The Azure Application Gateway

Azure have released an application gateway with some WAF functionality which “protects web applications from common web-based attacks like SQL injection, cross-site scripting attacks, and session hijacks”. I deployed Barracuda WAFs in our Azure architecture several years ago but subsequently got rid of them – they are an expensive solution if you don’t have a lot of applications behind them. We were paying somewhere in the region of £10,000 per year per device. The costs add up when you need 2 for a high availability set and then another set in a different geo-region. £40,000 to protect a handful of websites. The application gateway is attractive from a cost perspective, although the WAF pricing itself hasn’t been confirmed as it’s still in preview.

The pricing is very attractive, although the WAF functionality is ‘TBC’


I’m keen to evaluate this service and would like to find out:

  • How much watering and feeding will they require? WAFs, like most security devices, have an administrative overhead.
  • How granular are the WAF rules – can the rules be tweaked? Will entering Irish names trigger SQL injection rules which can’t be altered?
  • Would we be better off using Cloudflare in front of our websites?
  • Does it play nice with authentication? (namely ADFS / Azure AD Authentication)
  • What is its logging capability like? Can we export it to a syslog server?

I’ll do another post when I have had a good look around the product. Its feature set overlaps rather confusingly with the ‘Azure AD Proxy’ apart from the WAF features – I’m not sure if there is still a use case for both of the products.