Compliance alignment
This checklist is reviewed and maintained against three Microsoft architectural frameworks: the Cloud Adoption Framework (CAF), the Well-Architected Framework, and Zero Trust. Items within each section are tagged required, recommended, or optional based on framework guidance, with Zero Trust items typically setting the required bar and Well-Architected pillar guidance informing the recommended set.
WAF Policy naming follows the CAF convention waf-{workload}-{env}-{region}-{index} (example: waf-ecomm-prod-eus-01). The policy is a distinct, independently versioned ARM resource (type Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies), so store its Bicep definition alongside the Application Gateway template in the same source control repository, with branch protection requiring peer review on every rule change. Governance items address resource tagging (Workload, Environment, CostCenter, createdBy), CanNotDelete locks on the policy's resource group, and Azure Policy compliance. Managed rule set upgrades (for example moving from OWASP CRS 3.2 to DRS 2.1) are a governance event: they require a documented review, a Detection-mode validation window against live traffic, and a defined rollback plan before Prevention is re-enabled, because a new rule set changes what is scored as anomalous and exclusions tuned against the old version must be re-validated.
Reliability: a WAF policy change that blocks legitimate traffic is an outage of the application it fronts. Validate every rule addition and exclusion removal in Detection mode first, with a defined rollback procedure (redeploying the previous policy version from source control).
Security: Prevention mode with OWASP CRS 3.2 or Microsoft DRS 2.1 is the baseline. Bot protection (the Microsoft Bot Manager rule set), rate-limit custom rules on sensitive endpoints, and geo-match rules blocking regions the workload does not serve strengthen posture significantly.
Performance Efficiency: overly broad exclusions (an entire request body, all query arguments) reduce WAF effectiveness; tuning that is too conservative leaves false positives that block legitimate traffic. Tune against actual traffic in ApplicationGatewayFirewallLog and scope each exclusion to the specific match variable, selector, and rule that fired rather than disabling the rule outright.
Cost Optimization: WAF rule processing is one of the factors that consume Application Gateway v2 capacity units, and every custom rule is evaluated on every request. Review the custom rule count and remove redundant rules left over from tuning sessions.
Operational Excellence: policy-as-code in source control with a staged rollout (Detection, then Prevention) and a structured runbook for rule lifecycle management.
Verify explicitly: WAF Prevention mode is the baseline. A Detection-only WAF provides no active protection; it only logs. Every request reaching backend application code must have traversed an actively blocking WAF policy. Per-listener policies allow stricter rules on sensitive paths (admin, API, auth) without loosening rules on public paths.
Least privilege: write access to the WAF policy resource (through the Network Contributor built-in role or a custom role scoped to Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies) is time-bound via PIM. Operations teams hold no standing write access, because a misconfigured rule change blocks the entire application immediately.
Assume breach: ApplicationGatewayFirewallLog records every rule match the WAF made, with client IP, request URI, rule set and rule ID, the matched data, and the action taken (Matched for individual rules; Detected or Blocked for the final anomaly-score decision). It does not record requests that matched nothing; the full request record, including User-Agent, is in ApplicationGatewayAccessLog and joins to the firewall log on transactionId. Continuous monitoring of these logs for anomalies (a spike in a rule's hit count, a new client IP or network pattern, an unusual User-Agent) is the WAF's contribution to the assume-breach detection posture.
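As an added example (not part of the original checklist or its IaC repository), the following Python reads ApplicationGatewayFirewallLog records exported as JSON lines and performs the two log-driven tasks described above: the Detection-mode tuning pass that finds rules firing repeatedly on one path from many distinct clients (exclusion-review candidates), and the assume-breach monitoring pass that flags per-rule hit spikes and client IPs never seen in a baseline window. The records, client IPs, URIs and the policy name are constructed; field names follow the firewall log schema, and rule IDs 920300, 941100, 942100 and 949110 are OWASP CRS 3.2 rules. In Log Analytics the same logic would normally be a KQL query; Python is used here so the example runs offline.

```python
"""Offline analysis of ApplicationGatewayFirewallLog records (added example).
Two tasks from the checklist over constructed JSON-lines records:
(1) Detection-mode tuning: exclusion-review candidates; (2) monitoring:
per-rule spikes versus a baseline window and previously unseen client IPs."""
import json
from collections import Counter, defaultdict

# Anomaly-score decision rule in CRS 3.2 / DRS. It fires because other rules
# scored the request, so it is never itself an exclusion target.
DECISION_RULES = {"949110"}

def _rec(time, ip, uri, rule_id, action):
    """One constructed firewall-log record. Field names follow the Azure
    diagnostic schema; every value (IPs, URIs, policy name) is invented."""
    return json.dumps({"time": time, "category": "ApplicationGatewayFirewallLog",
                       "properties": {"clientIp": ip, "requestUri": uri,
                                      "ruleSetType": "OWASP", "ruleSetVersion": "3.2",
                                      "ruleId": rule_id, "action": action,
                                      "policyScopeName": "https-ecomm"}})

def _window(day, decision, probe):
    """Constructed one-day window: product searches from three clients trip
    the libinjection SQLi rule (a false-positive pattern), a health probe
    lacks an Accept header, and, if `probe`, one new client hammers /login."""
    lines = []
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11",
                            "198.51.100.12", "198.51.100.10"]):
        t, uri = f"{day}T10:0{i}:00Z", "/search?q=select+a+phone+case"
        lines.append(_rec(t, ip, uri, "942100", "Matched"))
        lines.append(_rec(t, ip, uri, "949110", decision))
    for i in range(2):
        lines.append(_rec(f"{day}T10:1{i}:00Z", "192.0.2.50", "/healthz",
                          "920300", "Matched"))
    if probe:
        for i in range(9):
            t, uri = f"{day}T10:2{i}:00Z", "/login?user=a'+or+1=1--"
            lines.append(_rec(t, "203.0.113.77", uri, "942100", "Matched"))
            lines.append(_rec(t, "203.0.113.77", uri, "949110", decision))
        for i in range(5):
            lines.append(_rec(f"{day}T10:3{i}:00Z", "203.0.113.77",
                              "/login?user=<script>", "941100", "Matched"))
    return lines

BASELINE_LOG = _window("2024-05-01", decision="Detected", probe=False)
CURRENT_LOG = _window("2024-05-02", decision="Blocked", probe=True)

def parse_firewall_log(lines):
    """Yield the `properties` dict of every firewall-log record, skipping
    blank lines and records from other diagnostic categories."""
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") == "ApplicationGatewayFirewallLog":
            yield rec["properties"]

def exclusion_candidates(props, min_hits=3, min_ips=2):
    """(ruleId, path, hits, distinct_ips) for rules firing repeatedly on one
    path from several clients. A burst from a single client is deliberately
    not a candidate: that is one source hammering an endpoint, not a
    population of legitimate users, and it must not be tuned away."""
    hits, ips = Counter(), defaultdict(set)
    for p in props:
        if p["ruleId"] in DECISION_RULES:
            continue
        key = (p["ruleId"], p["requestUri"].split("?", 1)[0])
        hits[key] += 1
        ips[key].add(p["clientIp"])
    return sorted((r, path, n, len(ips[(r, path)]))
                  for (r, path), n in hits.items()
                  if n >= min_hits and len(ips[(r, path)]) >= min_ips)

def rule_spikes(baseline, current, factor=3.0, min_current=5):
    """{ruleId: (baseline_hits, current_hits)} for rules whose hit count
    exceeds `factor` times the baseline; a rule unseen in the baseline
    counts as a spike once it reaches `min_current`."""
    base = Counter(p["ruleId"] for p in baseline)
    cur = Counter(p["ruleId"] for p in current)
    return {r: (base[r], n) for r, n in sorted(cur.items())
            if n >= min_current and n > factor * base[r]}

def new_client_ips(baseline, current):
    """Client IPs that triggered rules now but never in the baseline window."""
    seen = {p["clientIp"] for p in baseline}
    return sorted({p["clientIp"] for p in current} - seen)

def analyze(baseline_lines=BASELINE_LOG, current_lines=CURRENT_LOG):
    base = list(parse_firewall_log(baseline_lines))
    cur = list(parse_firewall_log(current_lines))
    return {"exclusion_candidates": exclusion_candidates(base),
            "rule_spikes": rule_spikes(base, cur),
            "new_client_ips": new_client_ips(base, cur)}

if __name__ == "__main__":
    for name, result in analyze().items():
        print(f"{name}: {result}")
```

The `min_ips` threshold is the part worth keeping when porting this to KQL: in the constructed current window the probe against /login produces far more 942100 hits than the legitimate searches, but because they all come from one client it never appears as an exclusion candidate, while the same rule firing on /search from three clients does. The spike and new-IP checks are what would page an analyst in Prevention mode; the exclusion pass is what a Detection-mode validation window is for.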
References
WAF Policy overview & rule sets
Custom rules & exclusions
Per-listener policies & association
View IaC on GitHub →