Technical Lab: Map requirements to features and capabilities of WAF

Questions

Question 1 — Multiple Choice

A security team needs to protect a web application hosted on Azure against SQL injection and cross-site scripting (XSS) attacks. The solution must inspect HTTP/HTTPS traffic and block malicious requests before they reach the backend. Which Azure resource directly meets this requirement?

A) Azure Firewall Premium with IDPS rules enabled

B) Web Application Firewall (WAF) on Azure Application Gateway

C) Network Security Group (NSG) with deny rules at layer 4

D) Azure DDoS Protection Standard applied to the VNet


Question 2 — Technical Scenario

An architect is reviewing the WAF configuration on an Azure Application Gateway. The development team reports that some legitimate requests are being blocked, causing application failures. Upon investigation, the architect finds the following current state:

WAF Mode: Prevention
OWASP Rule Set: 3.2
Custom Rules: none
Exclusions: none

The architect needs to diagnose which rules are causing false positives without impacting the production environment's protection. What is the correct approach?

A) Temporarily disable the WAF on the Application Gateway to confirm that the problem is caused by it

B) Change the WAF mode from Prevention to Detection to log blocked requests without interrupting them

C) Remove the OWASP 3.2 ruleset and replace it with CRS 2.x, which is less restrictive

D) Create a Custom Rule with priority 1 to allow all traffic originating from the application IP


Question 3 — True or False

WAF on Azure Front Door and WAF on Azure Application Gateway share the same WAF policies and can be managed by a single policy object in the Azure portal, as long as both are in the same subscription.


Question 4 — Technical Scenario

An organization uses Azure Front Door with WAF enabled to distribute traffic globally. During an incident, the team identifies that a specific IP address is performing aggressive scraping against the application. The WAF is in Prevention mode and the managed OWASP rules are active, but the scraping behavior is not detected by the default rules of the managed ruleset.

What is the most appropriate action to immediately block this IP without changing the managed rules?

A) Change the WAF mode to Detection and wait for the ruleset to learn the attack pattern

B) Create a Custom Rule with IP match condition and Block action

C) Add the IP to the WAF exclusion list to force a reevaluation of the rules

D) Remove the Front Door profile and recreate with a different ruleset


Question 5 — Multiple Choice

A company needs to protect REST APIs exposed via Azure API Management (APIM) against layer 7 attacks. The team evaluates two options: placing an Azure Application Gateway with WAF in front of APIM, or using Azure Front Door with WAF. Which statement correctly represents a relevant difference between these two options in the context of API protection with WAF?

A) Application Gateway with WAF operates regionally, while Front Door with WAF offers distributed protection at Microsoft's global points of presence

B) Front Door with WAF does not support OWASP-managed rulesets, requiring all rules to be created manually

C) Application Gateway with WAF can only be deployed in Detection mode, making it unsuitable for production environments

D) Front Door with WAF does not allow Custom Rules, unlike Application Gateway which offers full support for them


Answer Key and Explanations

Answer Key — Question 1

Answer: B

WAF on Azure Application Gateway is specifically designed to inspect HTTP/HTTPS traffic at layer 7 and block attacks like SQL Injection and XSS based on managed rulesets (OWASP CRS). It is the native Azure resource created exactly for this scenario.

The main conceptual error in the distractors is confusion between protection layers. Azure Firewall Premium with IDPS inspects network traffic more broadly but is not designed to parse web application payloads. NSGs operate at layer 4 (TCP/UDP) and do not inspect HTTP content at all. Azure DDoS Protection Standard mitigates volumetric attacks, not application-layer attacks. Choosing any of these instead of a WAF would leave the application without effective protection against SQL Injection and XSS.


Answer Key — Question 2

Answer: B

In Detection mode the WAF writes every request that would have been blocked, together with the matching rule IDs, to its diagnostic logs without actually blocking it. The team can then query those logs in Azure Monitor or Log Analytics to identify which OWASP rules are generating false positives and create narrowly scoped exclusions before returning to Prevention mode.

Completely disabling WAF (option A) exposes the environment to real attacks during diagnosis. Replacing OWASP 3.2 ruleset with an earlier version (option C) reduces security coverage and doesn't solve the root cause. Creating a Custom Rule to allow all traffic from an IP (option D) is an overly broad measure that can mask legitimate attacks originating from that IP.


Answer Key — Question 3

Answer: False

WAF policies for Azure Front Door and for Azure Application Gateway are distinct and incompatible objects. A policy created for Application Gateway cannot be associated with Front Door, and vice versa. Each resource requires its own WAF policy with the correct type defined at creation time (Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies vs. Microsoft.Network/FrontDoorWebApplicationFirewallPolicies). The confusion between these two objects is a common misconception when designing hybrid application security architectures in Azure.


Answer Key — Question 4

Answer: B

Custom Rules in WAF allow defining specific conditions, such as source IP address matching, with Block action. This is the correct mechanism to block an individual IP without modifying managed rulesets, preserving the integrity of OWASP rules.

Switching to Detection mode (option A) would remove active blocking capability, exposing the application during the analysis period. Adding the IP to the exclusion list (option C) would have the opposite effect: excluding means exempting from evaluation, not blocking. Recreating the Front Door profile (option D) would cause unavailability with no technical benefit for the described scenario.


Answer Key — Question 5

Answer: A

Azure Application Gateway with WAF is a regional resource, deployed in a single Azure region. Azure Front Door with WAF operates on Microsoft's globally distributed points of presence (PoPs), applying WAF policies closer to the end user, which reduces latency and distributes inspection load.

The other distractors are factually incorrect. Front Door with WAF fully supports OWASP-based managed rulesets (option B is false). Application Gateway with WAF supports Prevention mode in production (option C is false). Front Door with WAF supports Custom Rules just as Application Gateway does (option D is false). The regional versus global distinction is the most relevant decision criterion when choosing between the two for protecting geographically distributed APIs.
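The following Bicep file is an added example, not part of the lab, that ties the answers to Questions 2 through 5 to concrete configuration: it declares the two distinct WAF policy resource types side by side (Question 3), puts the Application Gateway policy into Detection mode with a narrowly scoped exclusion and routes the firewall log to a workspace (Question 2), blocks a single source IP on the Front Door policy with a Custom Rule rather than by touching the managed ruleset (Question 4), and shows the regional versus global placement of each policy (Question 5). The resource and parameter names, the scraper IP, the `x-session-token` header, the excluded rule ID 942440 and the Front Door DRS version are all assumptions chosen for illustration.

```bicep
// Added example, not from the lab: the two distinct WAF policy types in one file.
// Names, IPs, the header name and the excluded rule ID are assumptions.
param appGatewayName string = 'agw-contoso-prod'   // assumed existing regional Application Gateway
param logAnalyticsWorkspaceId string               // assumed workspace that receives WAF logs
param scraperIp string = '203.0.113.10'            // assumed scraper IP (documentation address range)

// ---- Application Gateway WAF policy: regional, its own resource type (Q2, Q3, Q5) ----
resource agwWafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'wafpol-agw-contoso'
  location: resourceGroup().location   // regional: lives in the resource group's region
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Detection'   // log matches with rule IDs, do not block; set 'Prevention' after tuning
    }
    managedRules: {
      managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ]
      // Scoped exclusion: one header, one SQLi rule, instead of disabling the rule for all traffic.
      // Rule 942440 (SQL comment sequence) is an assumed example of a rule that opaque tokens can trip.
      exclusions: [
        {
          matchVariable: 'RequestHeaderNames'
          selectorMatchOperator: 'Equals'
          selector: 'x-session-token'
          exclusionManagedRuleSets: [
            {
              ruleSetType: 'OWASP'
              ruleSetVersion: '3.2'
              ruleGroups: [
                {
                  ruleGroupName: 'REQUEST-942-APPLICATION-ATTACK-SQLI'
                  rules: [ { ruleId: '942440' } ]
                }
              ]
            }
          ]
        }
      ]
    }
  }
}

// Detection mode only helps if the firewall log actually reaches a workspace the team can query.
resource appGateway 'Microsoft.Network/applicationGateways@2023-05-01' existing = {
  name: appGatewayName
}

resource agwWafDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'waf-to-log-analytics'
  scope: appGateway
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { category: 'ApplicationGatewayFirewallLog', enabled: true } ]
  }
}

// ---- Front Door WAF policy: global, a different resource type (Q3, Q4, Q5) ----
resource fdWafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'wafpolfdcontoso'   // Front Door policy names must be alphanumeric only
  location: 'Global'
  sku: { name: 'Premium_AzureFrontDoor' }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
    }
    customRules: {
      rules: [
        {
          // Custom rules are evaluated before managed rules, so the scraper is blocked
          // without any change to the managed ruleset.
          name: 'BlockScraperIP'
          priority: 10
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'RemoteAddr'
              operator: 'IPMatch'
              negateCondition: false
              matchValue: [ scraperIp ]
            }
          ]
        }
      ]
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'   // OWASP-derived DRS; version is an assumption
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
        }
      ]
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file waf-policies.bicep --parameters logAnalyticsWorkspaceId=<workspace resource id>`. Two points worth checking in practice: Detection mode stops blocking for the whole Application Gateway policy while it is active, so the diagnosis window should be as short as the log analysis allows; and the `ApplicationGatewayFirewallLog` category must be enabled, otherwise Detection mode produces nothing to analyze. Trying to reference `fdWafPolicy` from an Application Gateway, or `agwWafPolicy` from a Front Door security policy, fails at deployment time, which is the practical form of the Question 3 answer.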