azure-cli: Unable to update Capacity units on the Application Gateway when using WAF Policy
Describe the bug
After creating a WAF Policy and creating an Application Gateway, it’s not possible to update the Capacity units anymore. Trying to update the Capacity in Azure Portal gives an error.
Command Name
az network application-gateway create
Errors: Failed to save configuration changes to application gateway ‘application-gateway-some-name’. Error: WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy <resource here>'>application-gateway-waf-policy associated with it.
To Reproduce:
az network application-gateway waf-policy create
az network application-gateway waf-policy policy-setting update
az network application-gateway create -g {} -l {} -n {} --vnet-name {} --subnet {} --public-ip-address {} --frontend-port {} --sku {} --min-capacity {} --max-capacity {} --http2 {} --zones {} {} {} --waf-policy {}
- Now, try to change the capacity in Azure Portal.
Expected Behavior
The capacity updated as normal without a WAF policy.
Environment Summary
Windows-10-10.0.19041-SP0
Python 3.6.8
Installer: MSI
azure-cli 2.10.1 *
Additional Context
About this issue
- State: closed
- Created 4 years ago
- Reactions: 2
- Comments: 28 (5 by maintainers)
We found a fix, our issue was we had both WAF config and WAF policy configured on the app gateway. We had WAF Config before and we moved to policy long back but somehow WAF config was still there even though it won’t show on UI. I guess there was a recent change on the app gateway to add more validation if there are both configured it won’t allow changes.
We were able to remove the config with the following commands and after that, it started working.
Same as @marlowp here and used his CLI command to fix it; however got an error on the rule-set version not allowed to be Null, so had to supply the parameters: --enabled false --rule-set-type OWASP --rule-set-version 3.2
But worked like a charm; so that took away a bit of the irritation that this suddenly popped up and no way to fix it from the portal itself…
Our AppGw is running in West-Europe btw…
Thanks for raising this issue. We are aware of the API issue that was recently introduced. We are working on rolling out the fix. The issue can occur when you use API to update the config to policy. If you’re using migration script or Firewall Manager integration, you will also encounter this issue.
Meanwhile, the workaround is to nullify the WAF config object post upgrade. Thanks for your patience.
```powershell
$SubscriptionId = ''
$ResourceGroupName = ''
$GatewayName = ''

Connect-AzAccount -Subscription $SubscriptionId
$AppGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
# Null out the legacy WAF config object, then push the updated gateway
$AppGw.webApplicationFirewallConfiguration = $null
Set-AzApplicationGateway -ApplicationGateway $AppGw
```
We are pleased to announce this issue is now resolved and should no longer be observed. Appreciate you all for raising the issue and your patience while we have rolled out a fix.
#please-close
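An added example, not part of the original thread or of azure-cli itself: a small audit that flags gateways still carrying a legacy WAF config next to an associated WAF policy, the state the comments above describe. It assumes input shaped like `az network application-gateway list -o json`; the field names follow the ARM resource schema, and the sample data and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `az network application-gateway list -o json`.
# Field names are an assumption taken from the ARM resource schema.
SAMPLE = json.loads("""[
 {"name": "agw-both", "resourceGroup": "rg-a",
  "firewallPolicy": {"id": "/subscriptions/SUB/placeholder/policy-a"},
  "webApplicationFirewallConfiguration":
    {"enabled": true, "ruleSetType": "OWASP", "ruleSetVersion": "3.0"}},
 {"name": "agw-policy", "resourceGroup": "rg-a",
  "firewallPolicy": {"id": "/subscriptions/SUB/placeholder/policy-b"},
  "webApplicationFirewallConfiguration": null},
 {"name": "agw-legacy", "resourceGroup": "rg-b", "firewallPolicy": null,
  "webApplicationFirewallConfiguration":
    {"enabled": false, "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}},
 {"name": "agw-arm-shape", "resourceGroup": "rg-b",
  "properties": {
    "firewallPolicy": {"id": "/subscriptions/SUB/placeholder/policy-c"},
    "webApplicationFirewallConfiguration": {"enabled": true}}}
]""")


def classify(gw):
    """Report which WAF mechanisms one gateway object carries."""
    # az CLI output is flattened; raw ARM responses nest under "properties".
    props = gw.get("properties") or gw
    policy_id = (props.get("firewallPolicy") or {}).get("id")
    legacy = props.get("webApplicationFirewallConfiguration")
    if policy_id and legacy is not None:
        state = "policy+legacy-config"   # the state the thread describes
    elif policy_id:
        state = "policy-only"
    elif legacy is not None:
        state = "legacy-config-only"
    else:
        state = "no-waf"
    return {"name": gw.get("name"), "resourceGroup": gw.get("resourceGroup"),
            "state": state, "policyId": policy_id,
            "legacyEnabled": (legacy or {}).get("enabled")}


def leftover_legacy_config(gateways):
    """Gateways with a WAF policy attached and a legacy WAF config still set."""
    return [r for r in map(classify, gateways)
            if r["state"] == "policy+legacy-config"]


if __name__ == "__main__":
    for row in leftover_legacy_config(SAMPLE):
        print(f'{row["resourceGroup"]}/{row["name"]}: legacy WAF config still '
              f'present (enabled={row["legacyEnabled"]}) next to {row["policyId"]}')
```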
I managed to reproduce this from the Azure portal in West Europe region. Attempting to update the fixed capacity produces this ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy error: