Configuring a per-site WAF policy with IP address restriction rules: Part two

by Hitesh Vadgama, Solutions Architect, Rackspace Technology

In Part one of this three-part series, I introduced the concept of the per-site web application firewall (WAF) Policy with IP address rule restrictions and set the stage for this demonstration. Part one also lays out the assumptions for the implementation walkthrough. In this post, I present the Application Gateway configuration.

Application Gateway configuration

My Application Gateway is already provisioned, so let me share the relevant settings that I configured.

Web Application Firewall 

1. Under the Configure tab, I have WAF V2 as the selected Tier, Firewall Status enabled and in Prevention mode. I did not create any exclusions and I left the Global parameters with the default settings. 

waf pic 2

2. On the Rules tab, I left the default ruleset of OWASP 3.0 and Advanced rule configuration disabled.

Backend Pool
I have my Windows VM (or rather it’s NIC) added as a backend target to a pool I created called vmPool01.

- Backend protocol/port: Because this is purely for testing, I selected HTTP/80.
- Cookie-based affinity: disabled
- Connection draining: disabled
- Request time-out (seconds) : Default of 20
- Override with new hostname: yes
- Override with specific domain name: Selected. Because I have two websites running on
  the same VM, I need to select this option and specify the website URL so that the system
  forwards requests to the correct site based on the incoming host header.
   - For HTTPSettings01, I specified as the domain name
   - For HTTPSettings02, I specified as the domain name
- Custom Probe: I created a custom probe for each website and assigned each to the
  respective HTTP Setting object for health monitoring purposes.

The following screenshot shows the HttpSettings01 object for reference:

waf pic 5

 Frontend IP configurations 

The Application Gateway has a public IP address that I used to create DNS A records to map my two websites.

waf pic 6


1. I created a Listener for each website. The custom WAF rule needs this to work because I associate the rule to a specific Listener later so it impacts only one website.

- Site1_Listener: corresponding to
- Site2_Listener: corresponding to


waf pic 7

2. In the configuration for each Listener, I have the following: 

- Frontend IP: public
- Port: 80
- Associated Rule: I created a routing rule for each website and associated it to the
  respective Listener. I cover routing rules in the next section.
- Listener Type: Because I have more than one hosted site, I selected Multi site.
- Host name: I entered the URL corresponding to the respective website.

Following is a screenshot of the Site1_Listener for reference:

waf pic 8


1. I created a routing rule for each Listener:

- Site1_Rule: corresponding to Site1_Listener
- Site2_Rule: corresponding to Site2_Listener

2. For Site1_Rule backend targets, I have a backend pool (vmPool01) and the HTTPSettings01 object.

waf pic 9

3. For Site2_Rule backend targets, I again have backend pool (vmPool01) but this
   time with the HTTPSettings02 object. 

waf pic 10

Post 3 concludes the series with WAF policy configuration and testing the custom rule. 

Learn more about our web application security services.