---
title: WAF is disabled for Azure Application Gateway
---

# WAF is disabled for Azure Application Gateway

## Metadata{% #metadata %}

**Id:** `ansible-azure-waf-is-disabled-for-azure-application-gateway` 

**Provider:** Azure

**Platform:** Ansible

**Severity:** Medium

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_appgateway_module.html)

### Description{% #description %}

Application Gateway instances must have the Web Application Firewall (WAF) SKU enabled to protect web traffic from application-layer threats like SQL injection, cross-site scripting, and automated attacks.

For Ansible resources using `azure.azcollection.azure_rm_appgateway` or `azure_rm_appgateway`, the `sku.tier` property must be set to `WAF` or `WAF_v2` (case-insensitive) to enable WAF capabilities. Resources missing `sku.tier` or configured with non-WAF tiers (for example `Standard` or `Standard_v2`) are flagged as insecure.

Secure configuration example:

```yaml
- name: Create Application Gateway with WAF_v2
  azure.azcollection.azure_rm_appgateway:
    resource_group: myResourceGroup
    name: myAppGateway
    sku:
      tier: WAF_v2
```
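
The following Python function applies the logic described above to tasks already parsed from a playbook. It is an added example, not Datadog's rule implementation; the function names and sample tasks are constructed for illustration, and it also descends into `block`/`rescue`/`always` sections, which the rule text does not mention.

```python
# Added example: a standalone check mirroring the rule text; not Datadog's rule code.
MODULES = {"azure.azcollection.azure_rm_appgateway", "azure_rm_appgateway"}
WAF_TIERS = {"waf", "waf_v2"}  # compared case-insensitively


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        yield task
        for section in ("block", "rescue", "always"):
            yield from iter_tasks(task.get(section))


def find_waf_violations(tasks):
    """Return (task name, reason) for each Application Gateway task without a WAF tier."""
    findings = []
    for task in iter_tasks(tasks):
        for module in task.keys() & MODULES:
            # Free-form (string) module arguments carry no sku mapping: treat as missing.
            args = task[module] if isinstance(task[module], dict) else {}
            sku = args.get("sku")
            tier = sku.get("tier") if isinstance(sku, dict) else None
            name = task.get("name", args.get("name", "<unnamed>"))
            if tier is None:
                findings.append((name, "sku.tier is missing"))
            elif str(tier).lower() not in WAF_TIERS:
                findings.append((name, f"sku.tier is '{tier}', not WAF or WAF_v2"))
    return findings


# Constructed sample: tasks in the shape a YAML loader returns for a playbook.
SAMPLE_TASKS = [
    {"name": "gw-waf", "azure_rm_appgateway": {"sku": {"name": "waf_medium", "tier": "waf"}}},
    {"name": "gw-standard", "azure_rm_appgateway": {"sku": {"tier": "standard"}}},
    {"name": "wrapper", "block": [
        {"name": "gw-no-sku", "azure.azcollection.azure_rm_appgateway": {"name": "myAppGateway"}},
        {"name": "gw-v2", "azure.azcollection.azure_rm_appgateway": {"sku": {"tier": "WAF_v2"}}},
    ]},
]

if __name__ == "__main__":
    for name, reason in find_waf_violations(SAMPLE_TASKS):
        print(f"{name}: {reason}")
```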

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create instance of Application Gateway
  azure_rm_appgateway:
    resource_group: myResourceGroup
    name: myAppGateway
    sku:
      name: waf_medium
      tier: waf  # WAF tier; the value is matched case-insensitively
      capacity: 2
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Create instance of Application Gateway
  azure_rm_appgateway:
    resource_group: myResourceGroup
    name: myAppGateway
    sku:
      name: standard_small
      tier: standard  # non-WAF tier: flagged by this rule
      capacity: 2
```
