How does OCI WAF integrate with load balancers?

OCI WAF can be attached to an OCI Load Balancer or Flexible Load Balancer as a WAF policy. When attached, all incoming traffic passes through the WAF for inspection before reaching your backend servers. The WAF operates at Layer 7 (HTTP/HTTPS) and can inspect headers, body content, query parameters, and cookies. For edge protection, you can also use WAF with the OCI Edge services for CDN-level protection.

Can I customize WAF rules beyond the predefined OWASP protections?

Yes. OCI WAF supports custom protection rules where you define matching conditions (headers, URLs, query parameters, IP addresses, country codes) and actions (allow, block, detect-only). You can combine multiple conditions with AND/OR logic. Custom rules evaluate before predefined rules, letting you create allowlists for trusted traffic or block specific attack patterns unique to your application.

OCI WAF Policy Builder

IAM & SecurityOCI

Build OCI WAF protection rules, access control, and rate limiting configurations.

OCI WAF Policy Configuration

Display Name

Access Rule 1

Name

Action

Block Response Code

Criteria

Display name is required
Rule 1: Name is required
Rule 1, Criteria 1: Value is required

Generated WAF Policy JSON

Output will appear here...

About This Tool

Oracle Cloud Infrastructure Web Application Firewall (WAF) protects web applications from common exploits like SQL injection, cross-site scripting (XSS), and bot traffic by inspecting HTTP/HTTPS requests at the edge. WAF policies combine access control rules, rate limiting, protection rules mapped to OWASP categories, and custom rules with flexible matching conditions. This builder helps you configure WAF policies with protection rules, request rate limiting, access control lists, and bot management settings for OCI Load Balancer or Flexible Load Balancer deployments.

When to Use This Tool

•Building a WAF policy that blocks OWASP Top 10 attacks including SQL injection, XSS, and command injection for a public-facing application
•Configuring rate limiting rules to prevent API abuse by limiting requests per IP address per minute with custom response codes
•Creating geo-based access control rules that allow traffic only from specific countries and block known malicious IP ranges
•Setting up bot management rules that challenge suspected bots with CAPTCHA while allowing known good crawlers like Googlebot

Frequently Asked Questions

How does OCI WAF integrate with load balancers?: OCI WAF can be attached to an OCI Load Balancer or Flexible Load Balancer as a WAF policy. When attached, all incoming traffic passes through the WAF for inspection before reaching your backend servers. The WAF operates at Layer 7 (HTTP/HTTPS) and can inspect headers, body content, query parameters, and cookies. For edge protection, you can also use WAF with the OCI Edge services for CDN-level protection.
Can I customize WAF rules beyond the predefined OWASP protections?: Yes. OCI WAF supports custom protection rules where you define matching conditions (headers, URLs, query parameters, IP addresses, country codes) and actions (allow, block, detect-only). You can combine multiple conditions with AND/OR logic. Custom rules evaluate before predefined rules, letting you create allowlists for trusted traffic or block specific attack patterns unique to your application.

Related Learning Guides

OCI Security Best Practices24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.