Azure Application Gateway WAF Rules Evaluation

In this short article I will give an example of how the "Azure Application Gateway" evaluates the "WAF Custom Rules" and the "Managed Rules" of a WAF policy, and in which order.

Note:
If you are not yet familiar with Application Gateway WAF v2 and Custom Rules, I recommend reading my blog post Application Gateway WAF v2 Custom Rules first.

Initial situation with the Azure Application Gateway

In this example there is an Azure Application Gateway "AppGW" of tier WAF v2 with an attached "Backend Pool". Its "WAF Policy" contains the preconfigured "Managed Rules" and, in addition, three "Custom Rules": "Custom Rule 01", "Custom Rule 02" and "Custom Rule 03". The specific configuration of these rules (match conditions, actions) is not relevant for illustrating the evaluation order, so I will not go into it further.

WAF Rules Evaluation

The evaluation of the rules is shown in the following diagram as simply and clearly as possible; it contains all the components mentioned in the initial situation.

Evaluation process of WAF Policy including Custom Rules.

WAF Rule Evaluation Process

  1. The network traffic arrives at the Azure Application Gateway and is received by the corresponding listener.
  2. The Application Gateway checks the request against the "WAF Policy" configured for it.
  3. "Custom Rules" are evaluated first. The WAF starts with the rule that has the lowest priority value, in our case "Custom Rule 01" with priority 10. The order in which the rules were created or appear in the portal does not matter, only the priority value does. Tip: think of the priority value as a cost. The rule with the lowest cost is evaluated first.
  4. The WAF evaluates the rule "Custom Rule 01".
    • If the rule matches (True), the WAF applies its action and does not evaluate any further rules. Continue with point 8.
    • If the rule does not match (False), the WAF moves on to the rule with the next higher priority value / cost. Continue with point 5.
  5. The WAF evaluates the rule "Custom Rule 02".
    • If the rule matches (True), the WAF applies its action and does not evaluate any further rules. Continue with point 8.
    • If the rule does not match (False), the WAF moves on to the rule with the next higher priority value / cost. Continue with point 6.
  6. The WAF evaluates the rule "Custom Rule 03".
    • If the rule matches (True), the WAF applies its action and does not evaluate any further rules. Continue with point 8.
    • If the rule does not match (False), the WAF moves on to the rule with the next higher priority value / cost. Continue with point 7.
  7. Since all "Custom Rules" have now been evaluated and none of them matched (all False), the standard "Managed Rules" (the Microsoft-managed OWASP rule set) now come into play and decide whether the request is allowed or blocked.
  8. Every rule has an action that is executed when the rule matches. In this article the action either allows or denies the network traffic.
    • If the action allows the network traffic (Allow Traffic), the WAF policy reports this to the Azure Application Gateway. The gateway then forwards the request to the backend pool. Note that an Allow in a custom rule ends the evaluation, so the "Managed Rules" are not applied to that request at all; a too broad Allow rule (for example on a large IP range) therefore switches the managed protection off for everything that matches it.
    • If the action denies the network traffic (Deny Traffic / Block), the request is blocked by the Application Gateway and never reaches the backend pool.
    • Caveat: custom rules can also have the action Log. A Log rule only records the match and lets evaluation continue with the remaining custom rules and, if none of them matches, the managed rules; it does not end the evaluation the way Allow and Block do.
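To make the evaluation order above concrete, here is an added example (written for this article, not code from Azure or from the original post) that models a WAF policy with the three custom rules of the initial situation plus one Log rule, and walks constructed requests through it. The rule contents (a denylisted IP range, a trusted IP range, a User-Agent check) and the tiny stand-in for the managed rule set are assumptions for the demonstration; the real managed rules are the full OWASP Core Rule Set with anomaly scoring. The rules are deliberately listed out of priority order to show that only the priority value determines the evaluation sequence.

```python
"""Added example: a small model of how an Application Gateway WAF v2 policy
walks its custom rules by priority before falling back to the managed rule set.
Illustrative code only, not Azure's implementation; all rules, addresses and
requests below are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

Request = dict  # constructed stand-in for an HTTP request: client_ip, path, query, headers


@dataclass
class CustomRule:
    name: str
    priority: int                       # lower value is evaluated first
    action: str                         # "Allow", "Block" or "Log"
    matches: Callable[[Request], bool]  # the rule's match condition(s)


@dataclass
class Decision:
    action: str                                  # final verdict: "Allow" or "Block"
    decided_by: str                              # custom rule name, or "ManagedRules"
    logged: list = field(default_factory=list)   # Log-action rules that fired on the way


def in_cidr(cidr: str) -> Callable[[Request], bool]:
    """Equivalent of a RemoteAddr / IPMatch match condition."""
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r["client_ip"]) in net


def looks_like_sqli(r: Request) -> bool:
    """Constructed stand-in for the managed (OWASP CRS) rule set: True means 'block'.
    The real rule set is far larger and uses anomaly scoring; this is only a marker."""
    return "' or 1=1" in r["query"].lower()


def evaluate(rules, request, managed_rules=looks_like_sqli) -> Decision:
    """Points 3 to 8 of the article: custom rules in ascending priority, the first
    matching Allow/Block wins; if none matches, the managed rules decide."""
    logged = []
    for rule in sorted(rules, key=lambda x: x.priority):   # priority order, not list order
        if not rule.matches(request):
            continue
        if rule.action == "Log":                             # Log records the hit and continues
            logged.append(rule.name)
            continue
        return Decision(rule.action, rule.name, logged)     # Allow or Block ends evaluation
    verdict = "Block" if managed_rules(request) else "Allow"
    return Decision(verdict, "ManagedRules", logged)


# The three custom rules of the article plus a Log rule, deliberately out of priority order.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as assumed values.
POLICY = [
    CustomRule("Custom Rule 03", 30, "Block",
               lambda r: "sqlmap" in r["headers"].get("User-Agent", "").lower()),
    CustomRule("Custom Rule 01", 10, "Block", in_cidr("203.0.113.0/24")),   # assumed denylist
    CustomRule("Custom Rule 02", 20, "Allow", in_cidr("198.51.100.0/24")),  # assumed trusted range
    CustomRule("Log Debug", 5, "Log", lambda r: "X-Debug" in r["headers"]),
]


def req(client_ip, query="", ua="Mozilla/5.0", extra=None) -> Request:
    """Build a constructed request for the demonstration."""
    headers = {"User-Agent": ua}
    headers.update(extra or {})
    return {"client_ip": client_ip, "path": "/", "query": query, "headers": headers}


if __name__ == "__main__":
    for r in [
        req("203.0.113.7"),                                  # Custom Rule 01 blocks
        req("198.51.100.5", query="id=1' OR 1=1--"),        # Custom Rule 02 allows; managed rules never run
        req("192.0.2.9", query="id=1' OR 1=1--"),           # no custom rule matches; managed rules block
        req("192.0.2.9", ua="sqlmap/1.5", extra={"X-Debug": "1"}),  # Log fires, then Custom Rule 03 blocks
        req("192.0.2.9"),                                    # nothing matches; allowed to the backend
    ]:
        d = evaluate(POLICY, r)
        print(f"{r['client_ip']:<14} -> {d.action:<5} by {d.decided_by} (logged: {d.logged})")
```

The second request is the one worth studying: it carries an obvious injection payload, but because the trusted-range Allow rule has a lower priority value than anything that would block it, the request is handed to the backend without the managed rules ever seeing it. That is exactly the behaviour of point 4 and point 8 above, and the reason Allow rules in a WAF policy should be as narrow as possible.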

Sources:

https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020?WT.mc_id=AZ-MVP-5004129

https://www.graber.cloud/application-gateway-waf-v2-custom-rules/
