diff --git a/terraform/deployments/with-web-application-firewall/README.md b/terraform/deployments/with-web-application-firewall/README.md
new file mode 100644
index 0000000..95ab224
--- /dev/null
+++ b/terraform/deployments/with-web-application-firewall/README.md
@@ -0,0 +1,19 @@
+# Manage an NGINXaaS for Azure deployment.
+
+### Usage
+
+The code in this directory can be used to managed an **NGINXaaS for Azure deployment**.
+
+To create a deployment, run the following commands:
+
+```shell
+terraform init
+terraform plan
+terraform apply --auto-approve
+```
+
+Once the deployment is no longer needed, run the following to clean up the deployment and related resources:
+
+```shell
+terraform destroy --auto-approve
+```
diff --git a/terraform/deployments/with-web-application-firewall/main.tf b/terraform/deployments/with-web-application-firewall/main.tf
new file mode 100644
index 0000000..3d9469d
--- /dev/null
+++ b/terraform/deployments/with-web-application-firewall/main.tf
@@ -0,0 +1,94 @@
+terraform {
+ required_version = "~> 1.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.97"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+ subscription_id = "ee920d60-90f3-4a92-b5e7-bb284c3a6ce2"
+}
+
+module "prerequisites" {
+ source = "../../prerequisites"
+ location = var.location
+ name = var.name
+ tags = var.tags
+}
+
+resource "azurerm_nginx_deployment" "example" {
+ name = var.name
+ resource_group_name = module.prerequisites.resource_group_name
+ sku = var.sku
+ location = var.location
+ capacity = 20
+ automatic_upgrade_channel = "stable"
+ diagnose_support_enabled = true
+ identity {
+ type = "UserAssigned"
+ identity_ids = [module.prerequisites.managed_identity_id]
+ }
+ frontend_public {
+ ip_address = [module.prerequisites.public_ip_address_id]
+ }
+ network_interface {
+ subnet_id = module.prerequisites.subnet_id
+ }
+ web_application_firewall {
+ activation_state = "Enabled"
+ }
+ tags = var.tags
+}
+
+resource "azurerm_nginx_configuration" "example-config" {
+ nginx_deployment_id = azurerm_nginx_deployment.example.id
+ root_file = "/etc/nginx/nginx.conf"
+
+ config_file {
+ content = base64encode(<<-EOT
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 8192;
+pid /run/nginx/nginx.pid;
+
+load_module modules/ngx_http_app_protect_module.so;
+
+events {
+ worker_connections 4000;
+}
+
+error_log /var/log/nginx/error.log error;
+
+http {
+ app_protect_enforcer_address 127.0.0.1:50000;
+
+ server {
+ listen 80 default_server;
+
+ location / {
+ app_protect_enable on;
+ app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.tgz;
+ proxy_pass http://127.0.0.1:80/proxy/$request_uri;
+ }
+
+ location /proxy {
+ default_type text/html;
+ return 200 "Hello World\n";
+ }
+ }
+}
+EOT
+ )
+ virtual_path = "/etc/nginx/nginx.conf"
+ }
+}
+
+resource "azurerm_role_assignment" "example" {
+ scope = azurerm_nginx_deployment.example.id
+ role_definition_name = "Monitoring Metrics Publisher"
+ principal_id = module.prerequisites.managed_identity_principal_id
+}
diff --git a/terraform/deployments/with-web-application-firewall/output.tf b/terraform/deployments/with-web-application-firewall/output.tf
new file mode 100644
index 0000000..0bba470
--- /dev/null
+++ b/terraform/deployments/with-web-application-firewall/output.tf
@@ -0,0 +1,9 @@
+output "ip_address" {
+ description = "IP address of NGINXaaS deployment."
+ value = azurerm_nginx_deployment.example.ip_address
+}
+
+output "waf_status" {
+ description = "waf status of NGINXaaS deployment."
+ value = azurerm_nginx_deployment.example.web_application_firewall[0].status
+}
\ No newline at end of file
diff --git a/terraform/deployments/with-web-application-firewall/variables.tf b/terraform/deployments/with-web-application-firewall/variables.tf
new file mode 100644
index 0000000..be81ffa
--- /dev/null
+++ b/terraform/deployments/with-web-application-firewall/variables.tf
@@ -0,0 +1,22 @@
+variable "location" {
+ description = "Azure location name for NGINXaaS deployment."
+ default = "eastus2"
+}
+
+variable "name" {
+ description = "Name of NGINXaaS deployment and related resources."
+ default = "example-nginx"
+}
+
+variable "sku" {
+ description = "SKU of NGINXaaS deployment."
+ default = "standardv2_Monthly"
+}
+
+variable "tags" {
+ description = "Tags for NGINXaaS deployment and related resources."
+ type = map(any)
+ default = {
+ env = "Production"
+ }
+}
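Review bot: The App Protect directives in the nginx.conf heredoc are placed inside `location /` only, so a request that matches the more specific `location /proxy` block (which answers directly with `return 200`) is never inspected by the WAF even though the deployment sets `activation_state = "Enabled"`; the WAF output will report enabled while one location is uncovered. Both `app_protect_enable` and `app_protect_policy_file` are valid at the `server` level and are inherited by every location, so move them up one level: `server {` / `app_protect_enable on;` / `app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.tgz;` and drop the two lines from `location /`. Separately, the `provider "azurerm"` block hard-codes a concrete `subscription_id`; an example directory should take it from a variable or leave it to the provider's `ARM_SUBSCRIPTION_ID` environment variable so that no tenant-specific identifier is committed and the example is portable. `capacity = 20` is the only deployment setting not driven by a variable and could follow the same pattern as `sku`.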
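Review bot: output.tf is committed without a trailing newline (the diff marks it), which `terraform fmt` will rewrite on the next touch and produce a noise-only change; add the newline now. The `waf_status` description also departs from the capitalisation used by every other description in this commit: `description = "WAF status of NGINXaaS deployment."`.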
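Review bot: `location`, `name` and `sku` declare no `type` while `tags` does, so a caller can pass a list or object and the error only surfaces inside the `azurerm_nginx_deployment` resource rather than at variable validation; add `type = string` to each of the three. `tags` is typed `map(any)`, which is looser than what the provider's `tags` argument actually accepts; `type = map(string)` states the real contract and matches the `env = "Production"` default.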