Microsoft Security, Compliance, and Identity Fundamentals SC-900 Practice Question

Azure Web Application Firewall (WAF) provides centralized, application-layer protection for web apps that are published through Azure Application Gateway, Azure Front Door, or Azure CDN. WAF applies the Open Web Application Security Project (OWASP) Core Rule Set to incoming HTTP or HTTPS traffic and can automatically block common exploits such as SQL injection or cross-site scripting without requiring any changes to the application itself.

Azure Firewall offers stateful packet inspection and egress filtering but does not provide OWASP-based Layer 7 attack mitigation. Network security groups filter traffic by IP address, port, and protocol at the subnet or NIC level and cannot interpret web requests. Azure DDoS Protection Standard focuses on absorbing large-scale volume or protocol attacks at the network edge, not inspecting individual web requests for malicious payloads. Therefore, Azure Web Application Firewall is the correct choice.