Merge pull request #303599 from ShawnJackson/web-application-firewall-on-application-gateway-for-containers

ktoliver · web-flow · commit d4deb7591b2f · 2025-07-31T12:44:50.000-07:00
[AQ] edit pass: Articles about Web Application Firewall on Application Gateway for Containers
diff --git a/articles/application-gateway/for-containers/how-to-waf-gateway-api.md b/articles/application-gateway/for-containers/how-to-waf-gateway-api.md
@@ -1,6 +1,6 @@
 ---
-title: Web Application Firewall on Application Gateway for Containers - Gateway API
-description: This document provides an example scenario for testing the Web Application Firewall (WAF) on Application Gateway for Containers.
+title: Azure Web Application Firewall on Application Gateway for Containers - Gateway API
+description: This article provides an example scenario for testing Azure Web Application Firewall on Application Gateway for Containers.
 services: application-gateway
 author: jackstromberg
 ms.service: azure-appgw-for-containers
@@ -9,42 +9,46 @@ ms.date: 7/21/2025
 ms.author: jstrom
 ---
 
-# Web Application Firewall on Application Gateway for Containers with Gateway API
+# Azure Web Application Firewall on Application Gateway for Containers with the Gateway API
 
-This document helps set up an example application that uses the following resources from Gateway API. Steps are provided to:
+This article helps you set up an example application that uses resources from the Gateway API. The article provides steps to:
 
-- Create a [Gateway](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) resource with one HTTPS listener.
-- Create an [HTTPRoute](https://gateway-api.sigs.k8s.io/api-types/httproute) that references a backend service.
-- Create a `WebApplicationFirewallPolicy` resource that references an HTTPRoute.
+- Create a [`Gateway`](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) resource with one HTTPS listener.
+- Create an [`HTTPRoute`](https://gateway-api.sigs.k8s.io/api-types/httproute) resource that references a back-end service.
+- Create a `WebApplicationFirewallPolicy` resource that references an `HTTPRoute` resource.
 
 ## Background
 
-Application Gateway for Containers leverages web application firewall to block a malicious request from being proxied to the backend target. See the following example scenario:
+Application Gateway for Containers uses Azure Web Application Firewall to block a malicious request from being proxied to the back-end target. The following diagram shows an example scenario.
 
-![A figure showing a malicious request being blocked by Application Gateway for Containers with Web Application Firewall enabled in prevention mode.](./media/how-to-web-application-firewall-gateway-api/web-application-firewall.png)
+![Diagram that shows a malicious request being blocked by Application Gateway for Containers with Azure Web Application Firewall enabled in prevention mode.](./media/how-to-web-application-firewall-gateway-api/web-application-firewall.png)
 
 ## Prerequisites
 
-1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)
-2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the  [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).
-3. Deploy sample HTTP application
-   Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate the header rewrite.
+- If you're following the bring-your-own (BYO) deployment strategy, ensure that you set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md).
 
-   ```bash
-   kubectl apply -f https://raw.githubusercontent.com/MicrosoftDocs/azure-docs/refs/heads/main/articles/application-gateway/for-containers/examples/traffic-split-scenario/deployment.yaml
-   ```
+- If you're following the Application Load Balancer (ALB) managed deployment strategy, ensure that you:
+
+  - Provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md).
+  - Provisioned the Application Gateway for Containers resources via the [`ApplicationLoadBalancer` custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).
+
+- Apply the following `deployment.yaml` file on your cluster to create a sample web application that demonstrates the header rewrite:
+
+  ```bash
+  kubectl apply -f https://raw.githubusercontent.com/MicrosoftDocs/azure-docs/refs/heads/main/articles/application-gateway/for-containers/examples/traffic-split-scenario/deployment.yaml
+  ```
   
-   This command creates the following on your cluster:
+  This command creates the following items on your cluster:
 
-   - a namespace called `test-infra`
-   - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace
-   - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace
+  - A namespace called `test-infra`
+  - Two services called `backend-v1` and `backend-v2` in the `test-infra` namespace
+  - Two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace
 
 ## Deploy the required Gateway API resources
 
 # [ALB managed deployment](#tab/alb-managed)
 
-Create a gateway:
+Create a `Gateway` resource:
 
 ```bash
 kubectl apply -f - <<EOF
@@ -70,53 +74,53 @@ EOF
 
 [!INCLUDE [application-gateway-for-containers-frontend-naming](../../../includes/application-gateway-for-containers-frontend-naming.md)]
 
-# [Bring your own (BYO) deployment](#tab/byo)
+# [BYO deployment](#tab/byo)
 
-1. Set the following environment variables
+1. Set the following environment variables:
 
-```bash
-RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'
-RESOURCE_NAME='alb-test'
-
-RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)
-FRONTEND_NAME='frontend'
-```
+    ```bash
+    RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'
+    RESOURCE_NAME='alb-test'
+    
+    RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)
+    FRONTEND_NAME='frontend'
+    ```
 
-2. Create a Gateway
+2. Create a `Gateway` resource:
 
-```bash
-kubectl apply -f - <<EOF
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: gateway-01
-  namespace: test-infra
-  annotations:
-    alb.networking.azure.io/alb-id: $RESOURCE_ID
-spec:
-  gatewayClassName: azure-alb-external
-  listeners:
-  - name: http-listener
-    port: 80
-    protocol: HTTP
-    allowedRoutes:
-      namespaces:
-        from: Same
-  addresses:
-  - type: alb.networking.azure.io/alb-frontend
-    value: $FRONTEND_NAME
-EOF
-```
+    ```bash
+    kubectl apply -f - <<EOF
+    apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      name: gateway-01
+      namespace: test-infra
+      annotations:
+        alb.networking.azure.io/alb-id: $RESOURCE_ID
+    spec:
+      gatewayClassName: azure-alb-external
+      listeners:
+      - name: http-listener
+        port: 80
+        protocol: HTTP
+        allowedRoutes:
+          namespaces:
+            from: Same
+      addresses:
+      - type: alb.networking.azure.io/alb-frontend
+        value: $FRONTEND_NAME
+    EOF
+    ```
 
 ---
 
-Once the gateway resource is created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.
+After you create the `Gateway` resource, ensure that the status is valid, the listener has a status of `Programmed`, and an address is assigned to it:
 
 ```bash
 kubectl get gateway gateway-01 -n test-infra -o yaml
 ```
 
-Example output of successful gateway creation.
+Here's example output for successful creation of a `Gateway` resource:
 
 ```yaml
 status:
@@ -163,7 +167,7 @@ status:
       kind: HTTPRoute
 ```
 
-Once the gateway is created, create an HTTPRoute that listens for hostname contoso.com.
+Create an `HTTPRoute` resource that listens for the host name `contoso.com`:
 
 ```bash
 kubectl apply -f - <<EOF
@@ -185,13 +189,13 @@ spec:
 EOF
 ```
 
-Once the HTTPRoute resource is created, ensure the route is _Accepted_ and the Application Gateway for Containers resource is _Programmed_.
+After you create the `HTTPRoute` resource, ensure that the status of the route is `Accepted` and the status of the Application Gateway for Containers resource is `Programmed`:
 
 ```bash
 kubectl get httproute header-rewrite-route -n test-infra -o yaml
 ```
 
-Verify the status of the Application Gateway for Containers resource has been successfully updated.
+Verify that the status of the Application Gateway for Containers resource was successfully updated:
 
 ```yaml
 status:
@@ -225,7 +229,7 @@ status:
 
 ### Configure WebApplicationFirewallPolicy
 
-Application Gateway for Containers uses a custom resource called `WebApplicationFirewallPolicy` to define WAF protection. In this example, WAF will protect a specific HTTPRoute.
+Application Gateway for Containers uses a custom resource called `WebApplicationFirewallPolicy` to define Azure Web Application Firewall protection. In this example, Azure Web Application Firewall helps protect a specific `HTTPRoute` resource:
 
 ```bash
 kubectl apply -f - <<EOF
@@ -240,12 +244,13 @@ spec:
     kind: HTTPRoute
     name: contoso-waf-route
     namespace: test-infra
-    #sectionNames: ["listenerA"] # defined if targeting a specific listener on a gateway resource or path
+    #sectionNames: ["listenerA"] # defined if you're targeting a specific listener on a gateway resource or path
   webApplicationFirewall:
     id: /subscriptions/.../Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-policy-0
 EOF
 ```
 
+```bash
 kubectl apply -f - <<EOF
 apiVersion: alb.networking.azure.io/v1
 kind: WebApplicationFirewallPolicy
@@ -258,27 +263,28 @@ spec:
     kind: HTTPRoute
     name: contoso-waf-route
     namespace: test-infra
-    #sectionNames: ["listenerA"] # defined if targeting a specific listener on a gateway resource or path
+    #sectionNames: ["listenerA"] # defined if you're targeting a specific listener on a gateway resource or path
   webApplicationFirewall:
     id: /subscriptions/711d99a7-fd79-4ce7-9831-ea1afa18442e/resourceGroups/AGC-RG/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/agc-waf
 EOF
+```
 
 ## Test access to the application
 
-Now we're ready to send some traffic to our sample application, via the FQDN assigned to the frontend. Use the following command to get the FQDN:
+Now you're ready to send some traffic to the sample application, via the fully qualified domain name (FQDN) assigned to the frontend resource. Use the following command to get the FQDN:
 
 ```bash
 fqdn=$(kubectl get gateway gateway-01 -n test-infra -o jsonpath='{.status.addresses[0].value}')
 ```
 
-If you specify the server name indicator using the curl command, `contoso.com` for the frontend FQDN, the output should return a response from the backend-v1 service.
+If you specify the server name indicator by using the `curl` command, with `contoso.com` for the frontend resource's FQDN, the output should return a response from the `backend-v1` service:
 
 ```bash
 fqdnIp=$(dig +short $fqdn)
 curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com
 ```
 
-Via the response we should see:
+Via the response, you should see:
 
 ```json
 {
@@ -310,18 +316,18 @@ Via the response we should see:
 }
 ```
 
-Now, send a request with a malicious query string to trigger a `403 forbidden` response from your Application Gateway for Containers.
+Now, send a request with a malicious query string to trigger a `403 forbidden` response from Application Gateway for Containers.
 
-**Example 1:**
+Here's one example request:
 
 ```bash
 curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com/?text=/etc/passwd
 ```
 
-**Example 2:**
+Here's another example request:
 
 ```bash
 curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com/?1=1=1
 ```
 
-Congratulations, you have installed ALB Controller, deployed a backend application and used Web Application Firewall functionality to block a malicious request.
+Congratulations! You installed an ALB Controller, deployed a back-end application, and used Azure Web Application Firewall functionality to block a malicious request.
diff --git a/articles/application-gateway/for-containers/web-application-firewall.md b/articles/application-gateway/for-containers/web-application-firewall.md
@@ -1,41 +1,41 @@
 ---
-title: Web Application Firewall on Application Gateway for Containers
-description: This page provides an overview of the Web Application Firewall (WAF) on Application Gateway for Containers, including setup, limitations, known issues, and more.
+title: Azure Web Application Firewall on Application Gateway for Containers
+description: This article provides an overview of Azure Web Application Firewall on Application Gateway for Containers, including setup, limitations, and pricing.
 services: application-gateway
 author: jackstromberg
 ms.service: azure-appgw-for-containers
-ms.topic: how-to
+ms.topic: concept-article
 ms.date: 7/22/2025
 ms.author: jstrom
 ---
 
-# Web Application Firewall on Application Gateway for Containers
+# Azure Web Application Firewall on Application Gateway for Containers
 
-Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. All WAF functionality exists inside of a WAF policy, which can be referenced at listener or path-based routing rules within Gateway API yaml configuration.
+Azure Web Application Firewall provides centralized protection of your web applications from common exploits and vulnerabilities. All Azure Web Application Firewall functionality exists inside a policy, which can be referenced at listener or path-based routing rules within the Gateway API YAML configuration.
 
-![Diagram depicting a request being blocked by a web application firewall rule.](./media/how-to-web-application-firewall-gateway-api/web-application-firewall.png)
+![Diagram that shows an Azure Web Application Firewall rule blocking a request.](./media/how-to-web-application-firewall-gateway-api/web-application-firewall.png)
 
 ## Application Gateway for Containers implementation
 
-### Security Policy
+### Security policy
 
-Application Gateway for Containers introduces a new child resource in Azure Resource Manager (ARM), called a SecurityPolicy. The SecurityPolicy is what brings scope to which WAF policies may be referenced by the ALB Controller.
+Application Gateway for Containers introduces a new child resource called `SecurityPolicy` in Azure Resource Manager. The `SecurityPolicy` resource brings scope to which Azure Web Application Firewall policies the ALB Controller can reference.
 
-### Kubernetes Custom Resource
+### Kubernetes custom resource
 
-Application Gateway for Containers introduces a new custom resource called `WebApplicationFirewallPolicy`. The custom resource is responsible for defining which WAF Policy should be used at which scope.
+Application Gateway for Containers introduces a new custom resource called `WebApplicationFirewallPolicy`. The custom resource is responsible for defining which Azure Web Application Firewall policy should be used at which scope.
 
-The following scopes may be defined:
+The resource can define the following scopes:
 
-* Gateway
-* HTTPRoute
+* `Gateway`
+* `HTTPRoute`
 
-In addition, the following sections may be referenced by name for each of the parent resources:
+In addition, the resource can reference the following sections by name for each of the parent resources:
 
-* Gateway - Listener
-* HTTPRoute - Path
+* `Gateway`: `Listener`
+* `HTTPRoute`: `Path`
 
-Here is an example YAML configuration that shows targeting a specific path called `pathA` on an HTTPRoute resource:
+Here's an example YAML configuration that shows targeting a specific path called `pathA` on an `HTTPRoute` resource:
 
 ```yaml
 apiVersion: alb.networking.azure.io/v1
@@ -56,23 +56,22 @@ spec:
 
 ## Limitations
 
-The following functionality is not supported on a WAF Policy associated with Application Gateway for Containers:
+The following functionality is not supported on an Azure Web Application Firewall policy that's associated with Application Gateway for Containers:
 
-* WAF Security Copilot
-* JavaScript (JS) Challenge Actions
-* CRS 3.2 and lower ruleset
+* Azure Web Application Firewall integration in Microsoft Security Copilot
+* JavaScript challenge actions
+* Core Rule Set (CRS) 3.2 and earlier rule sets
 
 ## Pricing
 
-WAF is incrementally billed in addition to Application Gateway for Containers. Two meters track WAF consumption: 
+Azure Web Application Firewall is incrementally billed in addition to Application Gateway for Containers. Two metrics track Azure Web Application Firewall consumption:
 
-* AGC WAF Hour
-* AGC 1M WAF Requests
+* `AGC WAF Hour`
+* `AGC 1M WAF Requests`
 
-An AGC WAF Hour is incurred for the duration a security policy has a WAF policy referenced.
+An `AGC WAF Hour` rate is incurred for the duration that a security policy references an Azure Web Application Firewall policy.
 
-As each request is processed by WAF rules or Bot Protection, a consumption rate is billed per 1 million requests.
+As Azure Web Application Firewall rules or bot protection processes each request, a consumption rate is billed per 1 million requests.
 
 > [!NOTE]
-> Application Gateway for Containers + WAF is in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+> The association of Application Gateway for Containers with Azure Web Application Firewall is in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
diff --git a/includes/application-gateway-for-containers-frontend-naming.md b/includes/application-gateway-for-containers-frontend-naming.md
@@ -5,7 +5,7 @@ ms.topic: include
 ms.date: 08/14/2023
 ms:author: mbender
 ---
-> [!Note]
-> When the ALB Controller creates the Application Gateway for Containers resources in ARM, it'll use the following naming convention for a frontend resource: fe-\<8 randomly generated characters\>
+> [!NOTE]
+> When the ALB Controller creates the Application Gateway for Containers resources in Azure Resource Manager, it uses the following naming convention for a frontend resource: `fe-<eight randomly generated characters>`.
 >
-> If you would like to change the name of the frontend created in Azure, consider following the [bring your own deployment strategy](../articles/application-gateway/for-containers/overview.md#deployment-strategies).
+> If you want to change the name of the frontend resource created in Azure, consider following the [bring-your-own deployment strategy](../articles/application-gateway/for-containers/overview.md#deployment-strategies).
