| title | Azure Web Application Firewall on Application Gateway for Containers |
|---|---|
| description | This article provides an overview of Azure Web Application Firewall on Application Gateway for Containers, including setup, limitations, and pricing. |
| services | application-gateway |
| author | jackstromberg |
| ms.service | azure-appgw-for-containers |
| ms.topic | concept-article |
| ms.date | 11/10/2025 |
| ms.author | jstrom |
Azure Web Application Firewall provides centralized protection of your web applications from common exploits and vulnerabilities. All Azure Web Application Firewall functionality exists inside a policy, which can be referenced at listener or path-based routing rules within the Gateway API YAML configuration.
Application Gateway for Containers introduces a new child resource called SecurityPolicy in Azure Resource Manager. The SecurityPolicy resource brings scope to which Azure Web Application Firewall policies the ALB Controller can reference.
Application Gateway for Containers introduces a new custom resource called WebApplicationFirewallPolicy. The custom resource is responsible for defining which Azure Web Application Firewall policy should be used at which scope.
The WebApplicationFirewallPolicy resource can target the following Kubernetes resources:
GatewayHTTPRoute
The WebApplicationFirewallPolicy resource can also reference the following sections by name for further granularity:
Gateway:Listener
Here's an example YAML configuration that shows targeting a Gateway resource, which would apply to all listeners on a given Application Gateway for Containers' frontend resource.
apiVersion: alb.networking.azure.io/v1
kind: WebApplicationFirewallPolicy
metadata:
name: sample-waf-policy
namespace: test-infra
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: contoso-waf-route
namespace: test-infra
webApplicationFirewall:
id: /subscriptions/.../Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-policy-0Within a Gateway resource, you may have different hostnames defined by different listeners (e.g. contoso.com and fabrikam.com). If contoso.com is a hostname of listenerA and fabrikam.com is a hostname of listenerB, you can define the sectionNames property to select the proper listener (for example, listenerA for contoso.com).
apiVersion: alb.networking.azure.io/v1
kind: WebApplicationFirewallPolicy
metadata:
name: sample-waf-policy
namespace: test-infra
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: contoso-waf-route
namespace: test-infra
sectionNames: ["contoso-listener"]
webApplicationFirewall:
id: /subscriptions/.../Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-policy-0This example shows how to target a defined HTTPRoute resource to apply the policy to any routing rules and paths within a given HTTPRoute resource.
apiVersion: alb.networking.azure.io/v1
kind: WebApplicationFirewallPolicy
metadata:
name: sample-waf-policy
namespace: test-infra
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: contoso-pathA
namespace: test-infra
webApplicationFirewall:
id: /subscriptions/.../Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-policy-0To use different WAF policies to different paths of the same Gateway or Gateway -> Listener sectionName, you can define two HTTPRoute resources, each with a unique path, that each references its applicable WAF policy.
apiVersion: alb.networking.azure.io/v1
kind: WebApplicationFirewallPolicy
metadata:
name: sample-waf-policy-A
namespace: test-infra
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: contoso-pathA
namespace: test-infra
webApplicationFirewall:
id: /subscriptions/.../Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-policy-0
---
apiVersion: alb.networking.azure.io/v1
kind: WebApplicationFirewallPolicy
metadata:
name: sample-waf-policy-B
namespace: test-infra
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: contoso-pathB
namespace: test-infra
webApplicationFirewall:
id: /subscriptions/.../Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-policy-1The following functionality is not supported on an Azure Web Application Firewall policy that's associated with Application Gateway for Containers:
- Cross-region, cross-subscription policy: Your WAF policy must be in the same subscription and region as your Application Gateway for Containers resource.
- Core Rule Set (CRS) managed rules: An Application Gateway for Containers WAF supports only Default Rule Set (DRS) 2.1 managed rule set.
- Legacy Bot Manager Rule Set: Bot Manager Ruleset 0.1 isn't supported, but Bot Manager Ruleset versions 1.0 and 1.1 are supported.
- JavaScript challenge actions on Bot Manager rules: You can't set the action on a Bot Manager rule to JavaScript challenge.
- Captcha challenge actions on Bot Manager rules: You can't set the action on a Bot Manager rule to Captcha.
- Microsoft Security Copilot: The Security Copilot is not supported on Application Gateway for Containers WAF.
- Custom Block Response: Setting a custom block response in your WAF policy is not supported on Application Gateway for Containers WAF.
- X-Forwarded-For Header (XFF): Application Gateway for Containers WAF doesn't support the XFF variable in custom rules.
- HTTP DDoS Ruleset: This managed ruleset isn't currenlty supported on Application Gateway for Containers.
For pricing details, see Understanding pricing for Application Gateway for Containers.