🧪 Hands-on Labs

Overview

This workshop includes 12 hands-on labs that progressively build your Azure WAF skills. All labs include automated infrastructure deployment, step-by-step instructions, and attack simulation scripts.


🚀 Before You Begin

💡 Pre-populate WAF Logs: Before starting Lab 03, run the traffic simulator for at least 15 minutes to ensure WAF logs are available for analysis.

Script: simulate-waf-traffic.ps1

.\scripts\simulate-waf-traffic.ps1 -TargetUrl "http://<your-appgw-fqdn>" -DurationMinutes 15

Deploy Infrastructure


Lab Progression

graph LR
    A[Lab 01<br/>Deploy] --> B[Lab 02<br/>Detection]
    B --> C[Lab 03<br/>KQL Analysis]
    C --> D[Lab 03B<br/>Triage Workbook]
    D --> E[Lab 04<br/>Exclusions]
    E --> F[Lab 05<br/>Prevention]
    F --> G[Lab 06<br/>Front Door]
    G --> H[Lab 07<br/>Bots]
    H --> I[Lab 08<br/>Rate Limiting]

    J[Lab 09<br/>AGC] --> K[Lab 10<br/>Sentinel]
    K --> L[Lab 11<br/>Copilot]

    style D fill:#0078D4,color:white
    style K fill:#FFB900,color:black
    style L fill:#FFB900,color:black

Core Labs

Lab 01 — Deploy Application Gateway WAF v2 with DRS 2.1

Explore the deployed infrastructure, WAF policy, and verify connectivity.

Core

Lab 02 — Configure WAF Detection Mode & Generate Traffic

Enable detection mode, generate attack traffic, verify logging without blocking.

Core

Lab 03 — Analyze WAF Logs with KQL

Navigate Log Analytics, run KQL queries, identify triggered rules and false positives.

Core

Lab 03B — WAF Fine Tuning with Triage Workbooks ✨

Deploy the official WAF Triage Workbooks for Application Gateway and Front Door.

New

Lab 04 — Create Exclusions and Custom Rules

Tune WAF with per-rule exclusions, geo-filtering, and IP blocking rules.

Core

Lab 05 — Switch to Prevention Mode & Validate

Enable prevention, re-run attacks, verify blocking and exclusion behavior.

Core

Lab 06 — Deploy Front Door Premium with WAF

Explore edge WAF, configure origin lockdown, compare with Application Gateway.

Core

Lab 07 — Bot Protection & JavaScript Challenge

Enable Bot Manager, configure JavaScript Challenge, test bot detection.

Core

Lab 08 — Rate Limiting with XFF Grouping

Create rate limiting rules, test burst traffic, analyze rate limit events.

Core

Lab 09 — Application Gateway for Containers (AGC)

Deploy AGC with WAF policy as Kubernetes CRD, test protection.

Core


Optional Labs

Additional Licensing Required

These labs require Microsoft Sentinel and/or Copilot for Security licenses.

Lab 10 — Microsoft Sentinel WAF Data Connector

Connect WAF data to Sentinel, create analytics rules and workbooks.

Optional

Lab 11 — Copilot for Security WAF Investigation

Use natural language to investigate WAF events and get tuning recommendations.

Optional


🧹 Cleanup

When finished with all labs, remove all resources:

Script: cleanup.ps1

.\scripts\cleanup.ps1 -ResourceGroupName "rg-waf-workshop"

Cost Warning

Lab resources cost approximately $25-30 USD/day (~$750-900/month). Always clean up when finished.