When the WAF Blocked the Monitoring It Was Supposed to Protect

After enabling a managed WAF rule set, a healthcare portal looked healthier in the vendor dashboard — fewer suspicious requests — but synthetic monitors started failing from external locations.

The false lead

Operations assumed the app was down and rolled back the last deployment. Production pods were fine; only edge traffic from the monitoring SaaS was getting HTTP 403 responses.

The actual cause

Health-check URLs contained query strings that matched a generic SQLi signature. Internal probes from the VPC bypassed the WAF; external monitors did not. Alerts fired only when the outside-in path broke.

The fix

The fix was a narrow allow rule for the monitor source IPs, placed before the broad managed set so that it is evaluated first, plus a rewritten health path without suspicious patterns. No new appliances were required.
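The rule ordering described above, modelled as an added example that is not part of the original write-up or any vendor's rule engine. The signature regex, monitor IP range, health URLs, the extra scoping of the allow rule to health paths, and the first-match evaluation model are all constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed stand-in for a generic SQLi signature; not a real vendor rule.
SQLI_SIGNATURE = re.compile(r"(?i)\b(select|union)\b.+\bfrom\b")
# Constructed monitor egress range (documentation address space).
MONITOR_SOURCES = [ipaddress.ip_network("203.0.113.0/28")]
# Assumption: the allow rule is also limited to the health endpoints.
HEALTH_PATHS = {"/health", "/healthz"}


def allow_monitors(src, path, query):
    """Narrow allow rule: known monitor IPs asking for a health path."""
    ip = ipaddress.ip_address(src)
    if path in HEALTH_PATHS and any(ip in net for net in MONITOR_SOURCES):
        return "ALLOW"
    return None


def managed_sqli(src, path, query):
    """Broad managed rule: block when the decoded query matches the signature."""
    return "BLOCK" if SQLI_SIGNATURE.search(query) else None


def evaluate(rules, src, url):
    """Evaluate rules in order; the first ALLOW or BLOCK ends processing."""
    parts = urlsplit(url)
    query = unquote_plus(parts.query)
    for rule in rules:
        action = rule(src, parts.path, query)
        if action:
            return (200 if action == "ALLOW" else 403), rule.__name__
    return 200, "default"  # nothing matched: request passes to the origin


def blocked_probes(rules, probes):
    """Pre-deployment check: which (source, url) monitor probes would get 403?"""
    return [(s, u) for s, u in probes if evaluate(rules, s, u)[0] == 403]


BEFORE = [managed_sqli]                  # managed set only
AFTER = [allow_monitors, managed_sqli]   # narrow allow placed first
OLD_URL = "/health?check=select+1+from+dual"  # constructed health URL
NEW_URL = "/healthz"                          # constructed rewritten path

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, blocked_probes(rules, [("203.0.113.5", OLD_URL)]))
```

Running the monitor's real probe list through `blocked_probes` before enabling a rule set shows which checks would start returning 403, and the same query from a non-monitor address or against a non-health path stays blocked.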

Takeaway: security controls need the same traffic map as everything else — including who is allowed to ask "are you alive?"