Build OCI WAF protection rules, access control, and rate limiting configurations.
Last verified: May 2026
Example scenario: your team's e-commerce site is being hit with credential stuffing, automated bots replaying leaked username/password pairs against /login. The builder generates a policy that rate limits /login to 10 requests per source IP per minute and presents a CAPTCHA challenge above that threshold, enables the OWASP SQL injection and XSS rule sets in Block mode after a one-week Detect validation, and adds a bot management rule that challenges User-Agent strings matching known credential-stuffing tools (a weak signal on its own, since the client controls that header; treat it as a tripwire rather than the primary control). Within hours of deployment, automated login attempts drop by 95% or more, while legitimate users barely notice the limit because real humans do not attempt 10 logins a minute.
Oracle Cloud Infrastructure Web Application Firewall (WAF) protects web applications from common exploits like SQL injection, cross-site scripting (XSS), and bot traffic by inspecting HTTP/HTTPS requests at the edge. WAF policies combine access control rules, rate limiting, protection rules mapped to OWASP categories, and custom rules with flexible matching conditions. This builder helps you configure WAF policies with protection rules, request rate limiting, access control lists, and bot management settings for OCI Load Balancer or Flexible Load Balancer deployments.
The builder constructs OCI WAF policy definitions from five building blocks: access control rules (CIDR-based allow/deny), rate limiting rules (requests per client IP per period, with a block, challenge or allow action once the limit is exceeded), protection capabilities (preconfigured OWASP rule sets such as SQL injection, XSS and command injection, each with a sensitivity level), bot management rules (allow known good bots, challenge suspicious bots, block known bad bots) and custom rules (conditions on URL path, headers, source IP or country, each mapped to an action). Output is emitted as `oci waf web-app-firewall-policy` CLI commands and as Terraform `oci_waf_web_app_firewall_policy` resources. In the Terraform resource every rule references a named action, and the Detect and Block modes referred to below correspond to the action types CHECK (log only) and RETURN_HTTP_RESPONSE (reject with a fixed status code and body).
Always deploy protection rules in Detect-only mode first (a rule whose action type is CHECK rather than RETURN_HTTP_RESPONSE). The OWASP rule sets generate false positives on request patterns that are legitimate for your particular application: rich-text fields, search queries containing quotes, JSON bodies with SQL keywords. Run in Detect mode for one to two weeks under representative traffic, review the logged hits, add exclusions or exemption rules for the false positives, and only then switch the action to Block. Going straight to Block guarantees that some legitimate users are blocked.
Put exemptions ahead of the OWASP rules. Requests are evaluated in stages, access control first, then rate limiting, then protection, and within a stage in listed order, so an allowlist rule in an earlier stage or earlier in the list is matched before the SQLi and XSS capabilities run. Use this to exempt known-good traffic the OWASP rules would otherwise flag, for example `/api/search` requests whose query string legitimately contains single quotes. Check the documentation for your WAF offering to confirm whether an ALLOW in the access-control stage bypasses the protection stage or only ends access-control evaluation; if it is the latter, scope the protection rule itself instead, with a condition that excludes the path or an argument exclusion on the offending parameter. Keep each exemption as narrow as possible (exact path and parameter), because every one is a hole in the SQLi/XSS coverage.
Rate limiting in OCI WAF is keyed on the client IP address by default. Where many users share one egress address (corporate NAT, carrier-grade NAT, or a CDN in front of the load balancer), a single limit can throttle a whole office or an entire CDN edge. In the CDN case, use the X-Forwarded-For header to recover the true client IP, and verify that the CDN sets it correctly. Two caveats: X-Forwarded-For is an ordinary request header that any client can send, so trust it only when the CDN overwrites it and the load balancer admits traffic solely from the CDN's published IP ranges, otherwise an attacker can spoof it to dodge the per-IP limit; and for NAT'd user populations without a CDN, raise the threshold or narrow the rule's condition (for example, POST to /login only) rather than disabling the limit.
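As an added illustration (not the builder's output and not Oracle's own sample), the Terraform below encodes the three recommendations above in one `oci_waf_web_app_firewall_policy` resource: a log-only OWASP stage, a narrowly scoped exemption for `/api/search`, and a per-IP limit on /login. The `var.*` values, the rule and action names, the JMESPath function names used in the conditions and the `version = 1` capability versions are assumptions; look up real capability keys with `oci waf protection-capability list` and confirm the condition functions against the OCI WAF condition-language reference before applying.

```hcl
# Added example policy (not the builder's generated output). Variable values,
# rule/action names and the JMESPath condition functions are assumptions.

resource "oci_waf_web_app_firewall_policy" "ecommerce" {
  compartment_id = var.compartment_id
  display_name   = "ecommerce-waf"

  # Actions are declared once and referenced by name from every rule.
  actions {
    name = "allow"
    type = "ALLOW"
  }
  actions {
    name = "detect" # CHECK = log the match, let the request through (Detect mode)
    type = "CHECK"
  }
  actions {
    name = "block" # RETURN_HTTP_RESPONSE = reject with a fixed status/body (Block mode)
    type = "RETURN_HTTP_RESPONSE"
    code = 403
    body {
      type = "STATIC_TEXT"
      text = "Forbidden"
    }
  }

  # Stage 1: access control. Nothing is denied here; the default action lets
  # requests continue to the rate-limiting and protection stages.
  request_access_control {
    default_action_name = "allow"
  }

  # Stage 2: rate limiting, keyed on the client IP. More than 10 requests to
  # /login within 60 s from one IP blocks that IP for 300 s. Swap "block" for a
  # challenge action if your WAF offering provides one.
  request_rate_limiting {
    rules {
      name               = "login-throttle"
      type               = "REQUEST_RATE_LIMITING"
      action_name        = "block"
      condition_language = "JMESPATH"
      condition          = "i_contains(['/login'], http.request.url.path)" # assumed function name
      configurations {
        period_in_seconds          = 60
        requests_limit             = 10
        action_duration_in_seconds = 300
      }
    }
  }

  # Stage 3: OWASP protection capabilities. The rule starts in Detect mode
  # (action "detect"); after the validation window flip action_name to "block".
  # The exemption for /api/search is scoped here, on the protection rule itself,
  # so it does not depend on how ALLOW behaves in the access-control stage:
  # the rule skips that path, and the "q" argument is excluded from SQLi
  # inspection everywhere else because it legitimately carries quotes.
  request_protection {
    rules {
      name                       = "owasp-sqli-xss"
      type                       = "PROTECTION"
      action_name                = "detect"
      is_body_inspection_enabled = true
      condition_language         = "JMESPATH"
      condition                  = "!i_starts_with(http.request.url.path, '/api/search')" # assumed function name

      protection_capabilities {
        key     = var.sqli_capability_key # placeholder: take from `oci waf protection-capability list`
        version = 1
        exclusions {
          args = ["q"] # search query parameter, legitimately contains single quotes
        }
      }
      protection_capabilities {
        key     = var.xss_capability_key # placeholder: take from `oci waf protection-capability list`
        version = 1
      }
    }
  }
}
```

Apply it with the protection rule's `action_name` set to `detect`, watch the WAF logs for the one- to two-week validation window, then change that single string to `block` and apply again; Terraform updates the policy in place. The policy still has to be attached to the load balancer with a separate `oci_waf_web_app_firewall` resource, which this example omits.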
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.