Azure WAF is a web application firewall that helps protect web applications from common threats such as SQL injection, cross-site scripting, and other web exploits.
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. Multiple WAF policies can be associated with an Application Gateway. After that the web request gets passed from the policies in Application gateway then to the server.