Cannot associate an Azure WAF policy to regional Azure Application Gateway (v2)

Since App Gateway v2, you can enable the new WAF policies, which allow more tweaking of the WAF rules and settings, for instance exclusions, custom rules, multiple rule sets and more. It is still a basic WAF, and still OK on pricing too, though.

Anyhow, the idea is that when you create an App Gateway with WAF, by default it only comes with a v1 policy; associating a WAF policy to the App Gateway will then only upgrade that to v2 (the policy, not the App Gateway itself, which does need to be v2 already).

And so, I was facing some issues when trying to pre-configure everything in a WAF policy and then associate it to an App Gateway: the deployment would fail, spitting out:

{'code':'DeploymentFailed','message':'At least one resource deployment operation failed. Please list deployment operations for details. Please see for usage details.','details':[{'code':'BadRequest','message':'{\r\n \'error\': {\r\n \'code\': \'ApplicationGatewayWafPolicyCannotBeAttachedDueToConflict\',\r\n \'message\': \'Cannot attach Firewall policy /subscriptions/yourID/resourceGroups/yourRG/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/WAFpolicy1 to the Application Gateway /subscriptions/yourID/resourceGroups/sameRG/providers/Microsoft.Network/applicationGateways/webgw1, since the former is not in sync with WebApplicationFirewallConfiguration.\',\r\n \'details\': []\r\n }\r\n}'}]}

(screenshot: the error)

By "not in sync", it really wants to tell you that the Azure WAF policy and the App Gateway's WAF configuration don't match. Looking at the error (since the former is not in sync with WebApplicationFirewallConfiguration), you have to take the following into consideration:

When adding a WAF policy, it must match the exact current configuration of its App Gateway (or of the currently attached WAF policy, if you are replacing one). Once you have a policy associated with your Application Gateway, you can continue to make changes to your WAF rules and settings.

This means the policy must contain the exact same settings that are currently applied to the gateway. The same:

- Custom Rules
- WAF configuration (it is very important to check that the OWASP rule set and the disabled rules are identical)
- Global parameters, if applied
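To make that check repeatable before you hit the deployment error, here is an added example (my own script, not part of the original post or of any Azure tooling) that compares a gateway's inline WAF configuration with a WAF policy field by field, and can also derive a policy that mirrors the gateway so the first association goes through. Both input documents are constructed samples shaped like the ARM JSON behind `az network application-gateway show` and `az network application-gateway waf-policy show`; the property names used here are my assumptions about that schema, not values taken from the post.

```python
"""Pre-flight check that a WAF policy is "in sync" with an Application Gateway's
inline WebApplicationFirewallConfiguration before attaching it.

Inputs are constructed samples; property names are assumptions about the ARM schema.
"""

# Constructed sample: the gateway's current inline WAF settings (schema assumed).
GATEWAY_WAF_CONFIG = {
    "enabled": True,
    "firewallMode": "Prevention",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.1",
    "disabledRuleGroups": [
        {"ruleGroupName": "REQUEST-920-PROTOCOL-ENFORCEMENT", "rules": [920300, 920320]},
    ],
    "requestBodyCheck": True,
    "maxRequestBodySizeInKb": 128,
    "fileUploadLimitInMb": 100,
    "exclusions": [
        {"matchVariable": "RequestHeaderNames", "selectorMatchOperator": "Equals",
         "selector": "x-trace-id"},
    ],
}

# Constructed sample: a policy drafted without first reading the gateway's config.
DRIFTED_POLICY = {
    "policySettings": {"state": "Enabled", "mode": "Detection", "requestBodyCheck": True,
                       "maxRequestBodySizeInKb": 128, "fileUploadLimitInMb": 100},
    "managedRules": {
        "managedRuleSets": [{"ruleSetType": "OWASP", "ruleSetVersion": "3.2",
                             "ruleGroupOverrides": []}],
        "exclusions": [],
    },
}


def _exclusions(items):
    """Exclusions compare as an unordered set of (variable, operator, selector)."""
    return frozenset((e["matchVariable"], e["selectorMatchOperator"], e["selector"]) for e in items)


def normalize_gateway(cfg):
    """Reduce the inline config to the fields the policy must reproduce exactly."""
    disabled = set()
    for group in cfg.get("disabledRuleGroups", []):
        rules = group.get("rules") or []
        if not rules:  # no rule list means the whole group is disabled
            disabled.add((group["ruleGroupName"], "*"))
        disabled.update((group["ruleGroupName"], int(r)) for r in rules)
    return {
        "mode": cfg["firewallMode"],
        "ruleSet": (cfg["ruleSetType"], cfg["ruleSetVersion"]),
        "disabledRules": disabled,
        "requestBodyCheck": cfg.get("requestBodyCheck", True),
        "maxRequestBodySizeInKb": cfg.get("maxRequestBodySizeInKb", 128),
        "fileUploadLimitInMb": cfg.get("fileUploadLimitInMb", 100),
        "exclusions": _exclusions(cfg.get("exclusions", [])),
    }


def normalize_policy(policy):
    """Same shape for a policy. A policy may carry several managed rule sets, but the
    gateway's inline config has exactly one, so only a single-set policy can match."""
    settings, managed = policy["policySettings"], policy["managedRules"]
    sets = managed.get("managedRuleSets", [])
    if len(sets) != 1:
        raise ValueError(f"policy must contain exactly one managed rule set, found {len(sets)}")
    rule_set, disabled = sets[0], set()
    for group in rule_set.get("ruleGroupOverrides", []):
        rules = group.get("rules") or []
        if not rules:
            disabled.add((group["ruleGroupName"], "*"))
        for r in rules:
            if r.get("state", "Disabled") == "Disabled":
                disabled.add((group["ruleGroupName"], int(r["ruleId"])))
    return {
        "mode": settings["mode"],
        "ruleSet": (rule_set["ruleSetType"], rule_set["ruleSetVersion"]),
        "disabledRules": disabled,
        "requestBodyCheck": settings.get("requestBodyCheck", True),
        "maxRequestBodySizeInKb": settings.get("maxRequestBodySizeInKb", 128),
        "fileUploadLimitInMb": settings.get("fileUploadLimitInMb", 100),
        "exclusions": _exclusions(managed.get("exclusions", [])),
    }


def find_mismatches(gateway_cfg, policy):
    """One human-readable line per field that would trip the 'not in sync' conflict."""
    g, p = normalize_gateway(gateway_cfg), normalize_policy(policy)
    return [f"{k}: gateway={g[k]!r} policy={p[k]!r}" for k in sorted(g) if g[k] != p[k]]


def build_matching_policy(cfg):
    """Derive a policy mirroring the gateway field for field; attach it first, tune later."""
    overrides = [{"ruleGroupName": grp["ruleGroupName"],
                  "rules": [{"ruleId": str(r), "state": "Disabled"} for r in grp.get("rules") or []]}
                 for grp in cfg.get("disabledRuleGroups", [])]
    return {
        "policySettings": {
            "state": "Enabled" if cfg.get("enabled", True) else "Disabled",
            "mode": cfg["firewallMode"],
            "requestBodyCheck": cfg.get("requestBodyCheck", True),
            "maxRequestBodySizeInKb": cfg.get("maxRequestBodySizeInKb", 128),
            "fileUploadLimitInMb": cfg.get("fileUploadLimitInMb", 100),
        },
        "managedRules": {
            "managedRuleSets": [{"ruleSetType": cfg["ruleSetType"],
                                 "ruleSetVersion": cfg["ruleSetVersion"],
                                 "ruleGroupOverrides": overrides}],
            "exclusions": [dict(e) for e in cfg.get("exclusions", [])],
        },
        "customRules": [],
    }


if __name__ == "__main__":
    for line in find_mismatches(GATEWAY_WAF_CONFIG, DRIFTED_POLICY):
        print("MISMATCH", line)
    generated = build_matching_policy(GATEWAY_WAF_CONFIG)
    print("generated policy mismatches:", find_mismatches(GATEWAY_WAF_CONFIG, generated))
```

Run against the constructed samples, the drifted policy reports four differences (disabled rules, exclusions, mode and rule set version), while the policy produced by `build_matching_policy` reports none. Feed it the real `webApplicationFirewallConfiguration` block from your gateway instead of the sample and you get the list of fields to align before attaching; custom rules are not compared here because a gateway's inline configuration has none, so a first-time association starts from an empty `customRules` list.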

Hoping this helps…

#appgw, #application-gateway, #azure, #policy