Azure Web Application Firewall
Azure Web Application Firewall
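Azure WAF integrates with Application Gateway and Front Door to provide application-layer protection. The example below builds a WAF policy for Application Gateway; Front Door WAF policies are managed with a separate set of cmdlets (Az.FrontDoor module):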
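# Configure WAF Policy (Application Gateway WAF, Az.Network module)
#
# The settings, managed rules and custom rule are built first and the policy is
# then created in one call. This avoids a window in which a policy exists
# without its rules, and avoids calling .Add() on collection properties that
# may not be initialised on the returned objects.

# Stop on the first failed cmdlet so that a rule which could not be built is
# never silently left out of the deployed policy.
$ErrorActionPreference = 'Stop'

# Policy settings: state the mode explicitly instead of relying on the default.
# In Detection mode the WAF only logs matches; Prevention is needed for matching
# requests to be blocked. A common rollout is Detection first, review the WAF
# logs for false positives, then switch to Prevention.
$policySetting = New-AzApplicationGatewayFirewallPolicySetting `
    -Mode Prevention `
    -State Enabled

# Configure managed rules
# Rule 920300 is the CRS 3.x "Request Missing an Accept Header" check.
# NOTE(review): every disabled managed rule is a gap in coverage. The page gives
# no reason for this override; record the justification and re-check it whenever
# the rule set version changes.
$ruleOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride `
    -RuleId "920300" `
    -State "Disabled"

$managedRuleGroupOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride `
    -RuleGroupName "REQUEST-920-PROTOCOL-ENFORCEMENT" `
    -Rule $ruleOverride

$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
    -RuleSetType "OWASP" `
    -RuleSetVersion "3.2" `
    -RuleGroupOverride $managedRuleGroupOverride

# The policy's ManagedRules property expects the wrapper object that holds the
# list of rule sets (and any exclusions), not a bare rule set.
$managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule `
    -ManagedRuleSet $managedRuleSet

# Configure custom rules
# The header to inspect is described by a match-variable object; the match
# condition cmdlet has no -Selector parameter of its own.
$userAgentVariable = New-AzApplicationGatewayFirewallMatchVariable `
    -VariableName RequestHeaders `
    -Selector "User-Agent"

# Lowercase the header before comparing so a change of letter case in the
# User-Agent does not sidestep the rule. The header is client-controlled, so
# treat this rule as noise reduction, not as an access control.
$userAgentCondition = New-AzApplicationGatewayFirewallMatchCondition `
    -MatchVariable $userAgentVariable `
    -Operator Contains `
    -MatchValue @("badbot", "scanner") `
    -Transform Lowercase

$customRule = New-AzApplicationGatewayFirewallCustomRule `
    -Name "BlockBadUserAgent" `
    -Priority 1 `
    -RuleType MatchRule `
    -MatchCondition $userAgentCondition `
    -Action Block

# Create the policy with everything attached. Later changes to $wafPolicy are
# pushed with: Set-AzApplicationGatewayFirewallPolicy -InputObject $wafPolicy
$wafPolicy = New-AzApplicationGatewayFirewallPolicy `
    -Name "WebServerWAFPolicy" `
    -ResourceGroupName "WebServerRG" `
    -Location "East US" `
    -PolicySetting $policySetting `
    -ManagedRule $managedRules `
    -CustomRule $customRule

# The policy protects nothing until it is associated with an Application
# Gateway (or one of its listeners / path rules); that step is not shown here.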