fix for recent updates

Author: ceperezb

learn-pr/wwl-sci/design-solutions-secure-applications/includes/10-summary.md

@@ -6,7 +6,8 @@ You've learned how to:
 -   Design and implement standards and practices for securing the application development process
 -   Design a solution for workload identity to authenticate and access Azure cloud resources
 -   Design a solution for API management and security
--   Design a solution for secure access to applications
+-   Design solutions that secure applications by using Azure Web Application Firewall (WAF)
+-   Map technologies to application security requirements
 
 ## Learn more
 

learn-pr/wwl-sci/design-solutions-secure-applications/includes/8-design-solution-secure-access-applications.md

@@ -12,8 +12,10 @@ Azure WAF can be deployed with the following services:
 
 - **Azure Application Gateway:** a layer 7 load balancer for regional traffic.
 - **Azure Front Door:** a global content delivery and application acceleration service.
-- **Azure Application Gateway for Containers:** an application gateway that manages traffic to containerized workloads.
-- **Azure Content Delivery Network (CDN):** Content Delivery Network from Azure.
+- **Azure Application Gateway for Containers:** an application gateway that manages traffic to containerized workloads. WAF support for Application Gateway for Containers uses the DRS 2.1 managed rule set only and has some feature limitations compared to Application Gateway WAF.
+
+> [!NOTE]
+> WAF on Azure Content Delivery Network (CDN) is no longer accepting new customers. Use WAF on Azure Front Door for new deployments requiring global edge protection.
 
 Each deployment option shares the same core WAF engine but offers service-specific capabilities that influence your architectural decisions.
 
@@ -40,15 +42,17 @@ Azure Front Door is a global service that accelerates application delivery and p
 Key considerations for Front Door WAF vs. Application Gateway WAF:
 
 - **Global vs. regional.** Front Door WAF operates at the edge, providing protection close to the source of traffic. Application Gateway WAF operates regionally, in the Azure region where your application runs. For globally distributed applications, Front Door WAF provides lower-latency protection. For regional applications, Application Gateway WAF provides greater integration with virtual network architectures.
-- **DDoS protection.** Azure Front Door includes built-in DDoS layer 3 and 4 protection. Combined with WAF's layer 7 protection, this provides defense-in-depth against volumetric and application-layer attacks.
+- **DDoS protection.** Azure Front Door includes built-in platform-level DDoS protection at network layers 3 and 4. Combined with WAF's layer 7 protection, this provides defense-in-depth against volumetric and application-layer attacks. For origin servers with public IPs, also enable Azure DDoS Protection to guard against attacks that bypass the edge.
 - **Rate limiting.** Front Door WAF supports rate limiting rules that restrict the number of requests from a single source within a time window. This protects against brute force attacks and API abuse.
 - **Geo-filtering.** Block or allow traffic from specific countries/regions. This reduces attack surface for applications that only serve specific geographic markets.
 
-Front Door WAF policies combine custom rules and Azure-managed rule sets, processed in this order:
+> [!IMPORTANT]
+> Managed rule sets are supported only on Azure Front Door Premium and Azure Front Door (classic). Front Door Standard supports custom rules only.
+
+Front Door WAF policies combine custom rules and managed rule sets, processed in this order:
 
-1. **Custom rules:** organization-specific allow or block logic, such as geo-filtering or IP restrictions. Custom rules act immediately on match.
-2. **Managed rule sets:** Azure-managed protection against common vulnerabilities, using the Default Rule Set (DRS). For managed rules, you choose between **anomaly scoring** (rule matches accumulate a score, and the request is blocked only when the total exceeds a threshold) or **per-rule blocking** (each rule match triggers immediate action). Anomaly scoring reduces false positives for complex applications where legitimate requests may trigger a single rule but not multiple rules. Per-rule blocking provides stricter enforcement but requires more tuning. Choose based on your organization's tolerance for false positives versus the sensitivity of the application.
-3. **Default rules:** catch-all rules for traffic not matching other rules.
+1. **Custom rules:** organization-specific allow or block logic, such as geo-filtering or IP restrictions. Custom rules act immediately on match — if a request matches a custom rule, no further rules are evaluated.
+2. **Managed rule sets:** Azure-managed protection against common vulnerabilities, using the Default Rule Set (DRS). DRS versions 2.0 and later use **anomaly scoring**, where rule matches accumulate a severity-based score and the request is blocked only when the total exceeds a threshold. This reduces false positives for complex applications where a legitimate request might trigger a single low-severity rule. Earlier DRS versions (before 2.0) use per-rule blocking, where each rule match triggers immediate action.
 
 Because custom rules are evaluated first, you can define organization-specific logic without disabling baseline protections in the managed rule sets. This layered approach lets you tailor protection to your application's requirements while maintaining the Azure-managed baseline.
 

learn-pr/wwl-sci/design-solutions-secure-applications/includes/8a-map-technologies-application-security-requirements.md

@@ -25,6 +25,7 @@ Application security requirements generally fall into these categories. For each
 | Isolate APIs from public internet | API Management with virtual network integration (internal mode), private endpoints |
 | Rate limit API calls to prevent abuse | Azure API Management policies, Azure Front Door rate limiting |
 | Block traffic from unauthorized geographies | Azure WAF geo-filtering, Azure Front Door rules |
+| Protect against volumetric and protocol DDoS attacks | Azure DDoS Protection (complements WAF layer 7 protection for origin IP addresses on virtual networks) |
 
 ### Data protection
 
@@ -40,7 +41,8 @@ Application security requirements generally fall into these categories. For each
 | Requirement | Azure technologies |
 |---|---|
 | Static code analysis for vulnerabilities | GitHub CodeQL, Microsoft Security DevOps Extension for static application security testing (SAST) |
-| Dynamic application testing in runtime | Dynamic application security testing (DAST) in staging environments, Microsoft Defender for Containers |
+| Dynamic application testing | Dynamic application security testing (DAST) tools in staging environments |
+| Container runtime protection and vulnerability scanning | Microsoft Defender for Containers (runtime threat detection, image vulnerability assessment, supply chain protection) |
 | Software supply chain security | GitHub Dependabot, Azure Artifacts, software bill of materials (SBOM) generation |
 | Secret scanning and push protection | GitHub Advanced Security secret scanning |
 | Infrastructure-as-code security validation | Checkov, Terrascan, Template Analyzer via Security DevOps Extension |
@@ -50,7 +52,7 @@ Application security requirements generally fall into these categories. For each
 
 | Requirement | Azure technologies |
 |---|---|
-| Application-layer threat detection | Microsoft Defender for App Service, Defender for Containers, Defender for APIs |
+| Application-layer threat detection | Microsoft Defender for App Service, Defender for Containers, Defender for APIs, Defender for Key Vault |
 | Security posture assessment and scoring | Microsoft Defender for Cloud with cloud security posture management (CSPM), Secure Score |
 | Attack path identification | Defender CSPM attack path analysis |
 | DevOps security monitoring | Azure DevOps Audit Streaming to Microsoft Sentinel |
@@ -88,7 +90,7 @@ An internal API platform serving other line-of-business applications focuses on
 
 A Kubernetes-hosted microservices architecture requires supply chain and runtime security:
 
-- Azure Container Registry with vulnerability scanning and quarantine
+- Azure Container Registry with vulnerability scanning and quarantine (preview)
 - Microsoft Defender for Containers for runtime protection
 - Workload identity federation for pod-to-Azure-resource authentication
 - Network policies for inter-service segmentation