
Metadata

Id: ansible-azure-waf-is-disabled-for-azure-application-gateway

Provider: Azure

Platform: Ansible

Severity: Medium

Category: Networking and Firewall

Description

Application Gateway instances must have the Web Application Firewall (WAF) SKU enabled to protect web traffic from application-layer threats like SQL injection, cross-site scripting, and automated attacks.

For Ansible resources using azure.azcollection.azure_rm_appgateway or azure_rm_appgateway, the sku.tier property must be set to WAF or WAF_v2 (case-insensitive) to enable WAF capabilities. Resources missing sku.tier or configured with non-WAF tiers (for example Standard or Standard_v2) are flagged as insecure.

Secure configuration example:

- name: Create Application Gateway with WAF_v2
  azure.azcollection.azure_rm_appgateway:
    resource_group: myResourceGroup
    name: myAppGateway
    sku:
      tier: WAF_v2

Compliant Code Examples

- name: Create instance of Application Gateway
  azure_rm_appgateway:
    resource_group: myResourceGroup
    name: myAppGateway
    sku:
      name: waf_medium
      tier: waf
      capacity: 2

Non-Compliant Code Examples

- name: Create instance of Application Gateway
  azure_rm_appgateway:
    resource_group: myResourceGroup
    name: myAppGateway
    sku:
      name: standard_small
      tier: standard
      capacity: 2
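The rule above can be expressed as a small static check over parsed Ansible tasks. The following is an added example, not Datadog's rule implementation or Ansible collection code: it looks for both module spellings the page names (azure.azcollection.azure_rm_appgateway and azure_rm_appgateway), compares sku.tier case-insensitively against WAF and WAF_v2, and reports tasks where sku.tier is missing or set to a non-WAF tier. The sample tasks are constructed to mirror the compliant and non-compliant examples on this page, written as the dictionaries a YAML parser would produce, so the example runs without a YAML library.

```python
"""Added example (not Datadog's rule code): apply the
ansible-azure-waf-is-disabled-for-azure-application-gateway rule to
parsed Ansible tasks and report the non-compliant ones."""

RULE_ID = "ansible-azure-waf-is-disabled-for-azure-application-gateway"

# Both module names the page says the rule applies to.
APPGW_MODULES = ("azure.azcollection.azure_rm_appgateway", "azure_rm_appgateway")

# Accepted tiers, compared case-insensitively (WAF, waf, WAF_v2, waf_v2, ...).
WAF_TIERS = {"waf", "waf_v2"}


def appgw_params(task):
    """Return the module parameters if the task creates an Application
    Gateway, or None when the rule does not apply to this task."""
    for module in APPGW_MODULES:
        if module in task:
            return task[module] or {}
    return None


def check_task(task):
    """Return a finding string for a non-compliant task, or None when the
    task is compliant or not an Application Gateway task."""
    params = appgw_params(task)
    if params is None:
        return None
    sku = params.get("sku")
    tier = sku.get("tier") if isinstance(sku, dict) else None
    label = task.get("name", "<unnamed task>")
    if tier is None:
        # Missing sku.tier means the default (non-WAF) SKU: flagged.
        return f"{label}: sku.tier is missing, WAF is not enabled"
    if str(tier).lower() not in WAF_TIERS:
        return f"{label}: sku.tier is '{tier}', expected WAF or WAF_v2"
    return None


def check_tasks(tasks):
    """Run check_task over a list of tasks and collect the findings."""
    return [f for f in (check_task(t) for t in tasks) if f]


# Constructed sample tasks, modelled on the examples on this page.
SAMPLE_TASKS = [
    {"name": "Create instance of Application Gateway (waf)",
     "azure_rm_appgateway": {"resource_group": "myResourceGroup",
                             "name": "myAppGateway",
                             "sku": {"name": "waf_medium", "tier": "waf",
                                     "capacity": 2}}},
    {"name": "Create Application Gateway with WAF_v2",
     "azure.azcollection.azure_rm_appgateway": {
         "resource_group": "myResourceGroup", "name": "myAppGateway",
         "sku": {"tier": "WAF_v2"}}},
    {"name": "Create instance of Application Gateway (standard)",
     "azure_rm_appgateway": {"resource_group": "myResourceGroup",
                             "name": "myAppGateway",
                             "sku": {"name": "standard_small",
                                     "tier": "standard", "capacity": 2}}},
    {"name": "Gateway without sku.tier",
     "azure_rm_appgateway": {"resource_group": "myResourceGroup",
                             "name": "myAppGateway"}},
    # Unrelated module: the rule must ignore it.
    {"name": "Unrelated task", "ansible.builtin.debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(f"[{RULE_ID}] {finding}")
```

Running the block prints two findings: the Standard-tier task and the task with no sku.tier. The two WAF tasks and the unrelated debug task produce nothing, which matches the rule's stated scope.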