Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,003 questions
How to associate WAF to an existing Application Gateway using REST API
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 94%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
Ravalia Krutika Harishbhai
40
Reputation points
Hello team,
We have an existing application gateway, and I want to automate associating a WAF policy on this existing gateway. I am using Ansible URI module to achieve this, hence exploring API for WAF Association.
I want to achieve association using REST API for all 3 options - Application Gateway, HTTP Listener, Route Path.
For creating WAF and associating, I try below curl for associating HTTP Listener:
curl --location --request PUT 'https://management.azure.com/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/policyName?api-version=2023-05-01' \
--data '{
"location": "eastus",
"properties": {
"provisioningState": "Succeeded",
"customRules": [],
"policySettings": {
"requestBodyCheck": true,
"maxRequestBodySizeInKb": 128,
"fileUploadLimitInMb": 100,
"state": "Enabled",
"mode": "Prevention",
"requestBodyInspectLimitInKB": 128,
"fileUploadEnforcement": true,
"requestBodyEnforcement": true
},
"managedRules": {
"managedRuleSets": [
{
"ruleSetType": "OWASP",
"ruleSetVersion": "3.2",
"ruleGroupOverrides": []
}
],
"exclusions": []
},
"httpListeners": [
{
"id": "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Network/applicationGateways/test-appgateway/httpListeners/test-listener"
}
]
}
}'
Similarly, I replace "httpListeners" with "applicationGateways" in the body to associate Application Gateway to WAF:
"applicationGateways": [
{
"id": "/subscriptions/subscriptionId/resourceGroups/resourceGroupId/providers/Microsoft.Network/applicationGateways/test-appgateway"
}
]
But none of it works. The association is not reflecting.
Kindly let me know if this is not the correct approach and I should follow different methods.
Thank you
Regards,
Krutika
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee2023-11-23T04:08:08.34+00:00 Thank you for reaching out. I am performing a lab for this scenario and will share an update soon. Meanwhile can you please confirm if your existing Application gateway
test-appgatewayis WAF_v2 SKU? Thank you! -
Ravalia Krutika Harishbhai 40 Reputation points
2023-11-23T04:41:33.3+00:00 yes it is WAF_v2.
Alternatively if I update application gateway with firewallPolicy using PUT call, it is now associatedcurl:
curl --location --request PUT 'https://management.azure.com/subscriptions/subId/resourceGroups/resourcegroupName/providers/Microsoft.Network/applicationGateways/test-gateway?api-version=2023-05-01' { "other details" "properties": { "all other details", "firewallPolicy": { "id": "/subscriptions/subId/resourceGroups/resourceGroupName/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/test-waf" } } } -
Ravalia Krutika Harishbhai 40 Reputation points
2023-11-23T04:43:06.82+00:00 association with
/ApplicationGatewayWebApplicationFirewallPoliciesendpoint doesnt work, association with/applicationGatewayswork -
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee
2023-11-28T02:00:17.45+00:00 Thank you for getting back and apologies for the delay here.
If I understand it correctly you were able to associate the WAF policy to existing Application Gateway using /applicationGateways API. Were you able to associate it for all 3 options - Application Gateway, HTTP Listener, Route Path?
I think /applicationGateways API will be the correct way to achieve this association. Thank you!
Sign in to comment