Azure Web Application Firewall (WAF) is a cloud-based security solution designed to protect web applications hosted on Azure from common web attacks like SQL injection, cross-site scripting (XSS), request smuggling, local and remote file inclusion, and many others. It uses rules, exclusion lists, and policies to filter out malicious requests. It has a managed default ruleset but also allows you to create custom rules. The Azure WAF is easy to deploy and can protect multiple web applications simultaneously without changing their topography.
Furthermore, Azure WAF is available in 19 regions (including Azure government) and can be paid for in 16 currencies. Its pricing depends on many factors, including integration with the application gateway, data processing, transfer regions, and currency.
Read on to find out more.
Azure WAF Pricing with Application Gateway
Azure WAF is used with the Azure Application Gateway to provide enhanced security and performance for web applications deployed in Azure. The Application Gateway functions as a load balancer and provides advanced routing capabilities, such as URL-based routing and SSL termination. In contrast, the WAF provides additional protection against common web-based attacks.
By using the Application Gateway and WAF together, organizations can improve their web applications' availability and scalability while ensuring that they are protected against known and emerging threats. The Application Gateway also provides real-time monitoring and analytics, allowing organizations to identify and address issues with their web applications quickly. Overall, the combination of the Application Gateway and WAF provides a powerful and comprehensive solution for securing and optimizing web applications in Azure.
Azure Application Gateway V1: This is the first version of Azure Application Gateway, which provides basic load-balancing features and is suitable for small to medium-sized applications. It supports round-robin load balancing and SSL offloading but lacks advanced features, such as autoscaling and support for static IPs and zone redundancy. The Azure Application Gateway V1 is divided into three types: small, medium, and large. Cost: Note that you cannot use Azure WAF with Application Gateway V1. But it's available for Application Gateway Medium (at $0.126 per gateway hour) and Large (at $0.448 per gateway hour).
Azure Application Gateway V2: The Azure Application Gateway V2 provides an advanced web traffic management and security solution with WAF. The gateway offers improved performance, availability, and scalability with support for autoscaling, zone redundancy, and static IP. The gateway also enables faster provisioning and configuration updates, header rewrites, and WAF custom rules. Adding a WAF layer to the application gateway enhances security by providing an additional layer of protection against common web attacks. Overall, the Application Gateway V2 is a powerful tool for managing and securing web traffic in Azure. The WAF functionality ensures that your workloads are also managed securely. Cost: To use the Azure WAF with Application Gateway V2, you must pay a fixed price of $0.0443 per gateway hour and $0.0144 per capacity unit hour.
Azure WAF Pricing for Additional Features
Azure WAF Pricing for Data Processing Fees for V1 Application Gateway
Here you get for free the first 10TB of data processed before you are charged. This pricing plan is based on the monthly data processed by the three Azure Application Gateway types:
Azure Application Gateway Small: $0.008/GB of processed data
Azure Application Gateway Medium: $0.007/GB of processed data
Azure Application Gateway Large: $0.0035/GB of processed data
Azure WAF Pricing for Data Transfer Fees
This refers to the amount of data transferred to and from Azure data centers and the data transferred between different Azure data centers. This includes all types of data, such as network traffic, file transfers, and data sent or received by applications running in Azure. However, other types of transfers not included in this bandwidth pricing are the Content Delivery Network (CDN), ExpressRoute pricing, or peering.
Azure's data transfer fees for the Azure WAF are divided into inter-regional and intercontinental data transfers. They have been provided below.
For inter-regional data transfers, it will cost you:
$0.02 per GB to transfer data between regions within North America and Europe
$0.08 per GB to transfer data between Asia, Oceania, the Middle East, and Africa
$0.16 per GB to transfer data between regions in South America
For inter-continental data transfers, it will cost you:
$0.05 per GB to transfer data from North America and Europe to other continents
$0.08 per GB to transfer data from Asia, Oceania, and Africa to other continents
$0.16 per GB to transfer data from South America to other continents
Bonus: check out the Azure Pricing Calculator to get an estimate of the Azure WAF cost.
open-appsec WAF as an Alternative to Azure WAF
Differentiating Factors | Azure WAF | open-appsec WAF |
Intrusion Prevention System | Not Available | Uses Snort 3.0 engine |
System Maintenance Complexity | Has a complex system maintenance procedure because of its rules, policies, and exclusion list | Has easy system maintenance due to the absence of threat signatures, rules, and exceptions to protect your web app |
Zero-Day Detection | Lacks a robust feature that protects your web application against zero-day attacks | Uses machine learning algorithms, threat prevention techniques, and the Snort 3.0 Intrusion Prevention System to identify and thwart zero-day attacks |
Exclusive Web Application Protection | Protects your Azure-based web app from attacks without needing extra security services or tools | Acts as a standalone web application security service and can protect all web applications irrespective of where they are hosted |
Pricing | Pricing depends on the hours used and the capacity of traffic it receives | Offers a pay-as-you-go pricing per 1 million and 100 million HTTPS requests per annum |
Open-source | Not an open-source | Open-source (with the third party verifying its source code) |
Type of System Configuration | Not available | Declarative configuration. |
False positives | Some false positives detected | Zero cases of false positives |
Web Latency | Doesn’t increase web latency | No instances of increased web latency |
WAF Community and Customer Service | Has a large community of users | Has a small community (with a quick response time) |
Free Version | No free trial | Free but has a paid Premium version. |
Machine-Learning App Security Approach | Not available | Uses two machine learning algorithms (offline and online) to secure web apps |
In conclusion
Azure WAF and open-appsec WAF are effective web application firewall solutions that provide security for web applications. However, while Azure WAF employs a rules-based system to detect and filter out malicious traffic, open-appsec WAF uses advanced machine learning algorithms, anomaly detection, and behavioral analysis to protect against known and unknown web attacks preemptively.
Also, not only has open-appsec code been published on GitHub, but the effectiveness of its WAF has been successfully proven in numerous tests by third parties. Hence, try open-appsec in the Playground today!
FAQs
Is WAF a part of the Azure Application Gateway?
Azure WAF is an optional license tier that you can select when configuring Azure Application Gateway V2. It provides a layer of security for your application workloads.
Do you need a WAF in front of an API gateway?
Having a WAF in front of an API Gateway is generally a good idea, as it provides an additional layer of security to protect your API from attacks.
API gateways provide security by allowing you to control access to your API through authentication and authorization mechanisms, such as API keys, OAuth, and IAM roles. However, a WAF can provide an additional layer of security to protect against attacks that may exploit vulnerabilities in your API code.
Is WAF before or after a load balancer?
In a typical architecture, a WAF is placed before the load balancer to inspect traffic before it reaches the backend servers. This is done so traffic is filtered before it is distributed across multiple backend servers. This way, if a malicious request passes through the WAF undetected and reaches one backend server, the other servers behind the load balancer will not be affected.
