After enabling a managed WAF rule set, a healthcare portal looked healthier in the vendor dashboard — fewer suspicious requests — but synthetic monitors started failing from external locations.
The false lead
Operations assumed the app was down and rolled back the last deployment. Production pods were fine; only edge traffic from the monitoring SaaS was getting HTTP 403 responses.
The actual cause
Health-check URLs contained query strings that matched a generic SQLi signature. Internal probes from the VPC bypassed the WAF; external monitors did not. Alerts fired only when the outside-in path broke.
The fix
A narrow allow rule for the monitor source IPs, placed before the broad managed set, plus a rewritten health path without suspicious patterns. No new appliances required.
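The rule-ordering behaviour behind the cause and the fix, as an added example that is not from the original write-up or from any WAF vendor. The signature regex, the `/healthz` path, the `portal.example` host and the IP ranges are constructed, and scoping the allow rule to the health path as well as the monitor source IPs is an assumption about what "narrow" means here.

```python
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit, unquote_plus

Request = namedtuple("Request", "src_ip url")

# Constructed stand-in for a generic managed SQLi signature (not a vendor rule).
SQLI_SIGNATURE = re.compile(r"(?i)\bunion\s+select\b|\bselect\s+1\b|\bselect\b.*\bfrom\b")
# Constructed monitor egress range (TEST-NET-3 documentation addresses).
MONITOR_NETS = [ipaddress.ip_network("203.0.113.0/28")]
HEALTH_PATH = "/healthz"  # hypothetical health endpoint

def managed_sqli(req):
    """Broad rule: inspect the decoded query string, as a managed set would."""
    return bool(SQLI_SIGNATURE.search(unquote_plus(urlsplit(req.url).query)))

def monitor_health(req):
    """Narrow allow: known monitor source AND the health path only."""
    ip = ipaddress.ip_address(req.src_ip)
    on_path = urlsplit(req.url).path == HEALTH_PATH
    return on_path and any(ip in net for net in MONITOR_NETS)

def evaluate(rules, req):
    """First matching rule decides; unmatched requests pass to the origin."""
    for name, matches, status in rules:
        if matches(req):
            return status, name
    return 200, "default-allow"

# Internal VPC probes never reach evaluate(): they bypass the WAF entirely.
BEFORE = [("managed-sqli", managed_sqli, 403)]
AFTER = [("allow-monitor-health", monitor_health, 200)] + BEFORE

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("203.0.113.5", "https://portal.example/healthz?probe=select+1"),
        Request("198.51.100.7", "https://portal.example/healthz?probe=select+1"),
        Request("203.0.113.5", "https://portal.example/search?q=select+1"),
        Request("203.0.113.5", "https://portal.example/healthz?probe=db"),
    ]
    for req in samples:
        print(req.src_ip, urlsplit(req.url).path, evaluate(BEFORE, req), evaluate(AFTER, req))
```

The third sample shows why the allow rule is scoped: a request from a monitor address to any other path still goes through the managed set.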
Takeaway: security controls need the same traffic map as everything else — including who is allowed to ask "are you alive?"