Migrate to Application Gateway WAF policy

March 21, 2025 ยท View on GitHub

SYNOPSIS

Migrate to Application Gateway WAF policy.

DESCRIPTION

Application Gateway V2 supports two configuration modes for WAF:

  • Define and reference an WAF policy that can be reused across multiple Application Gateways.
  • Specify the WAF configuration tied directly a specific Application Gateway. This is done by setting the properties.webApplicationFirewallConfiguration property.

Setting the Application Gateway WAF configuration is depreciated and will be retired on 15 March 2027.

RECOMMENDATION

Consider upgrading Application Gateway to use WAF v2 referencing a WAF policy.

EXAMPLES

Configure with Azure template

To deploy Application Gateways that pass this rule:

  • Deploy an Application Gateway with the WAF_v2 SKU.
  • Migrate any WAF configuration from properties.webApplicationFirewallConfiguration to a separate WAF policy.
  • Set the properties.firewallPolicy.id property to reference the WAF policy resource by ID.

For example:

{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2024-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "sslPolicy": {
      "policyType": "Custom",
      "minProtocolVersion": "TLSv1_2",
      "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      ]
    },
    "autoscaleConfiguration": {
      "minCapacity": 2,
      "maxCapacity": 3
    },
    "firewallPolicy": {
      "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'agwwaf')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', 'agwwaf')]"
  ]
}

Configure with Bicep

To deploy Application Gateways that pass this rule:

  • Deploy an Application Gateway with the WAF_v2 SKU.
  • Migrate any WAF configuration from properties.webApplicationFirewallConfiguration to a separate WAF policy.
  • Set the properties.firewallPolicy.id property to reference the WAF policy resource by ID.

For example:

resource appgw 'Microsoft.Network/applicationGateways@2024-01-01' = {
  name: name
  location: location
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    sslPolicy: {
      policyType: 'Custom'
      minProtocolVersion: 'TLSv1_2'
      cipherSuites: [
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      ]
    }
    autoscaleConfiguration: {
      minCapacity: 2
      maxCapacity: 3
    }
    firewallPolicy: {
      id: waf.id
    }
  }
}