WAF does not block any requests, instead, requests matching the WAF rules are logged at WAF logs.
-To see WAF in action, you can change the mode settings from **Detection** to **Prevention**. In **Prevention** mode, requests that match rules that are defined in Default Rule Set (DRS) are blocked and logged at WAF logs.
+By default WAF policy is in *Detection* mode when you create a WAF policy. In *Detection* mode, WAF doesn't block any requests. Instead, requests matching the WAF rules are logged at WAF logs.
+
+To see WAF in action, you can change the mode settings from *Detection* to *Prevention*. In *Prevention* mode, requests that match rules that are defined in Default Rule Set (DRS) are blocked and logged at WAF logs.
 
  ![Change WAF policy mode](../media/waf-cdn-create-portal/policy.png)
 
 ### Custom rules
 
-You can create a custom rule by selecting **Add custom rule** under the **Custom rules** section. This launches the custom rule configuration page. There are two types of custom rules, **match rule** and **rate limit** rule.
-Below is an example of configuring a custom match rule to block a request if the query string contains **blockme**.
+To create a custom rule, select **Add custom rule** under the **Custom rules** section. This opens the custom rule configuration page. There are two types of custom rules: **match rule** and **rate limit** rule.
+
+The following screenshot shows a custom match rule to block a request if the query string contains the value **blockme**.
 
 ![Change WAF policy mode](../media/waf-cdn-create-portal/custommatch.png)
 
-Rate limit rule requires two additional fields: Rate limit duration and threshold as shown in below example:
+Rate limit rules require two additional fields: **Rate limit duration** and **Rate limit threshold (requests)** as shown in the following example:
 
 ![Change WAF policy mode](../media/waf-cdn-create-portal/customrate.png)
 
 ### Default Rule Set (DRS)
 
-Azure-managed Default Rule Set is enabled by default. To disable an individual rule within a rule group, expand the rules within that rule group,  select the **check box** in front of the rule number, and select **Disable** on the tab above. To change actions types for individual rules within the rule set, select the check box in front of the rule number, and then select the **Change action** tab above.
+The Azure managed Default Rule Set is enabled by default. To disable an individual rule within a rule group, expand the rules within that rule group,  select the check box in front of the rule number, and select **Disable** on the tab above. To change actions types for individual rules within the rule set, select the check box in front of the rule number, and then select the **Change action** tab above.
 
  ![Change WAF Rule Set](../media/waf-cdn-create-portal/managed2.png)
 
 ## Next steps
 
 > [!div class="nextstepaction"]
 > [Learn about Azure Web Application Firewall](../overview.md)
-> [Learn more about Azure Front Door](../../frontdoor/front-door-overview.md)