|
| 1 | +--- |
| 2 | +title: Web Application Firewall on Application Gateway for Containers |
| 3 | +description: Protect your containerized applications with a Web Application Firewall (WAF) on Azure Application Gateway. |
| 4 | +author: halkazwini |
| 5 | +ms.author: halkazwini |
| 6 | +ms.service: azure-web-application-firewall |
| 7 | +ms.topic: overview |
| 8 | +ms.date: 07/22/2025 |
| 9 | + |
| 10 | +#CustomerIntent: As a developer, I want to secure my containerized applications so that I can protect them from web vulnerabilities. |
| 11 | +--- |
| 12 | + |
| 13 | +# Web Application Firewall on Application Gateway for Containers |
| 14 | + |
| 15 | +Web Application Firewall (WAF) on [Azure Application Gateway for Containers](../../application-gateway/for-containers/overview.md) actively protects your Kubernetes workloads against common exploits and vulnerabilities like SQL injections, cross-site scripting attacks and more. |
| 16 | + |
| 17 | +Application Gateway for Containers is an application layer (layer 7) [load balancing](/azure/architecture/guide/technology-choices/load-balancing-overview) and dynamic traffic management product for workloads running in a Kubernetes cluster, and is the evolution of the [Application Gateway Ingress Controller (AGIC)](../../application-gateway/ingress-controller-overview.md). Azure WAF provides real time protection for these application layer workloads through a set of proprietary managed rulesets and a framework for the creation of user generated custom rules. All of these WAF protections exist as part of a WAF policy that is attached to your Application Gateway for Containers deployment via a Security Policy resource and can be applied at the listener or route path levels. |
| 18 | + |
| 19 | +## Configuration |
| 20 | + |
| 21 | +To leverage WAF on your Application Gateway for Containers deployment, you will need to attach your WAF policy via a Security Policy. Security Policy in this context is a new child resource in Azure Resource Manager (ARM) that was introduced as part of the Application Gateway for Containers integration. The Security Policy is referenced by your Application Load Balancer (ALB) controller and helps define the scope of how your WAF policy is applied to your application’s traffic. |
| 22 | +Application Gateway for Containers also introduces a new resource called ‘WebApplicationFirewallPolicy’. This custom resource defines at which points the WAF policy is applied and can be configured at the listener or route path level. This configuration is done via your Kubernetes resource’s YAML file. |
| 23 | +Here is an example YAML configuration that shows targeting a specific path called ‘pathA’ on an HTTP Route resource: |
| 24 | + |
| 25 | + |
| 26 | +```yaml |
| 27 | +apiVersion: alb.networking.azure.io/v1 |
| 28 | +kind: WebApplicationFirewallPolicy |
| 29 | +metadata: |
| 30 | + name: sample-waf-policy |
| 31 | + namespace: test-infra |
| 32 | +spec: |
| 33 | + targetRef: |
| 34 | + group: gateway.networking.k8s.io |
| 35 | + kind: HTTPRoute |
| 36 | + name: contoso-waf-route |
| 37 | + namespace: test-infra |
| 38 | + sectionNames: ["pathA"] |
| 39 | + webApplicationFirewall: |
| 40 | + id: /subscriptions/.../Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-policy-0 |
| 41 | +``` |
| 42 | +
|
| 43 | +## Limitations |
| 44 | +
|
| 45 | +The following functionality is not supported on a WAF Policy associated with an Application Gateway for Containers instance: |
| 46 | +- Cross Region & Cross Subscription Not Supported – Your WAF policy needs to be in the same subscription and region as your Application Gateway for Containers resource. |
| 47 | +- Core Rule Set (CRS) Managed Rules – Application Gateway for Containers WAF only supports Default Rule Set (DRS) managed rulesets. |
| 48 | +- Legacy Bot Manager Ruleset – Bot Manager Ruleset 0.1 is not supported, but all newer Bot Manager ruleset versions are supported. |
| 49 | +- Java Script Challenge Actions on Bot Manager Rules – During preview you cannot set the Action on a Bot Manager rule to Java Script Challenge. |
| 50 | +- CoPilot for Security – During preview CoPilot for Security is not supported. |
| 51 | +
|
| 52 | +## Pricing |
| 53 | +
|
| 54 | +WAF usage is billed in addition to costs associated with Application Gateway for Containers usage. When enabled on your Application Gateway for Containers resource, two additional WAF specific meters are introduced: |
| 55 | +- Application Gateway for Containers WAF Hour – this fixed cost is incurred for the duration a Security Policy has a WAF policy referenced. |
| 56 | +- Application Gateway for Containers 1 million WAF Requests – this consumption-based meter bills per 1 million requests processed by the WAF and charges for each ruleset that you have enabled. In this context, if you have the Default Ruleset (DRS) and the Bot Manager Ruleset enabled this counts as two rulesets enabled. |
| 57 | +
|
| 58 | +For more pricing information, see [Application Gateway pricing](https://azure.microsoft.com/pricing/details/application-gateway) and [Web Application Firewall pricing](https://azure.microsoft.com/pricing/details/web-application-firewall). |
| 59 | +
|
| 60 | +## Related Content |
| 61 | +
|
| 62 | +- [Azure Web Application Firewall](../../web-application-firewall/overview.md) |
| 63 | +- [Azure Web Application Firewall on Azure Application Gateway](ag-overview.md) |
| 64 | +- [Deploy Application Gateway for Containers ALB Controller](../../application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller.md) |
| 65 | +
|
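Review bot: In the Configuration section (new-file lines 21-23), the page names two resources, the ARM "Security Policy" child resource and the Kubernetes `WebApplicationFirewallPolicy` custom resource, but never says how the two relate or which one the reader authors; the YAML example shows only the custom resource. Suggest one sentence stating that relationship explicitly, and one sentence after the example on scope: with `sectionNames: ["pathA"]`, say whether the other rules on `contoso-waf-route` are left without WAF inspection and what is covered when `sectionNames` is omitted, since a reader could otherwise assume the whole route is protected. Those three paragraphs also have no blank lines between them, so they will render as a single block. In Limitations (lines 49-50), two items say "During preview", but nothing earlier on the page states that the feature is in preview; either say so in the introduction or drop the qualifier. Smaller points: the front-matter `description` says "on Azure Application Gateway" while the title is "Application Gateway for Containers"; "Java Script Challenge" should read "JavaScript Challenge"; "CoPilot" should be "Copilot"; and DRS is expanded as "Default Rule Set" on line 47 but "Default Ruleset" on line 56.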