Inactive Web Application Firewall (WAF)
Balazs Engedi
Service Category: Networking
Cloud Provider: Azure
Service Name: Azure WAF
Inefficiency Type: Unused Resource
Explanation

Azure WAF configurations attached to Application Gateways can persist after their backend pool resources have been removed — often during environment reconfiguration or application decommissioning. In these cases, the WAF is no longer serving any functional purpose but continues to incur fixed hourly costs. Because no traffic is routed and no applications are protected, the WAF is effectively inactive. These orphaned WAFs are easy to overlook without regular cleanup processes and can quietly accumulate unnecessary charges over time.

Relevant Billing Model

Azure WAF on Application Gateway is billed based on:

  • Per-hour instance charges — incurred regardless of traffic volume
  • Data processing charges — based on traffic inspected, only applicable when the WAF is actively routing requests

A WAF remains billable as long as it is provisioned, even if there are no active backend pool resources or traffic flowing through it.

Detection
  • Identify WAF-enabled Application Gateways with no associated backend pool targets
  • Review traffic metrics or diagnostic logs to confirm that no requests are being processed
  • Validate that the WAF is not in use by other services such as Front Door or CDN endpoints
  • Consult with application teams to determine whether the WAF is still needed for future use
Remediation
  • Delete WAF configurations that are no longer routing traffic or protecting active applications
  • Establish periodic audits to flag and review WAFs with empty backend pools
  • Use automated checks to detect and alert on WAF deployments with no active use
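
The first Detection step and the automated check suggested under Remediation, as an added example (not from the original page or from Azure): a Python filter over the JSON that `az network application-gateway list -o json` returns. The gateway data below is constructed, and the field names (`sku.tier`, `backendAddressPools`, `backendIPConfigurations`, `requestRoutingRules[].redirectConfiguration`) are assumed from the Application Gateway resource schema.

```python
import json

# Constructed sample shaped like `az network application-gateway list -o json`.
# Field names are assumed from the Application Gateway resource schema.
SAMPLE = json.loads("""[
 {"name": "agw-shop-prod", "resourceGroup": "rg-shop", "sku": {"tier": "WAF_v2"},
  "backendAddressPools": [{"name": "web", "backendAddresses": [{"ipAddress": "10.0.1.4"}]}]},
 {"name": "agw-legacy", "resourceGroup": "rg-old", "sku": {"tier": "WAF_v2"},
  "backendAddressPools": [{"name": "old", "backendAddresses": []}]},
 {"name": "agw-internal", "resourceGroup": "rg-int", "sku": {"tier": "Standard_v2"},
  "backendAddressPools": [{"name": "api", "backendAddresses": []}]},
 {"name": "agw-vmss", "resourceGroup": "rg-vmss", "sku": {"tier": "WAF"},
  "backendAddressPools": [{"name": "ss", "backendAddresses": [],
    "backendIPConfigurations": [{"id": "/constructed/nic/ipconfig1"}]}]},
 {"name": "agw-redirect", "resourceGroup": "rg-web", "sku": {"tier": "WAF_v2"},
  "backendAddressPools": [{"name": "empty", "backendAddresses": []}],
  "requestRoutingRules": [{"name": "to-https", "redirectConfiguration": {"id": "/constructed/redirect"}}]}
]""")

WAF_TIERS = {"WAF", "WAF_v2"}


def target_count(pool):
    """Count static IP/FQDN entries plus NIC IP configurations bound to a pool."""
    return (len(pool.get("backendAddresses") or [])
            + len(pool.get("backendIPConfigurations") or []))


def find_inactive_wafs(gateways):
    """Return WAF-tier gateways whose backend pools hold no targets at all."""
    findings = []
    for gw in gateways:
        if (gw.get("sku") or {}).get("tier") not in WAF_TIERS:
            continue  # not WAF-enabled, outside this check
        pools = gw.get("backendAddressPools") or []
        if sum(target_count(p) for p in pools) > 0:
            continue  # at least one target is still attached
        rules = gw.get("requestRoutingRules") or []
        findings.append({
            "name": gw.get("name"),
            "resourceGroup": gw.get("resourceGroup"),
            "tier": gw["sku"]["tier"],
            # Redirect-only gateways still answer requests; review, don't delete.
            "redirect_rules": sum(1 for r in rules if r.get("redirectConfiguration")),
        })
    return findings


if __name__ == "__main__":
    for f in find_inactive_wafs(SAMPLE):
        print(f)
```

Gateways reported with a non-zero `redirect_rules` count may still be answering requests without any backend, so they belong in the traffic-metrics review rather than the deletion list.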