If you are deploying a CloudGuard WAF AppSec Gateway to protect an existing production website, we recommend you also read the HOW-TO guide for this particular deployment.

CloudGuard WAF can be deployed as either a single virtual machine or a Scale-Set in Azure. It acts as a reverse proxy, and you can deploy Azure Load Balancers before and after it.

Make sure you obtain the <token> from the Enforcement Profile page, Authentication section. You will need it during agent deployment.


Follow these steps to deploy CloudGuard WAF in Azure using an ARM Template:

Step 1: Azure Log in

Log in to your Azure account.

Step 2: Verify required permissions

Verify that you have the required permissions:

Azure permissions


Purchase Resource

Validate Deployment


Update autoscale setting


Create or Update Virtual Machine Scale Set

Microsoft.KeyVault: Update Access Policy


Create or Update Public Ip Address

Create or Update Virtual Network

Create or Update Route Table

Create or Update Network Security Group

Create or Update Load Balancer


Update Storage Account Create

If deploying VMSS with a new Azure Key Vault:


Update Key Vault

Write Secret
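
The Step 2 check can be scripted against the role definitions assigned to the deploying identity. The following is an added example, not part of the original guide: the operation strings in `REQUIRED` are an assumed mapping from the display names listed above, the role is a constructed sample in the shape `az role definition list` returns, and assignment scope and deny assignments are not evaluated.

```python
import re

# Assumed mapping: the page lists operation display names only; these are the
# Azure resource provider operation strings they are taken to correspond to.
REQUIRED = {
    "Validate Deployment": "Microsoft.Resources/deployments/validate/action",
    "Update autoscale setting": "Microsoft.Insights/autoscalesettings/write",
    "Create or Update Virtual Machine Scale Set": "Microsoft.Compute/virtualMachineScaleSets/write",
    "Create or Update Public Ip Address": "Microsoft.Network/publicIPAddresses/write",
    "Create or Update Virtual Network": "Microsoft.Network/virtualNetworks/write",
    "Create or Update Route Table": "Microsoft.Network/routeTables/write",
    "Create or Update Network Security Group": "Microsoft.Network/networkSecurityGroups/write",
    "Create or Update Load Balancer": "Microsoft.Network/loadBalancers/write",
    "Write Secret": "Microsoft.KeyVault/vaults/secrets/write",
}

# Constructed sample role; a broad wildcard with one operation carved out.
SAMPLE_ROLES = [{
    "roleName": "waf-deployer (constructed)",
    "permissions": [{
        "actions": ["Microsoft.Resources/deployments/*", "Microsoft.Compute/*",
                    "Microsoft.Network/*", "Microsoft.KeyVault/vaults/*",
                    "Microsoft.Insights/autoscalesettings/write"],
        "notActions": ["Microsoft.Network/routeTables/write"],
    }],
}]

def _matches(patterns, action):
    # Azure RBAC action patterns are case-insensitive; '*' spans any characters.
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), action, re.I)
               for p in patterns)

def allowed(roles, action):
    # Within one permission block notActions is subtracted from actions;
    # a different role can still grant what this block excludes.
    for role in roles:
        for perm in role.get("permissions", []):
            if _matches(perm.get("actions", []), action) and \
               not _matches(perm.get("notActions", []), action):
                return True
    return False

def missing_permissions(roles, required=REQUIRED):
    # Display names of required operations that no assigned role grants.
    return sorted(n for n, a in required.items() if not allowed(roles, a))

if __name__ == "__main__":
    for name in missing_permissions(SAMPLE_ROLES):
        print("missing:", name)
```

The sample role looks sufficient because of `Microsoft.Network/*`, but the `notActions` entry removes the route table write, which is the kind of gap that otherwise surfaces only when the ARM deployment fails partway through.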

Step 3: Deployment using ARM Template

You have two options to store certificates:

Store Certificates in Azure

Store Certificates on Gateway
