We can create an Application Gateway with a web application firewall (WAF) feature using Azure Portal. The WAF uses rules from the Open Web Application Security Project (OWASP) core rule sets to protect your application. These rules include protection against attacks such as SQL injection, cross-site scripting attacks, and session hijacks.
You can see how the Application Gateway works in the following schema. It provides URL Path-Based Routing, which allows us to route traffic to the backend server pools based on the URL paths of the request.