
Migrate to Application Gateway WAF policy#

Reliability · Application Gateway · Rule · 2024_06 · Critical

Migrate to Application Gateway WAF policy.

Description#

Application Gateway V2 supports two configuration modes for WAF:

  • Define and reference a WAF policy that can be reused across multiple Application Gateways.
  • Specify a WAF configuration tied directly to a specific Application Gateway. This is done by setting the properties.webApplicationFirewallConfiguration property.

Setting the Application Gateway WAF configuration is deprecated and will be retired on 15 March 2027.

Recommendation#

Consider upgrading the Application Gateway to the WAF_v2 SKU and referencing a WAF policy instead of an inline WAF configuration.

Examples#

Configure with Azure template#

To deploy Application Gateways that pass this rule:

  • Deploy an Application Gateway with the WAF_v2 SKU.
  • Migrate any WAF configuration from properties.webApplicationFirewallConfiguration to a separate WAF policy.
  • Set the properties.firewallPolicy.id property to reference the WAF policy resource by ID.

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2024-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "sslPolicy": {
      "policyType": "Custom",
      "minProtocolVersion": "TLSv1_2",
      "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      ]
    },
    "autoscaleConfiguration": {
      "minCapacity": 2,
      "maxCapacity": 3
    },
    "firewallPolicy": {
      "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'agwwaf')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'agwwaf')]"
  ]
}

Configure with Bicep#

To deploy Application Gateways that pass this rule:

  • Deploy an Application Gateway with the WAF_v2 SKU.
  • Migrate any WAF configuration from properties.webApplicationFirewallConfiguration to a separate WAF policy.
  • Set the properties.firewallPolicy.id property to reference the WAF policy resource by ID.

For example:

Azure Bicep snippet
resource appgw 'Microsoft.Network/applicationGateways@2024-01-01' = {
  name: name
  location: location
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    sslPolicy: {
      policyType: 'Custom'
      minProtocolVersion: 'TLSv1_2'
      cipherSuites: [
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      ]
    }
    autoscaleConfiguration: {
      minCapacity: 2
      maxCapacity: 3
    }
    firewallPolicy: {
      // waf is the Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies resource declared elsewhere in the same Bicep file
      id: waf.id
    }
  }
}
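As an added example (not part of this rule's documentation), the following Python script audits the resources in an ARM template for Application Gateways that still set the deprecated properties.webApplicationFirewallConfiguration or lack a properties.firewallPolicy.id reference. The template it runs against is constructed inline; the resource names agw-legacy and agw-migrated are illustrative.

```python
"""Audit an ARM template for Application Gateways still using the retired
inline WAF configuration instead of a referenced WAF policy."""
import json

APPGW_TYPE = "Microsoft.Network/applicationGateways"


def audit_app_gateway(resource: dict) -> list[str]:
    """Return findings for one applicationGateways resource (empty = pass)."""
    findings = []
    props = resource.get("properties", {})
    sku = props.get("sku", {})
    if sku.get("tier") != "WAF_v2" or sku.get("name") != "WAF_v2":
        findings.append("SKU is not WAF_v2")
    # The inline configuration is deprecated and retired on 15 March 2027.
    if "webApplicationFirewallConfiguration" in props:
        findings.append(
            "uses properties.webApplicationFirewallConfiguration "
            "(deprecated, retired 15 March 2027)")
    # A WAF_v2 gateway should reference a reusable WAF policy by resource ID.
    if not props.get("firewallPolicy", {}).get("id"):
        findings.append("properties.firewallPolicy.id is not set")
    return findings


def audit_template(template: dict) -> dict[str, list[str]]:
    """Map each Application Gateway name in the template to its findings."""
    return {
        r["name"]: audit_app_gateway(r)
        for r in template.get("resources", [])
        if r.get("type", "").lower() == APPGW_TYPE.lower()
    }


# Constructed sample template: one legacy gateway, one migrated gateway.
SAMPLE_TEMPLATE = json.loads("""{
  "resources": [
    {"type": "Microsoft.Network/applicationGateways", "name": "agw-legacy",
     "properties": {"sku": {"name": "WAF_v2", "tier": "WAF_v2"},
       "webApplicationFirewallConfiguration": {"enabled": true,
         "firewallMode": "Prevention", "ruleSetType": "OWASP",
         "ruleSetVersion": "3.2"}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "agw-migrated",
     "properties": {"sku": {"name": "WAF_v2", "tier": "WAF_v2"},
       "firewallPolicy": {"id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'agwwaf')]"}}}
  ]
}""")

if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```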
