I run a number of App Service MVC Asp.Net web applications. I think it would be a good idea to add a WAF to the front the App Service website to enable OWASP protection as well as more visibility on suspicious attacks. Also I would want this to be linked into Azure Security Centre.

As far as I can see this is not a problem with VM websites, but with App Service websites I have seen SO comment (April 2017) about how this may not be supported. Although this information may be outdated now.

1) Am I just trying to replace existing threat detection features that is built into App Services, so adding a WAF is not required?

2) If required, is App Service WAFs supported, and especially linked to Azure Security Centre.

3) If required and possible, then any pointers please?

By the way, I have considered the use of Cloudflare as a WAF wrapper around Azure which looks interesting, but intitially wanted to check out Azure functionality to start with.

Thanks.

1) WAF is supported and recommended even for App Service because it will improve your security capabilities while also providing you with more control and real-time monitoring.

Configure App Service Web Apps with Application Gateway

2) Yes to both. See here:

Azure Security Center and Microsoft Web Application Firewall Integration

3) See above links :)