Web Application Firewall (WAF) Configuration Examples in Major Cloud Platforms
Introduction
Modern WAF deployments are predominantly cloud-delivered and tightly integrated with load balancers, CDNs, and edge networks. Cloud providers offer managed WAF services with prebuilt rule sets, bot mitigation, and DDoS protections.
This page provides practical configuration examples for:
- AWS WAF
- Microsoft Azure WAF
- Cloudflare WAF
AWS WAF Configuration Example
Deployment Architecture
AWS WAF is typically attached to:
- Amazon CloudFront (global CDN)
- Application Load Balancer (ALB)
- API Gateway
Example 1: Enable AWS Managed OWASP Rule Set (Console)
Steps:
- Go to AWS WAF & Shield
- Create a Web ACL
- Choose Regional or CloudFront scope
- Add managed rule groups
- Associate with ALB or CloudFront distribution
Recommended Managed Rule Groups:
- AWSManagedRulesCommonRuleSet
- AWSManagedRulesSQLiRuleSet
- AWSManagedRulesKnownBadInputsRuleSet
- AWSManagedRulesBotControlRuleSet
Example 2: Custom Rate Limiting Rule (Terraform)
```hcl
resource "aws_wafv2_web_acl" "example" {
  name        = "example-waf"
  scope       = "REGIONAL"
  description = "Rate limit login attempts"

  # Required: requests that match no rule are allowed; the rule below decides the rest.
  default_action {
    allow {}
  }

  rule {
    name     = "RateLimitLogin"
    priority = 1

    statement {
      rate_based_statement {
        # Requests per client IP within the default 5-minute evaluation window.
        limit              = 100
        aggregate_key_type = "IP"

        # Only requests whose path contains /login count toward the limit.
        scope_down_statement {
          byte_match_statement {
            field_to_match {
              uri_path {}
            }
            positional_constraint = "CONTAINS"
            search_string         = "/login"
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }
      }
    }

    action {
      block {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimitLogin"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "exampleWAF"
    sampled_requests_enabled   = true
  }
}
```
Microsoft Azure WAF Configuration Example
Deployment Architecture
Azure WAF integrates with:
- Azure Application Gateway
- Azure Front Door
- Azure CDN
Example 1: Enable OWASP Core Rule Set (CRS)
Steps:
- Create Application Gateway
- Enable WAF tier
- Select OWASP rule set version (3.2 or newer)
- Choose Prevention mode
Key Settings:
- Detection mode (log only)
- Prevention mode (block traffic)
Example 2: Custom Rule to Block Country or IP
```json
{
  "name": "BlockSuspiciousIP",
  "priority": 100,
  "ruleType": "MatchRule",
  "matchConditions": [
    {
      "matchVariables": [
        { "variableName": "RemoteAddr" }
      ],
      "operator": "IPMatch",
      "matchValues": ["203.0.113.0/24"],
      "negationCondition": false
    }
  ],
  "action": "Block"
}
```
Example 3: Rate Limiting Login Endpoint (Azure Front Door)
```json
{
  "name": "RateLimitLogin",
  "priority": 1,
  "enabledState": "Enabled",
  "ruleType": "RateLimitRule",
  "rateLimitDurationInMinutes": 1,
  "rateLimitThreshold": 100,
  "matchConditions": [
    {
      "matchVariable": "RequestUri",
      "operator": "Contains",
      "negateCondition": false,
      "matchValue": ["/login"]
    }
  ],
  "action": "Block"
}
```
Cloudflare WAF Configuration Example
Deployment Architecture
Cloudflare WAF runs at the edge CDN, protecting traffic before it reaches your origin server.
Example 1: Enable Managed OWASP Rules
Steps:
- Security → WAF → Managed Rules
- Enable OWASP ModSecurity Core Rule Set
- Enable Cloudflare Managed Ruleset
- Enable Bot Management
Example 2: Custom Firewall Rule to Block SQL Injection Patterns
Cloudflare expression syntax example:
```
(http.request.uri.query contains "union select") or
(http.request.uri.query contains "' or '1'='1")
```
Action: Block
Example 3: Rate Limiting Login Attempts
Cloudflare Rate Limiting Rule:
If requests to /login exceed 100 per minute per IP then Block for 10 minutes
Configuration fields:
- Path: /login
- Threshold: 100 requests
- Period: 60 seconds
- Mitigation: Block
Comparison of Cloud WAF Configuration Models
| Feature | AWS WAF | Azure WAF | Cloudflare WAF |
|---|---|---|---|
| Managed OWASP Rules | Yes | Yes | Yes |
| Custom Rules | Yes | Yes | Yes |
| Rate Limiting | Yes | Yes | Yes |
| Bot Protection | Yes (Shield Advanced) | Limited | Strong |
| DDoS Protection | AWS Shield | Azure DDoS Protection | Built-in |
| Terraform Support | Excellent | Good | Good |
| Edge-Based Protection | CloudFront | Front Door | Native |
Real-World Security Engineer Use Cases
1. Virtual Patching Zero-Day Vulnerabilities
Security engineers deploy temporary WAF rules to block exploit patterns while waiting for application patches.
2. Credential Stuffing Mitigation
Rate limiting and bot detection are configured on login and API authentication endpoints.
3. Regulatory Compliance
PCI DSS environments use WAFs as compensating controls for legacy systems.
4. SOC Telemetry
WAF logs are forwarded to SIEM platforms such as Splunk to detect:
- OWASP Top 10 exploitation attempts
- Reconnaissance scanning
- Automated bot campaigns
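The SOC telemetry use case above, as an added Python example that is not code from the page, AWS or Splunk: a small triage over constructed WAF log records that uses AWS WAF's JSON log field names and the rule names configured earlier on this page, counting blocks per rule and flagging repeat rate-limit offenders (credential stuffing) and IPs touching many distinct paths (scanning). The thresholds and client IPs are constructed.

```python
"""Triage of WAF logs the way a SIEM detection would (added example; not code
from the page, AWS or Splunk). The records are constructed but use AWS WAF's
JSON log field names (action, terminatingRuleId, httpRequest.clientIp/uri);
the rule names are the ones configured earlier on this page."""
import json
from collections import Counter, defaultdict

# Constructed log, one JSON record per line; ALLOW lines matter for scanning too.
SAMPLE_LOG = "\n".join(json.dumps({
    "timestamp": 1700000000000 + i * 500, "action": act, "terminatingRuleId": rule,
    "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": "GET"}})
    for i, (act, rule, ip, uri) in enumerate([
        ("ALLOW", "Default_Action", "192.0.2.10", "/index.html"),
        ("ALLOW", "Default_Action", "192.0.2.10", "/login"),
        ("BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "198.51.100.7", "/search"),
        ("BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "198.51.100.7", "/products"),
        ("ALLOW", "Default_Action", "198.51.100.7", "/admin"),
        ("ALLOW", "Default_Action", "198.51.100.7", "/wp-login.php"),
        ("BLOCK", "AWS-AWSManagedRulesKnownBadInputsRuleSet", "198.51.100.7", "/.git/config"),
        ("BLOCK", "RateLimitLogin", "203.0.113.5", "/login"),
        ("BLOCK", "RateLimitLogin", "203.0.113.5", "/login"),
        ("BLOCK", "RateLimitLogin", "203.0.113.5", "/login"),
    ]))


def parse(log_text):
    """Yield (action, rule, ip, uri) per JSON line; malformed lines are skipped."""
    for line in log_text.splitlines():
        try:
            r = json.loads(line)
            yield r["action"], r["terminatingRuleId"], r["httpRequest"]["clientIp"], r["httpRequest"]["uri"]
        except (ValueError, KeyError):
            continue


def triage(log_text, stuffing_min=3, scan_min_uris=4):
    """Count blocks per rule; flag repeat rate-limit offenders and path scanners."""
    blocks, rate_hits, uris = Counter(), Counter(), defaultdict(set)
    for action, rule, ip, uri in parse(log_text):
        uris[ip].add(uri)
        if action == "BLOCK":
            blocks[rule] += 1
            if rule == "RateLimitLogin":        # the page's login rate-limit rule
                rate_hits[ip] += 1
    return {
        "blocks_by_rule": dict(blocks),
        "credential_stuffing": sorted(ip for ip, n in rate_hits.items() if n >= stuffing_min),
        "scanning": sorted(ip for ip, s in uris.items() if len(s) >= scan_min_uris),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```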
Common Configuration Mistakes
- Leaving WAF in Detection mode in production
- Enabling OWASP rules without tuning false positives
- Not terminating TLS at the WAF
- Not integrating logs into SIEM
- No rate limiting on authentication endpoints
Interview Talking Points
- Cloud WAFs are integrated with CDNs and load balancers
- Managed rule sets provide baseline OWASP Top 10 protection
- Custom rules mitigate business-specific threats
- Terraform enables Infrastructure as Code for security controls
- WAF logs feed SOC detection pipelines
- Detection mode should be used for tuning, Prevention for production
Summary
Cloud WAFs are a critical control in modern architectures. They provide application-layer protection that traditional firewalls cannot, integrate tightly with cloud-native services, and form part of a defence-in-depth strategy alongside EDR, IAM, and SIEM.