waf
4 Topics

We never really knew if our Azure followed CAF or Well-Architected — so we built something
For years we ran Azure environments professionally and CAF and WAF reviews were always the same story. A consultant every 12-18 months, a thick PDF, good intentions — and then nothing until the next one. The problem wasn't that we didn't care. It was that there was no lightweight way to track it continuously. Defender had some parts of CIS. WAF had the assessment tool. CAF had... a whitepaper and a spreadsheet we kept meaning to update. We couldn't answer basic questions like: are we getting better or worse? Which subscriptions are drifting? What would an auditor actually see if they looked at our CAF posture today? Eventually we got frustrated enough to build Anubion — it connects agentlessly to your Azure tenant and runs continuous checks across CIS, CAF, and WAF in one place, with findings prioritised and evidence stored over time. Happy to share more if anyone's interested. But also genuinely curious — how are other teams handling CAF and WAF tracking between formal assessments? If anyone is curious about their scores, you can sign up for a 14-day free trial. The setup is short and you only need a read-only service principal. Check out https://anubion.io/#request-access

Application Gateway WAF custom rule is not triggered if the HTTP header field is not present
Hi Community, I have this strange behavior on my Application Gateway WAF. I created this custom rule (see image below) to deny traffic when the HTTP request has the Referer HTTP header field empty or missing. The problem is that this rule is only triggered when the Referer HTTP header field is empty but not when it is missing 😞 Instead, the same custom rule is working fine on the Front Door WAF. Why is it happening? Did I do something wrong?

5.7K Views · 1 like · 1 Comment

Web Application Firewall (WAF) rate limit rule for Azure Application Gateway
Hello, Currently, I can create a WAF rate limit rule only on Azure Front Door but I can't create it on the Application Gateway (e.g. see https://serverfault.com/questions/961678/rate-limit-using-azure-application-gateway). Will the WAF rate limit rule on the Application Gateway ever be available in the future? If yes, when? Thanks in advance.

12K Views · 0 likes · 2 Comments

Secure a VM-based web server sitting behind Azure Front Door + WAF from the internet
Hi All, I have a web server that's running on a VM inside Azure. The server is exposed to the internet through an NGINX reverse proxy and a public IP address. For added security, I've set up an Azure Front Door, incorporating an Azure Web Application Firewall (WAF), which works fine so far. My issue is that I can't see how I'm supposed to stop internet traffic connecting directly to my internet-facing NGINX proxy. Without putting restrictions in place (I'm not sure what these would be), there's no reason for anyone to access the server via AFD as they could just go straight to the server. This completely defeats the purpose of AFD + WAF (apart from load balancing, etc. features which I'm not using). Has anyone worked this out? It doesn't appear as though Microsoft has thought this through??? Cheers, Josh

6.7K Views · 0 likes · 1 Comment