Migrate to Application Gateway WAF policy
Reliability · Application Gateway · Rule · 2024_06 · Critical
Migrate to Application Gateway WAF policy.
Description
Application Gateway V2 supports two configuration modes for WAF:
- Define and reference a WAF policy that can be reused across multiple Application Gateways.
- Specify the WAF configuration tied directly to a specific Application Gateway.
  This is done by setting the properties.webApplicationFirewallConfiguration property.
Setting the Application Gateway WAF configuration is deprecated and will be retired on 15 March 2027.
Recommendation
Consider upgrading Application Gateway to use WAF v2 referencing a WAF policy.
Examples
Configure with Azure template
To deploy Application Gateways that pass this rule:
- Deploy an Application Gateway with the WAF_v2 SKU.
- Migrate any WAF configuration from properties.webApplicationFirewallConfiguration to a separate WAF policy.
- Set the properties.firewallPolicy.id property to reference the WAF policy resource by ID.
For example:
Azure Template snippet
{
  "name": "[parameters('name')]",
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2023-11-01",
  "location": "[resourceGroup().location]",
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "firewallPolicy": {
      "id": "[parameters('firewallPolicyId')]"
    }
  }
}
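To find gateways in an existing ARM template that still need this migration, the following added example (not part of the original page, and not the rule's own implementation) applies the three steps above as checks. The function name, the sample gateway names and the sample template are constructed for illustration; only top-level resources are inspected.

```python
import json

AGW_TYPE = "microsoft.network/applicationgateways"

# Constructed sample template: one gateway on the legacy inline WAF
# configuration, one already referencing a WAF policy.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"name": "agw-legacy", "type": "Microsoft.Network/applicationGateways",
   "properties": {
     "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
     "webApplicationFirewallConfiguration": {"enabled": true, "firewallMode": "Prevention"}}},
  {"name": "agw-migrated", "type": "Microsoft.Network/applicationGateways",
   "properties": {
     "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
     "firewallPolicy": {"id": "[parameters('firewallPolicyId')]"}}}
]}
""")


def find_unmigrated_gateways(template):
    """Return {gateway name: [findings]} for gateways that miss any of the three steps."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # templates using symbolic names keep resources in an object
        resources = list(resources.values())
    results = {}
    for res in resources:
        if res.get("type", "").lower() != AGW_TYPE:
            continue
        props = res.get("properties", {})
        findings = []
        if props.get("sku", {}).get("tier") != "WAF_v2":
            findings.append("SKU is not WAF_v2")
        if "webApplicationFirewallConfiguration" in props:
            findings.append("legacy webApplicationFirewallConfiguration is set")
        if not props.get("firewallPolicy", {}).get("id"):
            findings.append("firewallPolicy.id is not set")
        if findings:
            results[res.get("name", "<unnamed>")] = findings
    return results


if __name__ == "__main__":
    for name, findings in find_unmigrated_gateways(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'; '.join(findings)}")
```

A gateway that sets both properties is still reported, so the leftover inline configuration is removed before the retirement date rather than silently carried along.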
Configure with Bicep
To deploy Application Gateways that pass this rule:
- Deploy an Application Gateway with the WAF_v2 SKU.
- Migrate any WAF configuration from properties.webApplicationFirewallConfiguration to a separate WAF policy.
- Set the properties.firewallPolicy.id property to reference the WAF policy resource by ID.
For example:
Azure Bicep snippet
resource agw 'Microsoft.Network/applicationGateways@2023-11-01' = {
  name: name
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    firewallPolicy: {
      id: firewallPolicyId
    }
  }
}
Links
- RE:04 Target metrics
- Retirement: Support for Application Gateway Web Application Firewall v2 Configuration is ending
- Upgrade WAF v2 with legacy WAF configuration to WAF policy
- Azure resource deployment