Q. What is the Azure Web Application Firewall (WAF)?
A. Azure has long had its layer 7 Application Gateway solution, and this has been enhanced with an optional Web Application Firewall (WAF) capability that integrates with the Load Balancer and, as the name suggests, provides a WAF solution. By default, WAF implements CRS 3.0; however, 2.2.9 is also available if required. The 3.0 rule set has 13 rule groups, and rule groups can be disabled on an individual basis if required (for example, if a rule is blocking traffic that you need to allow). WAF can run in detection mode (which does not stop attacks but logs them) or prevention mode (which provides the actual protection).
An existing Application Gateway instance can be switched to add the WAF functionality by changing its tier from Basic Application Gateway (Standard) to WAF Application Gateway (WAF). A new instance can be created with either tier. There is a price difference between the Standard and WAF tiers, which is documented at https://azure.microsoft.com/en-us/pricing/details/application-gateway. For details on the rules, see https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-overview and https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project.
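The settings described above (tier, detection versus prevention mode, rule set version, disabled rule groups) can be checked in an exported gateway definition. The following is an added example, not code from the original answer or from Microsoft; the function name `audit_waf`, the finding texts and the sample gateway are constructed for illustration, and the field names assume the Application Gateway resource JSON as exported from Azure.

```python
import json

# Constructed sample: an Application Gateway resource in exported (ARM JSON)
# shape, trimmed to the fields this check reads. Not taken from a real gateway.
SAMPLE_GATEWAY = json.loads("""
{
  "name": "example-appgw",
  "properties": {
    "sku": {"name": "WAF_Medium", "tier": "WAF"},
    "webApplicationFirewallConfiguration": {
      "enabled": true,
      "firewallMode": "Detection",
      "ruleSetType": "OWASP",
      "ruleSetVersion": "3.0",
      "disabledRuleGroups": [
        {"ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI", "rules": []}
      ]
    }
  }
}
""")


def audit_waf(gateway):
    """Return a list of findings for one Application Gateway resource."""
    props = gateway.get("properties", gateway)  # nested export or flattened output
    findings = []
    if not str(props.get("sku", {}).get("tier", "")).startswith("WAF"):
        return ["tier is not WAF: this gateway has no WAF capability"]
    waf = props.get("webApplicationFirewallConfiguration") or {}
    if not waf.get("enabled"):
        return ["WAF tier selected but the firewall is not enabled"]
    if waf.get("firewallMode") != "Prevention":
        findings.append("detection mode: attacks are logged, not stopped")
    if waf.get("ruleSetVersion") != "3.0":
        findings.append(f"rule set version {waf.get('ruleSetVersion')} in use instead of the default 3.0")
    for group in waf.get("disabledRuleGroups") or []:
        rules = group.get("rules") or []  # an empty list disables the whole group
        scope = f"rules {rules}" if rules else "entire group"
        findings.append(f"disabled: {group.get('ruleGroupName')} ({scope})")
    return findings


if __name__ == "__main__":
    for finding in audit_waf(SAMPLE_GATEWAY):
        print(finding)
```

A disabled rule group is not necessarily a misconfiguration; the finding exists so that each exception can be reviewed against the traffic it was meant to allow.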