MicrosoftDocs
diff --git a/‎articles/application-gateway/for-containers/application-gateway-for-containers-components.md
Lines changed: 9 additions & 1 deletion b/‎articles/application-gateway/for-containers/application-gateway-for-containers-components.md
Lines changed: 9 additions & 1 deletion
diff --git a/‎articles/application-gateway/for-containers/application-gateway-for-containers-metrics.md
Lines changed: 17 additions & 7 deletions b/‎articles/application-gateway/for-containers/application-gateway-for-containers-metrics.md
Lines changed: 17 additions & 7 deletions
diff --git a/‎articles/application-gateway/for-containers/diagnostics.md
Lines changed: 62 additions & 1 deletion b/‎articles/application-gateway/for-containers/diagnostics.md
Lines changed: 62 additions & 1 deletion
@@ -5,7 +5,7 @@ services: application-gateway
 author: mbender-ms
 ms.service: azure-appgw-for-containers
 ms.topic: concept-article
-ms.date: 10/15/2024
+ms.date: 7/21/2025
 ms.author: mbender
 # Customer intent: "As a cloud architect, I want to understand the components of Application Gateway for Containers, so that I can effectively configure and manage traffic routing to backend services in my cloud deployment."
 ---
@@ -49,6 +49,14 @@ This article provides detailed descriptions and requirements for components of A
 - ALB Controller consists of two running pods.
   - alb-controller pod is responsible for orchestrating customer intent to Application Gateway for Containers load balancing configuration.
   - alb-controller-bootstrap pod is responsible for management of CRDs.
+ 
+### Application Gateway for Containers security policy
+
+- An Application Gateway for Containers security policy defines additional security configurations for the ALB Controller to consume.
+- Multiple security policies can be referred by a single Application Gateway for Containers resource.
+- At this time, the only security policy type offered is `waf` for web application firewall capabilities.
+- The `waf` security policy is a one-to-one mapping between the security policy resource and a Web Application Firewall policy.
+  - Only one web application firewall policy may be referenced in any number of security policies for a defined Application Gateway for Containers resource.
 
 ## Azure / general concepts
 
 
@@ -5,7 +5,7 @@ services: application-gateway
 author: mbender-ms
 ms.service: azure-appgw-for-containers
 ms.topic: concept-article
-ms.date: 02/27/2024
+ms.date: 7/21/2025
 ms.author: mbender
 
 # Customer intent: As an IT operations manager, I want to monitor performance metrics for Application Gateway for Containers, so that I can ensure optimal application performance and troubleshoot issues effectively.
@@ -18,13 +18,23 @@ Application Gateway for Containers publishes data points to [Azure Monitor](/azu
 
 | Metric Name | Description | Aggregation Type | Dimensions |
 | ----------- | ----------- | ---------------- | ---------- |
-| Backend Connection Timeouts | Count of requests that timed out waiting for a response from the backend target (includes all retry requests initiated from Application Gateway for Containers to the backend target) | Total | Backend Service |
+| Backend Connection Timeouts | Count of requests that timed out waiting for a response from the backend target (includes all retry requests initiated from Application Gateway for Containers to the backend target) | Sum | Backend Service |
 | Backend Healthy Targets | Count of healthy backend targets | Avg | Backend Service |
-| Backend HTTP Response Status | HTTP response status returned by the backend target to Application Gateway for Containers | Total | Backend Service, HTTP Response Code |
-| Connection Timeouts | Count of connections closed due to timeout between clients and Application Gateway for Containers | Total | Frontend |
-| HTTP Response Status | HTTP response status returned by Application Gateway for Containers | Total | Frontend, HTTP Response Code |
-| Total Connection Idle Timeouts | Count of connections closed, between client and Application Gateway for Containers frontend, due to exceeding idle timeout | Total | Frontend |
-| Total Requests | Count of requests Application Gateway for Containers has served | Total | Frontend |
+| Backend HTTP Response Status | HTTP response status returned by the backend target to Application Gateway for Containers | Sum | Backend Service, HTTP Response Code |
+| Connection Timeouts | Count of connections closed due to timeout between clients and Application Gateway for Containers | Sum | Frontend |
+| HTTP Response Status | HTTP response status returned by Application Gateway for Containers | Sum | Frontend, HTTP Response Code |
+| Total Connection Idle Timeouts | Count of connections closed, between client and Application Gateway for Containers frontend, due to exceeding idle timeout | Sum | Frontend |
+| Total Requests | Count of requests Application Gateway for Containers has served | Sum | Frontend |
+
+## WAF Metrics supported by Application Gateway for Containers
+
+Metrics specific to requests processed by web application firewall functionality on Application Gateway for Containers.
+
+| Metric Name | Description | Aggregation Type | Dimensions |
+| ----------- | ----------- | ---------------- | ---------- |
+| WAF Custom Rule Matches | Count of custom rule matches	| Sum | Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Name |
+| WAF Managed Rule Matches | Count of total managed rule matches | Sum | Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Group, Rule ID, Rule Set Name |
+| WAF Total Requests | Count of successful requests that WAF engine has served | Sum | Action, Country/Region, Method, Mode, Policy Name, Policy Scope |
 
 ## View Application Gateway for Containers metrics
 
 
@@ -5,7 +5,7 @@ services: application-gateway
 author: mbender-ms
 ms.service: azure-appgw-for-containers
 ms.topic: concept-article
-ms.date: 9/16/2024
+ms.date: 7/21/2025
 ms.author: mbender
 # Customer intent: As a cloud engineer, I want to enable and configure diagnostic logging for Application Gateway for Containers, so that I can monitor access patterns and troubleshoot performance issues effectively.
 ---
@@ -26,6 +26,7 @@ You can use different types of logs in Azure to manage and troubleshoot Applicat
 
 * **Activity log**: You can use [Azure activity logs](/azure/azure-monitor/essentials/activity-log) (formerly known as operational logs and audit logs) to view all operations that are submitted to your Azure subscription, and their status. Activity log entries are collected by default, and you can view them in the Azure portal.
 * **Access log**: You can use this log to view Application Gateway for Containers access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds. The data may be stored in a storage account that is specified at time of enable logging.
+* **Firewall log**:  You can use the Firewall log to view the requests that are logged through either detection or prevention mode of an application gateway for containers deployment that is configured with the web application firewall. Firewall logs are collected every 60 seconds.
 
 ### Configure access log
 
@@ -146,3 +147,63 @@ Here an example of the access log emitted in JSON format to a storage account.
     "location": "northcentralus"
 }
 ```
+
+### Firewall log format
+
+The firewall log is generated only if a security policy of type `WAF` is defined. Each firewall log entry in Application Gateway for Containers contains the following information.
+
+| Value            | Description                                                                                                                                                                                                            |
+|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| TimeGenerated    | Time (UTC) when the log was created.                                                                                                                                                                                   |
+| OperationName    | Name of the operation.                                                                                                                                                                                                 |
+| InstanceId       | Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance.                                                                   |
+| ClientIp         | Originating IP for the request.                                                                                                                                                                                        |
+| ClientPort       | Originating port for the request.                                                                                                                                                                                      |
+| Action           | Action taken on the request. Available values are Blocked and Allowed (for custom rules), Matched (when a rule matches a part of the request), and Detected and Blocked (these are both for mandatory rules).          |
+| Message          | User-friendly message for the triggering event. More details are provided in the details section.                                                                                                                      |
+| DetailedMessage  | Description of the rule for the triggered event.                                                                                                                                                                       |
+| DetailedData     | Specific data found in request that matched the rule for the triggered event.                                                                                                                                          |
+| FileDetails      | Configuration file that contained the rule for the triggered event.                                                                                                                                                    |
+| LineDetails      | Line number in the configuration file that triggered the event.                                                                                                                                                        |
+| Hostname         | Hostname or IP address of the Application Gateway.                                                                                                                                                                     |
+| PolicyId         | Resource ID of the web application firewall policy.                                                                                                                                                                    |
+| PolicyScope      | A named scope consisting of Kubernetes resource references the scope is applied to.                                                                                                                                    |
+| PolicyScopeName  | The name to the type of scope assignment the web application firewall policy is assigned to.                                                                                                                           |
+| RequestUri       | URL of the received request.                                                                                                                                                                                           |
+| RuleSetType      | Rule set type. The available value is Microsoft_DefaultRuleSet or Microsoft_BotManagerRuleSet.                                                                                                                         |
+| RuleSetVersion   | Rule set version used for Microsoft_DefaultRuleSet or Microsoft_BotManagerRuleSet.                                                                                                                                     |
+| RuleId           | Rule ID of the triggering event.                                                                                                                                                                                       |
+| TrackingId       | Generated guid by Application Gateway for Containers |
+
+```json
+{
+    "timeStamp": "2025-06-17T20:06:05+00:00",
+    "resourceId": "/SUBSCRIPTIONS/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/RESOURCEGROUPS/YYYYYY/PROVIDERS/MICROSOFT.SERVICENETWORKING/TRAFFICCONTROLLERS/ZZZZZZZ",
+    "operationName": "TrafficControllerFirewall",
+    "category": "TrafficControllerFirewallLog",
+    "properties": {
+        "instanceId": "8a02ae47-8435-4f3d-84a5-6f5ded3763f5",
+        "clientIp": "xxx.xxx.xxx.xxx",
+        "requestUri": "\/?1=1=1",
+        "ruleSetType": "Microsoft_DefaultRuleSet",
+        "ruleSetVersion": "2.1",
+        "ruleId": "949110",
+        "ruleGroup": "BLOCKING-EVALUATION",
+        "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
+        "action": "Blocked",
+        "details": {
+            "message": "Greater and Equal to Tx:inbound_anomaly_score_threshold at TX:anomaly_score.",
+            "data": "",
+            "file": "BLOCKING-EVALUATION.conf",
+            "line": "36"
+        },
+        "hostName": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.fzXX.alb.azure.com",
+        "trackingId": "0ef125db-7fb7-48a0-b3fe-03fe0ffed873",
+        "policyId": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/YYYYYY/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/ZZZZZZZ",
+        "policyScope": "HTTPRoute-test-infra-contoso-waf-route-rule-0-match-0-waf.fzXX.alb.azure.com",
+        "policyScopeName": "Route",
+        "engine": "Azwaf"
+    },
+    "location": "northcentralus"
+}
+```