Application Gateway with WAF performance degradation

Martin Kutlák 20 Reputation points
2025-09-22T11:01:13.0233333+00:00

We are very often experiencing crashes/performance degradation of our Application Gateway with associated WAF in detection mode. Throughput on the AGW is just about 100 req/s and it doesn't change much throughout the day (IoT device requests, all across the EU).

If we dissociate the WAF from the AGW, it works without any issues. But once the WAF is added (detection mode, OWASP rules, bot detection), we get these issues.

We tried different configurations of the AGW but nothing seems to help. We tried:

  1. manual scale of 2 instances
  2. autoscaling from 0 to 4 instances
  3. autoscaling from 2 to 4 instances

What can we do to fix resilience/availability of the AGW with WAF?

WAF requests

[Image: WAF total requests, 5 min interval]

Estimated billing vs Used compute units

[Image: compute units, 5 min interval]

Health backends

[Image: healthy_bcknd]

Resource health alerts

We get these alerts once or twice a week. But there are some performance issues pretty much every day.

[Image: application gateway resource]

Azure Web Application Firewall

Answer accepted by question author
  1. Jeevan Shanigarapu 2,375 Reputation points Microsoft External Staff Moderator
    2025-09-22T12:38:04.43+00:00

    Hello @Martin Kutlák,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand your question about the crashes and performance issues with your Application Gateway and the WAF running in detection mode. The throughput on the gateway is around 100 requests per second and remains fairly consistent throughout the day, as these are IoT device requests from across the EU.

    To help enhance resilience and availability, here are some recommended next steps:

    Activate and assess diagnostics:

    Enable Application Gateway diagnostics, including Access, Performance, and Firewall logs, and direct them to Log Analytics.

    Monitor metrics such as Compute Unit utilization, Unhealthy host count, and Failed requests to analyze WAF activity in relation to traffic spikes.

    Check backend probe logs to ensure that backend servers are not causing the degraded health status.

    Adjust the WAF Policy Settings: In detection mode, use the logs to identify false positives or unnecessary inspections.

    1. Exclude non-critical headers or body fields for IoT traffic.

    2. Disable or customize rule groups that generate high false positives (for example, bot detection or SQLi checks if they don't apply).

    3. Ensure you're using the latest OWASP ruleset (e.g., 3.2.5 or later) for improved performance and fewer false positives.

    Revise the scaling strategy as needed:

    Make sure you are using the Application Gateway v2 SKU, as it supports autoscaling and zone redundancy.

    Set a minimum instance count (for example, 2–4) to help prevent instability during scale-in and allow a higher maximum (up to 10–20 if necessary).

    Enabling zone redundancy is advised to improve resiliency across different regions.

    Additional Resilience Steps:

    You may want to implement rate limiting or set up custom WAF rules to manage high-traffic devices.

    If stability problems continue, consider whether placing Azure Front Door in front of AGW could help with traffic inspection.

    Next step: Could you please confirm the following:

    Which SKU (v1 or v2) and region is your AGW deployed in?

    What WAF ruleset version are you currently using?

    With this information, I can offer more accurate guidance. If you still encounter issues after these steps, I suggest submitting a Microsoft support case with your diagnostic data for further analysis.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to "Accept the answer" and "up-vote it" wherever the information provided helps you, this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

    1 person found this answer helpful.

1 additional answer

  1. Sina Salam 25,761 Reputation points Volunteer Moderator
    2025-09-25T10:32:34.4866667+00:00

    Hello Martin Kutlák,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are experiencing performance degradation on Application Gateway with WAF.

    Perform the steps below to resolve the issues and use the links for more details:

    1. Migrate from OWASP 3.1 to DRS 2.1, which is optimized for WAF_v2 to enhance protection and performance. - https://free.blessedness.top/en-us/azure/web-application-firewall/ag/application-gateway-waf-metrics
    2. Activate Access, Performance, Firewall, and AllMetrics logs, routing them to Log Analytics for visibility and troubleshooting. - https://free.blessedness.top/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot
    3. Leverage Azure Monitor to track CU utilization, backend response latency, request volume fluctuations, and unhealthy instance ratios. For a full metric list, see Application Gateway Metrics - https://free.blessedness.top/en-us/azure/application-gateway/application-gateway-metrics
    4. Adjust policies by disabling unnecessary rules such as MSBotManager or specific SQLi checks (e.g., 942130). Apply exclusion lists for headers or body fields to handle IoT-related traffic. - https://free.blessedness.top/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot
    5. Configure WAF_v2 SKU with a baseline of 4 instances, scaling up to 10–20 as required, and enable zone redundancy for resilience. - https://free.blessedness.top/en-us/azure/application-gateway/high-traffic-support
    6. Use Azure Network Watcher flow logs to investigate packet drops, routing failures, or anomalies during WAF downtime. - https://free.blessedness.top/en-us/azure/network-watcher/network-watcher-monitoring-overview
    7. For global load balancing and enhanced inspection, consider adding Azure Front Door in front of Application Gateway. - https://free.blessedness.top/en-us/azure/frontdoor/front-door-overview

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
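
Both answers recommend using the firewall logs from detection mode to decide which rules to disable or exclude. The sketch below is an added example, not part of either answer or of any Microsoft tooling: it ranks rules by hit count and pulls the matched request variable out of `details.data` as a hint for exclusion candidates. It assumes the firewall log was exported as one JSON record per line; the sample records, and every rule ID in them other than 942130, are constructed.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample: one JSON record per line, using the field names of the
# ApplicationGatewayFirewallLog diagnostic category. All values are made up.
SAMPLE_LOG = "\n".join([
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/telemetry","ruleId":"920300","action":"Matched","details":{"data":""}}}',
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.11","requestUri":"/telemetry","ruleId":"920300","action":"Matched","details":{"data":""}}}',
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/telemetry?reading=21=21","ruleId":"942130","action":"Matched","details":{"data":"Matched Data: 21=21 found within ARGS:reading: 21=21"}}}',
    '{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"203.0.113.10"}}',
    'truncated line {"category":',
])

# "found within ARGS:name" / "found within REQUEST_HEADERS:Name" in details.data
MATCH_VAR = re.compile(r"found within ([A-Z_]+(?::[^:\s]+)?)")

def rank_rules(log_text):
    """Return firewall rules ordered by hit count, with exclusion hints."""
    hits = Counter()
    clients = defaultdict(set)
    variables = defaultdict(Counter)
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial lines from a truncated export
        if not isinstance(record, dict):
            continue
        if record.get("category") != "ApplicationGatewayFirewallLog":
            continue  # access/performance records can share the same sink
        props = record.get("properties", {})
        rule = props.get("ruleId", "unknown")
        hits[rule] += 1
        clients[rule].add(props.get("clientIp"))
        found = MATCH_VAR.search(props.get("details", {}).get("data") or "")
        if found:
            variables[rule][found.group(1)] += 1
    return [
        {"ruleId": rule, "hits": n, "clients": len(clients[rule]),
         "match_variables": dict(variables[rule])}
        for rule, n in hits.most_common()
    ]

if __name__ == "__main__":
    for row in rank_rules(SAMPLE_LOG):
        print(row)
```

A rule that fires for many distinct clients on the same match variable is a candidate for a scoped exclusion on that variable rather than for disabling the whole rule group.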

