Commit 8cc8043

Merge pull request #297278 from halkazwini/waf-ddos
Freshness: Application (Layer 7) DDoS protection
2 parents ca2bb4f + c64abc6 commit 8cc8043


articles/web-application-firewall/shared/application-ddos-protection.md

Lines changed: 10 additions & 11 deletions
@@ -2,11 +2,11 @@
22
title: Application DDoS protection
33
titleSuffix: Azure Web Application Firewall
44
description: This article explains how you can use Azure Web Application Firewall with Azure Front Door or Azure Application Gateway to protect your web applications against application layer DDoS attacks.
5-
author: duongau
6-
ms.author: duau
5+
author: halkazwini
6+
ms.author: halkazwini
77
ms.service: azure-web-application-firewall
88
ms.topic: concept-article
9-
ms.date: 06/16/2023
9+
ms.date: 03/31/2025
1010
---
1111

1212
# Application (Layer 7) DDoS protection
@@ -33,7 +33,7 @@ Azure WAF has many features that can be used to mitigate many different types of
3333

3434
* Block or redirect to a static web page any traffic from outside a defined geographic region, or within a defined region that doesn't fit the application traffic pattern. For more information, see [Geo-filtering](../afds/waf-front-door-geo-filtering.md).
3535

36-
* Create [custom WAF rules](../afds/waf-front-door-custom-rules.md) to automatically block and rate limit HTTP or HTTPS attacks that have known signatures. Signature such as a specific user-agent, or a specific traffic pattern including headers, cookies, query string parameters or a combination of multiple signatures.
36+
* Create [custom WAF rules](../afds/waf-front-door-custom-rules.md) to automatically block and rate limit HTTP or HTTPS attacks that have known signatures. Signature such as a specific user-agent, or a specific traffic pattern including headers, cookies, query string parameters, or a combination of multiple signatures.
3737

3838
Beyond WAF, Azure Front Door also offers default Azure Infrastructure DDoS protection to protect against L3/4 DDoS attacks. Enabling caching on Azure Front Door can help absorb sudden peak traffic volume at the edge and protect backend origins from attack as well.
3939

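Review bot: the sentence "Signature such as a specific user-agent, or a specific traffic pattern ..." at line 36 is still a fragment after this edit, which only adds the serial comma. Consider "Signatures include a specific user-agent or a specific traffic pattern (headers, cookies, query string parameters), or a combination of several such signatures." The Application Gateway twin of this bullet at line 58 already uses the plural "Signatures", and the two bullets should read the same.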
@@ -55,21 +55,21 @@ Application Gateway WAF SKUs can be used to mitigate many L7 DDoS attacks:
5555

5656
* Block or redirect to a static web page any traffic from outside a defined geographic region, or within a defined region that doesn't fit the application traffic pattern. For more information, see examples at [Create and use v2 custom rules](../ag/create-custom-waf-rules.md).
5757

58-
* Create [custom WAF rules](../ag/configure-waf-custom-rules.md) to automatically block and rate limit HTTP or HTTPS attacks that have known signatures. Signatures such as a specific user-agent, or a specific traffic pattern including headers, cookies, query string parameters or a combination of multiple signatures.
58+
* Create [custom WAF rules](../ag/configure-waf-custom-rules.md) to automatically block and rate limit HTTP or HTTPS attacks that have known signatures. Signatures such as a specific user-agent, or a specific traffic pattern including headers, cookies, query string parameters, or a combination of multiple signatures.
5959

6060
## Other considerations
6161

62-
* Lock down access to public IPs on origin and restrict inbound traffic to only allow traffic from Azure Front Door or Application Gateway to origin. Refer to the [guidance on Azure Front Door](../../frontdoor/front-door-faq.yml#what-are-the-steps-to-restrict-the-access-to-my-backend-to-only-azure-front-door-). Application Gateways are deployed in a virtual network, ensure there isn't any publicly exposed IPs.
62+
* Lock down access to public IPs on origin and restrict inbound traffic to only allow traffic from Azure Front Door or Application Gateway to origin. Refer to the [guidance on Azure Front Door](../../frontdoor/front-door-faq.yml#what-are-the-steps-to-restrict-the-access-to-my-backend-to-only-azure-front-door-). Ensure there isn't any publicly exposed IP addresses in the Application Gateway's virtual network.
6363

6464
* Switch WAF policy to the prevention mode. Deploying the policy in detection mode operates in the log only and doesn't block traffic. After verifying and testing your WAF policy with production traffic and fine tuning to reduce any false positives, you should turn policy to Prevention mode (block/defend mode).
6565

66-
* Monitor traffic using Azure WAF logs for any anomalies. You can create custom rules to block any offending traffic – suspected IPs sending unusually high number of requests, unusual user-agent string, anomalous query string patterns etc.
66+
* Monitor traffic using Azure WAF logs for any anomalies. You can create custom rules to block any offending traffic – suspected IPs sending unusually high number of requests, unusual user-agent string, anomalous query string patterns, etc.
6767

6868
* You can bypass the WAF for known legitimate traffic by creating Match Custom Rules with the action of Allow to reduce false positive. These rules should be configured with a high priority (lower numeric value) than other block and rate limit rules.
6969

70-
* At a minimum, you should have a rate limit rule that blocks high rate of requests from any single IP address. For example, you can configure a rate limit rule to not allow any single *Client IP address* to send more than XXX traffic per window to your site. Azure WAF supports two windows for tracking requests, 1 and 5 minutes. It's recommended to use the 5-minute window for better mitigation of HTTP Flood attacks. This rule should be the lowest priority rule (priority is ordered with 1 being the highest priority), so that more specific Rate Limit rules or Match rules can be created to match before this rule. If you are using Application Gateway WAF v2, you can make use of additional rate limiting configurations to track and block clients by methods other than Client IP. More information on Rate Limits on Application Gateway waf can be found at [Rate limiting overview](../ag/rate-limiting-overview.md).
70+
* At a minimum, you should have a rate limit rule that blocks high rate of requests from any single IP address. For example, you can configure a rate limit rule to not allow any single *Client IP address* to send more than XXX traffic per window to your site. Azure WAF supports two windows for tracking requests, 1 and 5 minutes. It's recommended to use the 5-minute window for better mitigation of HTTP Flood attacks. This rule should be the lowest priority rule (priority is ordered with 1 being the highest priority), so that more specific Rate Limit rules or Match rules can be created to match before this rule. If you're using Application Gateway WAF v2, you can use other rate limiting configurations to track and block clients by methods other than Client IP. More information on rate limits on Application Gateway WAF can be found at [Rate limiting overview](../ag/rate-limiting-overview.md).
7171

72-
The following Log Analytics query can be helpful in determining the threshold you should use for the above rule. For a similar query but with Application Gateway, replace "FrontdoorAccessLog" with "ApplicationGatewayAccessLog".
72+
The following Log Analytics query can be helpful in determining the threshold you should use for the previous rule. For a similar query but with Application Gateway, replace `FrontdoorAccessLog` with `ApplicationGatewayAccessLog`.
7373

7474
```
7575
AzureDiagnostics
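Review bot: the rewording at line 62, "Ensure there isn't any publicly exposed IP addresses in the Application Gateway's virtual network", is ungrammatical ("isn't any ... addresses") and shifts the meaning: an Application Gateway v2 frontend normally carries a public IP in its own virtual network, so a reader could take this as advice to remove the gateway's own frontend. The sentence being replaced was about the origin behind the gateway. Suggest: "Application Gateway is deployed in a virtual network; ensure the backend servers have no publicly exposed IP addresses and accept traffic only from the gateway's subnet." Two smaller points in the same hunk: the "XXX traffic per window" placeholder at line 70 survives a freshness pass that bumps ms.date to 03/31/2025 and should become a concrete example threshold or an explicit instruction to derive one from the query that follows; and line 72 claims the query works for Application Gateway by swapping `FrontdoorAccessLog` for `ApplicationGatewayAccessLog`, which only holds if the column names used further down the query also exist in both tables, so that claim should be checked against the full query before shipping.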
@@ -102,11 +102,10 @@ AzureDiagnostics
102102
103103
For more information, see [Azure WAF with Azure Application Gateway](../ag/web-application-firewall-logs.md).
104104
105-
## Next steps
105+
## Related content
106106
107107
* [Create a WAF policy](../afds/waf-front-door-create-portal.md) for Azure Front Door.
108108
* [Create an Application Gateway](../ag/application-gateway-web-application-firewall-portal.md) with a Web Application Firewall.
109-
110109
* Learn how Azure Front Door can help [protect against DDoS attacks](../../frontdoor/front-door-ddos.md).
111110
* Protect your application gateway with [Azure DDoS Network Protection](../../application-gateway/tutorial-protect-application-gateway-ddos.md).
112111
* Learn more about the [Azure DDoS Protection](../../ddos-protection/ddos-protection-overview.md).
