Security Center default policy setting ‘Monitor Web Application Firewall’ should be enabled


When this setting is enabled, Security Center recommends provisioning a web application firewall on virtual machines in either of two cases: an instance-level public IP (ILPIP) is used and the inbound security rules of the associated network security group allow access to port 80/443; or a load-balanced IP is used and the associated load balancing and inbound network address translation (NAT) rules allow access to port 80/443.
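
The ILPIP case above can be approximated locally against exported network security group rules. The following is an added example, not Security Center's own evaluation logic: the function names and sample rules are assumptions made for illustration, rule fields follow the Azure NSG security rule schema, and source address prefixes are not considered.

```python
# Added example: local approximation of the ILPIP exposure condition described above.
# Field names follow the Azure NSG securityRule schema; function names are hypothetical.
WEB_PORTS = (80, 443)

SAMPLE_RULES = [  # constructed sample rules, not taken from a real subscription
    {"name": "deny-http", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "destinationPortRange": "80"},
    {"name": "allow-web", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRanges": ["80", "400-500"]},
]

def port_matches(spec, port):
    """True if an NSG port spec ('*', '80', '8000-8100') covers the port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port

def rule_covers(rule, port):
    """True if an inbound, TCP-capable rule names the port in either port field."""
    if rule["direction"].lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return any(port_matches(s, port) for s in specs)

def exposed_web_ports(rules):
    """Web ports whose first matching rule (lowest priority number) is Allow."""
    exposed = []
    ordered = sorted(rules, key=lambda r: r["priority"])
    for port in WEB_PORTS:
        for rule in ordered:
            if rule_covers(rule, port):
                if rule["access"].lower() == "allow":
                    exposed.append(port)
                break  # first match decides; lower-priority rules are ignored
    return exposed

def waf_recommended(has_ilpip, nsg_rules):
    """ILPIP case from the text: public IP on the instance plus 80/443 allowed inbound."""
    return has_ilpip and bool(exposed_web_ports(nsg_rules))
```

With the constructed rules, port 80 is blocked by the higher-priority deny rule while 443 falls inside the allowed 400-500 range, so the recommendation would still apply to a VM with an ILPIP.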

Portal Remediation Steps

  • Navigate to Azure Policy.

  • Select the subscription and click Edit assignment.

  • Select Parameters.

  • In All Internet traffic should be routed via your deployed Azure Firewall, select AuditIfNotExists.

  • Click Review + save > Save.

CLI Remediation Steps

  • Remediation is not possible via the CLI.