Primitive

WAF

A Web Application Firewall — it inspects HTTP(S) traffic at the application layer and blocks common web exploits such as SQL injection, cross-site scripting, and malicious bots before they reach a workload.

Description

The managed web application firewalls (AWS WAF, Azure Web Application Firewall, GCP Cloud Armor) all inspect layer-7 HTTP(S) traffic and block OWASP Top 10 exploits, malicious bots, and abusive request rates using managed and custom rule sets. The differences are in where they attach and their surrounding tooling: AWS WAF binds to CloudFront, Application Load Balancers, and API Gateway with AWS Managed Rules and central control through Firewall Manager; Azure offers two flavours — Application Gateway WAF in-region and Front Door WAF at the global edge — both built on the OWASP Core Rule Set; GCP Cloud Armor enforces policy-based rules at the edge of its HTTP(S) load balancers with ML-assisted DDoS detection. To the best of our knowledge the core role is equivalent; choose by the load balancer or CDN you are fronting and how much managed-rule and central-management tooling you need.

Capabilities

  • Block OWASP Top 10 exploits (SQLi, XSS, RCE)
  • Managed and custom rule sets
  • Rate limiting, bot control, and geo-blocking
  • Inspect and log HTTP(S) requests at layer 7

Vendor implementations

AWS WAF
GCP Armor
AZ WAF

Related primitives