articles/web-application-firewall/ag/ag-overview.md
8 additions & 6 deletions
@@ -81,23 +81,25 @@ You can configure a WAF policy and associate that policy with one or more applic
81
81
- Custom rules that you create
82
82
- Managed rule sets that are collections of Azure-managed preconfigured rules
83
83
84
-
When both are present, the WAF processes custom rules before processing the rules in a managed rule set. A rule consists of a match condition, a priority, and an action. Supported action types are `ALLOW`, `BLOCK`, and `LOG`. You can create a fully customized policy that meets your specific requirements for application protection by combining managed and custom rules.
84
+
When both are present, the WAF processes custom rules before processing the rules in a managed rule set.
85
+
86
+
A rule consists of a match condition, a priority, and an action. Supported action types are `ALLOW`, `BLOCK`, and `LOG`. You can create a fully customized policy that meets your specific requirements for application protection by combining managed and custom rules.
85
87
86
88
The WAF processes rules within a policy in a priority order. Priority is a unique integer that defines the order of rules to process. A smaller integer value denotes a higher priority, and the WAF evaluates those rules before rules that have a higher integer value. After the WAF matches a rule with a request, it applies the corresponding action that the rule defines to the request. After the WAF processes such a match, rules that have lower priorities aren't processed further.
87
89
88
90
A web application that Application Gateway delivers can have a WAF policy associated with it at the global level, at a per-site level, or at a per-URI level.
89
91
90
-
### Rule sets
91
-
92
-
Application Gateway supports multiple rule sets, including CRS 3.2, CRS 3.1, and CRS 3.0. These rules help protect your web applications from malicious activity. For more information, see [Web application firewall DRS and CRS rule groups and rules](application-gateway-crs-rulegroups-rules.md).
93
-
94
92
### Custom rules
95
93
96
94
Application Gateway supports the creation of your own custom rules. Application Gateway evaluates custom rules for each request that passes through the WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. If a request meets a set of conditions, the WAF takes an action to allow or block. For more information on custom rules, see [Custom rules for Application Gateway](custom-waf-rules-overview.md).
97
95
98
96
The `Geomatch` operator is now available for custom rules. For more information, see [Geomatch custom rules](geomatch-custom-rules.md).
99
97
100
-
### Bot Manager Rule Set
98
+
### Rule sets
99
+
100
+
Application Gateway supports multiple rule sets, including CRS 3.2, CRS 3.1, and CRS 3.0. These rules help protect your web applications from malicious activity. For more information, see [Web application firewall DRS and CRS rule groups and rules](application-gateway-crs-rulegroups-rules.md).
101
+
102
+
#### Bot Manager Rule Set
101
103
102
104
You can enable a managed Bot Manager Rule Set to take custom actions on requests from all bot categories.
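Review bot: In the relocated `### Rule sets` section (new line 100), the sentence names only CRS 3.2, CRS 3.1, and CRS 3.0, while its link text reads "Web application firewall DRS and CRS rule groups and rules" and the section now also parents `#### Bot Manager Rule Set`. Consider mentioning DRS in that sentence and titling the section "Managed rule sets" to match the bullet at line 82. The unchanged Custom rules paragraph also says the WAF "takes an action to allow or block", which leaves out the `LOG` action listed at new line 86; aligning the two would avoid readers assuming custom rules cannot log.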
articles/web-application-firewall/ag/application-gateway-waf-faq.yml
8 additions & 8 deletions
@@ -8,7 +8,7 @@ metadata:
8
8
ms.topic: faq
9
9
ms.date: 08/05/2025
10
10
title: Frequently asked questions for Azure Web Application Firewall on Application Gateway
11
-
summary: This article answers common questions about features and functionality for Azure Web Application Firewall on Application Gateway.
11
+
summary: This article answers common questions about features and functionality for Azure Web Application Firewall on Azure Application Gateway.
12
12
13
13
14
14
sections:
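Review bot: The `title:` on line 10 still ends with "on Application Gateway" while the `summary:` on line 11 now says "on Azure Application Gateway". Suggest updating the title in the same change so the two metadata fields use the same product name.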
@@ -27,7 +27,7 @@ sections:
27
27
The WAF tier of Application Gateway supports all the features available in the Standard tier.
28
28
29
29
- question: |
30
-
How do I monitor the Application Gateway WAF?
30
+
How do I monitor the WAF?
31
31
answer: |
32
32
Monitor the WAF through diagnostic logging. For more information, see [Diagnostic logs for Application Gateway](../../application-gateway/application-gateway-diagnostics.md).
33
33
@@ -42,9 +42,9 @@ sections:
42
42
Yes. For more information, see [Customize WAF rules](application-gateway-customize-waf-rules-portal.md).
43
43
44
44
- question: |
45
-
What rules are currently available for the Application Gateway WAF?
45
+
What rules are currently available for the WAF?
46
46
answer: |
47
-
The Application Gateway WAF currently supports Core Rule Set (CRS) [3.2](application-gateway-crs-rulegroups-rules.md#owasp32), [3.1](application-gateway-crs-rulegroups-rules.md#owasp31), and [3.0](application-gateway-crs-rulegroups-rules.md#owasp30). These rules provide baseline security against most of the top 10 vulnerabilities that Open Web Application Security Project (OWASP) identifies:
47
+
The WAF currently supports Core Rule Set (CRS) [3.2](application-gateway-crs-rulegroups-rules.md#owasp32), [3.1](application-gateway-crs-rulegroups-rules.md#owasp31), and [3.0](application-gateway-crs-rulegroups-rules.md#owasp30). These rules provide baseline security against most of the top 10 vulnerabilities that Open Web Application Security Project (OWASP) identifies:
48
48
49
49
* Protection against SQL injection
50
50
* Protection against cross-site scripting
@@ -59,7 +59,7 @@ sections:
59
59
CRS 2.2.9 is no longer supported for new WAF policies. We recommend that you upgrade to the latest CRS version. You can't use CRS 2.2.9 along with CRS 3.2/DRS 2.1 and later versions.
60
60
61
61
- question: |
62
-
What content types does the Application Gateway WAF support?
62
+
What content types does the WAF support?
63
63
answer: |
64
64
The Application Gateway WAF supports the following content types for managed rules:
65
65
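Review bot: The answer on line 64 still opens with "The Application Gateway WAF supports the following content types", while the question on line 62 was shortened to "the WAF". Suggest applying the same shortening to the answer, or leaving both as they were, so the question and answer do not use different names for the same component.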
@@ -76,17 +76,17 @@ sections:
76
76
* `multipart/form-data`
77
77
78
78
- question: |
79
-
Does the Application Gateway WAF support DDoS protection?
79
+
Does the WAF support DDoS protection?
80
80
answer: |
81
81
Yes. You can enable distributed denial-of-service (DDoS) protection on the virtual network where the application gateway is deployed. This setting ensures that the Azure DDoS Protection service also helps protect the application gateway's virtual IP (VIP).
82
82
83
83
- question: |
84
-
Does the Application Gateway WAF store customer data?
84
+
Does the WAF store customer data?
85
85
answer: |
86
86
No, the WAF doesn't store customer data.
87
87
88
88
- question: |
89
-
How does the Application Gateway WAF work with WebSocket?
89
+
How does the WAF work with WebSocket?
90
90
answer: |
91
91
Azure Application Gateway natively supports WebSocket. WebSocket on the Application Gateway WAF doesn't require any extra configuration to work. However, the WAF doesn't inspect the WebSocket traffic. After the initial handshake between client and server, the data exchange between client and server can be of any format (for example, binary or encrypted). So the WAF can't always parse the data. It just acts as a pass-through proxy for the data.
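Review bot: With the question on line 79 shortened to "Does the WAF support DDoS protection?", the answer "Yes." reads as if the WAF itself provides DDoS mitigation, but the answer text says the protection comes from enabling Azure DDoS Protection on the virtual network where the application gateway is deployed. Suggest rewording the question or the first sentence of the answer to make clear which service does the work. The WebSocket answer on line 91 also still says "the Application Gateway WAF", which is inconsistent with the shortened question on line 89.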
articles/web-application-firewall/ag/waf-application-gateway-for-containers-overview.md
2 additions & 2 deletions
@@ -23,7 +23,7 @@ Azure Web Application Firewall provides real-time protection for these applicati
23
23
24
24
## Configuration
25
25
26
-
To use Azure Web Application Firewall on your Application Gateway for Containers deployment, you need to attach your [WAF policy](create-waf-policy-ag.md) via a `SecurityPolicy` resource. This new Azure Resource Manager child resource is part of the Application Gateway for Containers integration. Your Application Load Balancer (ALB) Controller references it. It helps define the scope of how your WAF policy is applied to your application's traffic.
26
+
To use Azure Web Application Firewall on your Application Gateway for Containers deployment, you need to attach your [WAF policy](create-waf-policy-ag.md) via a `SecurityPolicy` resource. This new Azure Resource Manager child resource is part of the Application Gateway for Containers integration. It's referenced by your Application Load Balancer (ALB) Controller and helps define the scope of how your WAF policy is applied to your application's traffic.
27
27
28
28
Application Gateway for Containers also introduces a new resource called `WebApplicationFirewallPolicy`. This custom resource defines at which point the WAF policy is applied. You can configure it at the listener or route path level, via your Kubernetes resource's YAML file.
29
29
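Review bot: The merged sentence on line 26, "It's referenced by your Application Load Balancer (ALB) Controller and helps define the scope...", replaces two active-voice sentences with a passive one, and "It" can now be read as either the `SecurityPolicy` resource or the integration named just before it. Suggest keeping the active form or naming the subject, for example "Your ALB Controller references the `SecurityPolicy` resource, which helps define the scope...".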
@@ -61,7 +61,7 @@ The following functionality isn't supported on a WAF policy that's associated wi
61
61
Azure Web Application Firewall usage is billed separately from Application Gateway for Containers usage. When you enable Azure Web Application Firewall on your Application Gateway for Containers resource, two WAF-specific meters are added to your bill:
62
62
63
63
- **1 AGC WAF Hour**: A fixed cost charged for the duration that a security policy references a WAF policy.
64
-
- **1M WAF Requests**: A consumption-based meter that bills per 1 million requests processed by the WAF and charges for each enabled rule set. For example, if you enable both the Default Rule Set (DRS) and the Bot Manager Rule Set, you're billed for two rule sets.
64
+
- **1M WAF Requests**: A consumption-based meter that bills per 1 million requests processed by the WAF and charges for each enabled rule set. For example, if you enable both the DRS and the Bot Manager Rule Set, you're billed for two rule sets.
65
65
66
66
For more pricing information, see [Application Gateway pricing](https://azure.microsoft.com/pricing/details/application-gateway) and [Azure Web Application Firewall pricing](https://azure.microsoft.com/pricing/details/web-application-firewall).
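Review bot: The **1M WAF Requests** bullet on line 64 now uses "DRS" without the expansion "Default Rule Set (DRS)" that the old line carried. Nothing in this hunk shows the acronym being defined earlier in the file, so please confirm it is introduced before the billing section; otherwise keep the expanded form here.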
articles/web-application-firewall/cdn/cdn-overview.md
12 additions & 8 deletions
@@ -15,11 +15,13 @@ ms.date: 10/16/2023
15
15
An Azure Web Application Firewall deployment on Azure Content Delivery Network provides centralized protection for your web content. Azure Web Application Firewall defends your web services against common exploits and vulnerabilities. It helps keep your service highly available for your users and helps you meet compliance requirements.
16
16
17
17
> [!IMPORTANT]
18
-
> The preview of Azure Web Application Firewall on Azure Content Delivery Network is no longer accepting new customers. We encourage customers to use [Azure Web Application Firewall on Azure Front Door](../afds/afds-overview.md) instead. We provide existing customers with a preview service-level agreement. Certain features might not be supported or might have constrained capabilities. For details, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
18
+
> The preview of Azure Web Application Firewall on Azure Content Delivery Network is no longer accepting new customers. We encourage customers to use [Azure Web Application Firewall on Azure Front Door](../afds/afds-overview.md) instead.
19
+
>
20
+
> We provide existing customers with a preview service-level agreement. Certain features might not be supported or might have constrained capabilities. For details, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
19
21
20
22
Azure Web Application Firewall on Azure Content Delivery Network is a global and centralized solution. It's deployed on Azure network edge locations around the globe. Azure Web Application Firewall stops malicious attacks close to the attack sources, before they reach your origin. You get global protection at scale without sacrificing performance.
21
23
22
-
A web application firewall (WAF) policy easily links to any content delivery network (CDN) endpoint in your subscription. You can deploy new rules within minutes, so you can respond quickly to changing threat patterns.
24
+
A web application firewall (WAF) policy links to any content delivery network (CDN) endpoint in your subscription. You can deploy new rules within minutes, so you can respond quickly to changing threat patterns.
23
25
24
26

25
27
@@ -30,7 +32,9 @@ You can configure a WAF policy and associate that policy with one or more CDN en
30
32
-**Custom rules**: Rules that you can create yourself.
31
33
-**Managed rule sets**: Azure-managed preconfigured rules that you can enable.
32
34
33
-
When both are present, the WAF processes custom rules before processing the rules in a managed rule set. A rule consists of a match condition, a priority, and an action. Supported action types are `ALLOW`, `BLOCK`, `LOG`, and `REDIRECT`. You can create a fully customized policy that meets your specific requirements for application protection by combining managed and custom rules.
35
+
When both are present, the WAF processes custom rules before processing the rules in a managed rule set.
36
+
37
+
A rule consists of a match condition, a priority, and an action. Supported action types are `ALLOW`, `BLOCK`, `LOG`, and `REDIRECT`. You can create a fully customized policy that meets your specific requirements for application protection by combining managed and custom rules.
34
38
35
39
The WAF processes rules within a policy in a priority order. Priority is a unique integer that defines the order of rules to process. Smaller numbers are a higher priority, and the WAF evaluates those rules before rules that have a larger value. After the WAF matches a rule with a request, it applies the corresponding action that the rule defines to the request. After the WAF processes such a match, rules that have lower priorities aren't processed further.
36
40
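Review bot: The unchanged paragraph on line 39 says that after a match "rules that have lower priorities aren't processed further", but the new paragraph on line 37 lists `LOG` as a supported action, and the action list later in this file says that for `LOG` "The WAF continues to evaluate lower-priority rules". Since this change already touches the surrounding text, suggest qualifying line 39 so it does not contradict the `LOG` behavior; readers relying on it could misjudge which rules a logged request still reaches.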
@@ -78,7 +82,7 @@ Azure-managed rule sets provide a way to deploy protection against a common set
78
82
79
83
The version number of the Default Rule Set increments when new attack signatures are added to the rule set.
80
84
81
-
The Default Rule Set is enabled by default in *detection* mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions (`ALLOW`, `BLOCK`, `REDIRECT`, and `LOG`) per rule. The default action for the managed Default Rule Set is `BLOCK`.
85
+
The Default Rule Set is enabled by default in *detection* mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions (`ALLOW`, `BLOCK`, `LOG`, and `REDIRECT`) per rule. The default action for the managed Default Rule Set is `BLOCK`.
82
86
83
87
Custom rules are always applied before the WAF evaluates the rules in the Default Rule Set. If a request matches a custom rule, the WAF applies the corresponding rule action. The request is either blocked or passed through to the back end. No other custom rules or rules in the Default Rule Set are processed. You can also remove the Default Rule Set from your WAF policies.
84
88
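Review bot: Line 85 states both that the Default Rule Set is enabled "in *detection* mode" by default and that its default action is `BLOCK`, without saying how the two interact. Suggest adding a clause that explains what `BLOCK` means while the policy is in detection mode, so a reader does not assume a new policy blocks traffic out of the box. The context sentence on line 87, "The request is either blocked or passed through to the back end", also omits the `LOG` and `REDIRECT` actions that line 85 lists.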
@@ -93,10 +97,10 @@ You can configure a WAF policy to run in the following two modes:
93
97
94
98
You can choose one of the following actions when a request matches a rule's conditions:
95
99
96
-
-**Allow**: The request passes through the WAF and is forwarded to the back end. No further lower-priority rules can block this request.
97
-
-**Block**: The request is blocked. The WAF sends a response to the client without forwarding the request to the back end.
98
-
-**Log**: The request is logged in the WAF logs. The WAF continues to evaluate lower-priority rules.
99
-
-**Redirect**: The WAF redirects the request to the specified URI. The specified URI is a policy-level setting. After you configure the setting, all requests that match the **Redirect** action are sent to that URI.
100
+
-`ALLOW`: The request passes through the WAF and is forwarded to the back end. No further lower-priority rules can block this request.
101
+
-`BLOCK`: The request is blocked. The WAF sends a response to the client without forwarding the request to the back end.
102
+
-`LOG`: The request is logged in the WAF logs. The WAF continues to evaluate lower-priority rules.
103
+
-`REDIRECT`: The WAF redirects the request to the specified URI. The specified URI is a policy-level setting. After you configure the setting, all requests that match the `REDIRECT` action are sent to that URI.
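Review bot: The `REDIRECT` item on line 103 says the target URI "is a policy-level setting" but does not name the setting or say what happens to a matching request when it is not configured. Suggest naming the setting or linking to where it is set, since the other three actions are fully described in place.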
articles/web-application-firewall/overview.md
6 additions & 6 deletions
@@ -34,12 +34,12 @@ Azure Web Application Firewall can be deployed with these Microsoft services:
34
34
- Azure Front Door
35
35
- Azure Content Delivery Network
36
36
37
-
Azure Web Application Firewall on Azure Content Delivery Network and Application Gateway for Containers are currently in public preview. Azure Web Application Firewall has features that are customized for each specific service.
37
+
Azure Web Application Firewall on Azure Content Delivery Network and Azure Web Application Firewall on Application Gateway for Containers are currently in preview. Azure Web Application Firewall has features that are customized for each specific service.
38
38
39
39
## Related content
40
40
41
-
-For more information about Azure Web Application Firewall on Application Gateway, see [What is Azure Web Application Firewall on Azure Application Gateway?](./ag/ag-overview.md).
42
-
-For more information about Web Application Firewall on Azure Front Door, see [Azure Web Application Firewall on Azure Front Door](./afds/afds-overview.md).
43
-
-For more information about Web Application Firewall on Content Delivery Network, see [Azure Web Application Firewall on Azure Content Delivery Network from Microsoft](./cdn/cdn-overview.md).
44
-
-To learn more about Azure Web Application Firewall, see the training module [Introduction to Azure Web Application Firewall](/training/modules/introduction-azure-web-application-firewall/).
45
-
-To learn more about Azure network security, see the [Azure network security documentation](../networking/security/index.yml).
41
+
-[What is Azure Web Application Firewall on Azure Application Gateway?](./ag/ag-overview.md)
42
+
-[Azure Web Application Firewall on Azure Front Door](./afds/afds-overview.md)
43
+
-[Azure Web Application Firewall on Azure Content Delivery Network](./cdn/cdn-overview.md)
44
+
-[Introduction to Azure Web Application Firewall](/training/modules/introduction-azure-web-application-firewall/) (training module)
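Review bot: The rewritten Related content list drops the [Azure network security documentation](../networking/security/index.yml) entry (old line 45) with no replacement; if that is intentional, please say so in the commit description, otherwise restore it as a fifth link. Also, line 37 describes Azure Web Application Firewall on Azure Content Delivery Network as "currently in preview", while cdn-overview.md in this same commit says that preview "is no longer accepting new customers"; consider carrying that qualifier here.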