diff --git a/docs/annotations.md b/docs/annotations.md index 7ac140695..bf95db7da 100644 --- a/docs/annotations.md +++ b/docs/annotations.md @@ -18,6 +18,7 @@ For an Ingress resource to be observed by AGIC it **must be annotated** with `ku | [appgw.ingress.kubernetes.io/request-timeout](#request-timeout) | `int32` (seconds) | `30` | | | [appgw.ingress.kubernetes.io/use-private-ip](#use-private-ip) | `bool` | `false` | | | [appgw.ingress.kubernetes.io/backend-protocol](#backend-protocol) | `string` | `http` | `http`, `https` | +| [appgw.ingress.kubernetes.io/waf-policy-for-path](#azure-waf-policy-for-path) | `string` | | | ## Backend Path Prefix 
@@ -253,4 +254,52 @@ spec: backend: serviceName: go-server-service servicePort: 443 -``` \ No newline at end of file +``` + +## Attach firewall policy to a host and path +This annotation allows you to attach an already created WAF policy to the list paths for a host within a Kubernetes +Ingress resource being annotated. + +The WAF policy must be created in advance. Example of using [Azure Portal](https://portal.azure.com/) to create a policy: +![Creating a WAF policy](./images/waf-policy.png) + +Once the policy is created, copy the URI of the policy from the address bar of Azure Portal: +![Creating a WAF policy](./images/waf-policy-1.png) + +The URI would have the following format: +```bash +/subscriptions//resourceGroups//providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/ +``` + +### Usage + +```yaml +appgw.ingress.kubernetes.io/waf-policy-for-path: "/subscriptions/abcd/resourceGroups/rg/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/adserver" +``` + +### Example +The example below will apply the WAF policy +```yaml +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: ad-server-ingress + namespace: commerce + annotations: + kubernetes.io/ingress.class: azure/application-gateway + appgw.ingress.kubernetes.io/waf-policy-for-path: "/subscriptions/abcd/resourceGroups/rg/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/adserver" +spec: + rules: + - http: + paths: + - path: /ad-server + backend: + serviceName: ad-server + servicePort: 80 + + - path: /auth + backend: + serviceName: auth-server + servicePort: 80 +``` +Note that the WAF policy will be applied to both `/ad-server` and `/auth` URLs. \ No newline at end of file diff --git a/docs/images/waf-policy-1.png b/docs/images/waf-policy-1.png new file mode 100644 index 000000000..7ebb4e37b Binary files /dev/null and b/docs/images/waf-policy-1.png differ 
diff --git a/docs/images/waf-policy.png b/docs/images/waf-policy.png new file mode 100644 index 000000000..9b98afc0e Binary files /dev/null and b/docs/images/waf-policy.png differ
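Review bot: in the first hunk of docs/annotations.md the new table row links to `#azure-waf-policy-for-path`, but the heading the second hunk adds is `## Attach firewall policy to a host and path`, which renders as the anchor `#attach-firewall-policy-to-a-host-and-path`, so the link in the annotation table is dead; either rename the heading to match the anchor (e.g. `## Azure WAF policy for path`) or change the link target to the anchor the heading actually produces. The Allowed Values column is also left blank although the value is not free-form; a short hint such as "ARM resource ID of a WAF policy" would tell readers scanning the table what the `string` must contain.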
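Review bot: in the second hunk the URI format block has lost its placeholders (`/subscriptions//resourceGroups//providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/` has empty segments where the subscription ID, resource group and policy name belong, most likely angle-bracket placeholders swallowed by markdown); spell them out inside the fence, e.g. `/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/<policy-name>`, and tag the fence `text` rather than `bash`, since it is not a command. The heading promises scoping "to a host and path", yet the example rule has no `host:` and the closing note says the policy lands on both `/ad-server` and `/auth`; state plainly that the annotation applies to every path of every rule in the annotated Ingress, and say whether a different policy for a subset of paths requires a separate Ingress resource, otherwise readers will assume per-path granularity the annotation does not offer. Smaller points: "attach an already created WAF policy to the list paths for a host" should read "to the list of paths"; the second screenshot reuses the alt text "Creating a WAF policy" although it shows copying the URI; "The example below will apply the WAF policy" is cut off. Finally, nothing in the section says what AGIC does when the resource ID is malformed, the policy lives in another subscription, or the AGIC identity lacks permission on the policy: document whether the Ingress is rejected or deployed without the WAF attached, because a silent fallback would leave those paths unprotected while the operator believes a firewall is in front of them.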