Azure Footguns Database
Cost · Governance · Low · Occasional · AZF-0020

A Front Door WAF policy attached to no profile protects nothing and still bills

A Front Door WAF policy only inspects traffic it is linked to. With no security-policy or endpoint links it protects nothing, but it keeps billing its per-policy rate.

Footgun ID: AZF-0020 (Azure Footgun No. 20)
Azure service: Azure Front Door
Resource type: Microsoft.Network/frontDoorWebApplicationFirewallPolicies
Updated: July 1, 2026

What it is

A Front Door WAF policy (Microsoft.Network/frontDoorWebApplicationFirewallPolicies) that is not attached to any Front Door profile. A WAF policy only inspects the traffic of the security policies or frontend endpoints linked to it, so a policy with neither link filters nothing. It still bills a per-policy monthly rate for as long as it exists.

Impact (cost)

~$5-$20/month per policy at list price (classic Front Door WAF) while attached to nothing.
Basis: Azure list price. Figures are estimates, not measurements.

Why it happens

A WAF policy and the Front Door profile it protects are separate resources. The policy carries the managed rule sets and custom rules; the profile references the policy through a security-policy link (Standard/Premium) or a frontend-endpoint link (Classic). Delete or rebuild the Front Door profile and the policy is left behind with both link collections empty, still holding its rules but wired to nothing.

Azure does not warn you that a policy has stopped protecting anything. The resource is valid, its rules are intact, and it looks exactly like a working WAF in the portal. Only the missing links tell you it is inert, and nobody checks link collections during a cost review.

What it costs / blast radius

On the classic Front Door tier a WAF policy carries its own per-policy fee, roughly $5 to $20/month at list price depending on rule configuration, billed whether or not it is attached to a profile. (List price; your contract may differ.) Front Door Standard and Premium bundle WAF differently, with managed rule sets included in Premium rather than charged as a standalone per-policy line, so it is the classic tier where an orphaned policy keeps billing while attached to nothing.

The cost is modest per policy, but there is a second, quieter problem that applies on any tier: an orphaned WAF policy reads as protection that isn't there. Someone reviewing the environment sees a WAF and assumes the front door is covered, when the policy inspects zero requests. Delete it or re-link it, but do not leave it looking like a control it no longer is.

See it

Find them: WAF policies with no security-policy or endpoint links

// Azure Resource Graph query. array_length() returns null when the link
// collection is absent, so both null and 0 mean "attached to nothing".
Resources
| where type =~ 'microsoft.network/frontdoorwebapplicationfirewallpolicies'
| extend secLinks = array_length(properties.securityPolicyLinks)
| extend feLinks  = array_length(properties.frontendEndpointLinks)
| where (isnull(secLinks) or secLinks == 0)
    and (isnull(feLinks) or feLinks == 0)
| project name, resourceGroup, subscriptionId

Fix: re-attach the policy to a profile, or delete it

# If a Front Door should be using it, re-attach it. Otherwise remove it
# so it stops billing and stops looking like protection that isn't there.
az network front-door waf-policy delete \
  --name corpWafPolicy \
  --resource-group rg-edge
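The same orphan test as the query above, carried into a script that can be run over saved Resource Graph output and that also separates the billing finding (classic tier) from the "inert control" finding (any tier) described under blast radius. This is an added example, not StratoLens code. It assumes that `az graph query -o json` places its rows under a top-level "data" key, uses the Azure SKU names for these policies (Classic_AzureFrontDoor, Standard_AzureFrontDoor, Premium_AzureFrontDoor) to tell the tiers apart, and falls back to constructed sample records when no file is given.

```python
"""Find orphaned Front Door WAF policies in Azure Resource Graph output.

Added example, not StratoLens code. Applies the same test as the page's KQL:
a policy whose securityPolicyLinks and frontendEndpointLinks are both null or
empty inspects no traffic. Usage: python orphan_waf.py [resources.json]
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

WAF_POLICY_TYPE = "microsoft.network/frontdoorwebapplicationfirewallpolicies"
CLASSIC_SKU = "Classic_AzureFrontDoor"  # the tier that bills a per-policy fee

# Constructed sample records (not real subscriptions or policies); the field
# layout follows what Resource Graph returns for this resource type.
SUB = "11111111-1111-1111-1111-111111111111"
SAMPLE_RESOURCES = [
    {   # classic, both link collections present but empty: orphaned and billing
        "name": "corpWafPolicy", "type": WAF_POLICY_TYPE, "resourceGroup": "rg-edge",
        "subscriptionId": SUB, "sku": {"name": CLASSIC_SKU},
        "properties": {"securityPolicyLinks": [], "frontendEndpointLinks": []},
    },
    {   # premium, link collections absent (null): orphaned, inert, no standalone fee
        "name": "apiWafPolicy", "type": WAF_POLICY_TYPE, "resourceGroup": "rg-api",
        "subscriptionId": SUB, "sku": {"name": "Premium_AzureFrontDoor"},
        "properties": {},
    },
    {   # premium, linked through a security policy: a working control, not reported
        "name": "webWafPolicy", "type": WAF_POLICY_TYPE, "resourceGroup": "rg-web",
        "subscriptionId": SUB, "sku": {"name": "Premium_AzureFrontDoor"},
        "properties": {"securityPolicyLinks": [{"id": "/<placeholder>/securityPolicies/sp-web"}]},
    },
    {   # unrelated resource type: ignored by the type filter
        "name": "vnet-hub", "type": "microsoft.network/virtualnetworks",
        "resourceGroup": "rg-net", "subscriptionId": SUB, "properties": {},
    },
]


@dataclass(frozen=True)
class OrphanFinding:
    name: str
    resource_group: str
    subscription_id: str
    sku: str
    billed_while_orphaned: bool  # True on the classic tier, which charges per policy
    note: str


def link_count(properties: dict, key: str) -> int:
    """Mirror array_length(): a missing or null collection counts as zero links."""
    links = properties.get(key)
    return len(links) if links else 0


def is_orphaned(resource: dict) -> bool:
    """True for a WAF policy with neither security-policy nor frontend-endpoint links."""
    if resource.get("type", "").lower() != WAF_POLICY_TYPE:  # same as KQL's =~
        return False
    props = resource.get("properties") or {}
    return (link_count(props, "securityPolicyLinks") == 0
            and link_count(props, "frontendEndpointLinks") == 0)


def find_orphaned_waf_policies(resources: list[dict]) -> list[OrphanFinding]:
    findings = []
    for r in resources:
        if not is_orphaned(r):
            continue
        sku = (r.get("sku") or {}).get("name", "unknown")
        classic = sku == CLASSIC_SKU
        note = ("per-policy fee keeps billing; protects nothing" if classic
                else "no standalone per-policy fee on this tier; still reads as protection that isn't there")
        findings.append(OrphanFinding(r["name"], r.get("resourceGroup", ""),
                                      r.get("subscriptionId", ""), sku, classic, note))
    return findings


def format_report(findings: list[OrphanFinding]) -> str:
    if not findings:
        return "No orphaned Front Door WAF policies found."
    lines = ["Orphaned Front Door WAF policies (attached to no profile, inspecting no traffic):"]
    for f in findings:
        lines.append(f"  {f.subscription_id} / {f.resource_group} / {f.name}  sku={f.sku}  {f.note}")
    return "\n".join(lines)


def load_resources(stream) -> list[dict]:
    """Accept a bare JSON list or the {"data": [...]} envelope (assumed) from az graph query."""
    doc = json.load(stream)
    return doc["data"] if isinstance(doc, dict) else doc


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            resources = load_resources(fh)
    else:
        resources = SAMPLE_RESOURCES
    print(format_report(find_orphaned_waf_policies(resources)))
```

Feed it the saved output of the query above with `project` widened to include `sku` and `properties` (or no `project` at all), and it reports each orphan with whether the classic per-policy fee applies; the Standard/Premium orphans still appear, because the inert-control problem does not depend on the tier.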

How StratoLens helps

StratoLens checks every subscription for Front Door WAF policies with no live profile association and surfaces them with their per-policy cost, so an inert policy can't sit on the bill or masquerade as active protection. The check runs continuously; you don't have to remember it exists.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.