azure-cli: Unable to update Capacity units on the Application Gateway when using WAF Policy

Describe the bug

After creating a WAF Policy and creating an Application Gateway, it’s not possible to update the Capacity units anymore. Trying to update the Capacity in Azure Portal gives an error.

Command Name az network application-gateway create

Errors: Failed to save configuration changes to application gateway ‘application-gateway-some-name’. Error: WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy <resource here>'>application-gateway-waf-policy associated with it.

To Reproduce:

  • az network application-gateway waf-policy create
  • az network application-gateway waf-policy policy-setting update
  • az network application-gateway create -g {} -l {} -n {} --vnet-name {} --subnet {} --public-ip-address {} --frontend-port {} --sku {} --min-capacity {} --max-capacity {} --http2 {} --zones {} {} {} --waf-policy {}
  • Now, try to change the capacity in Azure Portal.

Expected Behavior

The capacity is updated as normal, as it is without a WAF policy.

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.6.8
Installer: MSI

azure-cli 2.10.1 *

Additional Context

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 28 (5 by maintainers)

Most upvoted comments

We found a fix, our issue was we had both WAF config and WAF policy configured on the app gateway. We had WAF Config before and we moved to policy long back but somehow WAF config was still there even though it won’t show on UI. I guess there was a recent change on the app gateway to add more validation if there are both configured it won’t allow changes.

We were able to remove the config with the following commands and after that, it started working.

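    # Placeholders: replace with your own subscription ID, resource group and gateway name
    $SubscriptionId = 'sub ID'
    $ResourceGroupName = 'ResourceGroup'
    $GatewayName = 'AppGWName'
    Connect-AzAccount -Subscription $SubscriptionId
    $AppGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    # Clear the leftover legacy WAF config; the associated WAF policy stays in place
    $AppGw.webApplicationFirewallConfiguration = $null
    Set-AzApplicationGateway -ApplicationGateway $AppGw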

Same as @marlowp here and used his CLI command to fix it; however got an error on the rule-set version not allowed to be Null, so had to supply the parameters: --enabled false --rule-set-type OWASP --rule-set-version 3.2

But worked like a charm; so that took away a bit of the irritation that this suddenly popped up and no way to fix it from the portal itself…

Our AppGw is running in West-Europe btw…

Thanks for raising this issue. We are aware of the API issue that was recently introduced. We are working on rolling out the fix. The issue can occur when you use API to update the config to policy. If you’re using migration script or Firewall Manager integration, you will also encounter this issue.

Meanwhile, the workaround is to nullify the WAF config object post upgrade. Thanks for your patience.

    $SubscriptionId = ''
    $ResourceGroupName = ''
    $GatewayName = ''
    Connect-AzAccount -Subscription $SubscriptionId
    $AppGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    $AppGw.webApplicationFirewallConfiguration = $null
    Set-AzApplicationGateway -ApplicationGateway $AppGw
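
An added example, not part of the original thread or of the Azure tooling: before applying the workaround above, this audits every Application Gateway in the current subscription for the state the comments describe (a WAF policy associated while a legacy WAF config object is still present) and clears the legacy object only in that state. The function names `Get-WafConfigState` and `Clear-LegacyWafConfig` are hypothetical; it assumes the Az.Network module and an existing `Connect-AzAccount` session.

```powershell
# Added example (hypothetical helper names). Assumes Az.Network is installed
# and Connect-AzAccount has already been run for the target subscription.

function Get-WafConfigState {
    param([Parameter(Mandatory)] $AppGw)
    # FirewallPolicy holds the associated WAF policy reference;
    # WebApplicationFirewallConfiguration is the legacy inline WAF config.
    $hasPolicy = [bool]($AppGw.FirewallPolicy -and $AppGw.FirewallPolicy.Id)
    $hasLegacy = $null -ne $AppGw.WebApplicationFirewallConfiguration
    if ($hasPolicy -and $hasLegacy) { return 'Both' }             # state from this issue
    if ($hasPolicy)                 { return 'PolicyOnly' }       # nothing to do
    if ($hasLegacy)                 { return 'LegacyConfigOnly' } # do NOT null this
    return 'NoWaf'
}

function Clear-LegacyWafConfig {
    param([Parameter(Mandatory)] $AppGw)
    $state = Get-WafConfigState -AppGw $AppGw
    if ($state -ne 'Both') {
        # Guard: never remove the legacy config unless a policy is associated.
        Write-Warning "$($AppGw.Name): state is '$state', leaving it unchanged."
        return
    }
    $AppGw.WebApplicationFirewallConfiguration = $null
    Set-AzApplicationGateway -ApplicationGateway $AppGw | Out-Null
    Write-Output "$($AppGw.Name): legacy WAF config removed, policy kept."
}

# Audit only: list every gateway with its WAF state and associated policy.
$gateways = Get-AzApplicationGateway
$report = foreach ($gw in $gateways) {
    [pscustomobject]@{
        ResourceGroup = $gw.ResourceGroupName
        Name          = $gw.Name
        Tier          = $gw.Sku.Tier
        WafState      = Get-WafConfigState -AppGw $gw
        PolicyId      = $gw.FirewallPolicy.Id
    }
}
$report | Sort-Object WafState, Name | Format-Table -AutoSize

# Remediate only after reviewing the report; uncomment to apply.
# $gateways | ForEach-Object { Clear-LegacyWafConfig -AppGw $_ }
```

Gateways reported as `LegacyConfigOnly` still depend on the inline WAF config, which is why the remediation step skips them.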

We are pleased to announce this issue is now resolved and should no longer be observed. Appreciate you all for raising the issue and your patience while we have rolled out a fix.

#please-close

I managed to reproduce this from the Azure portal in West Europe region. Attempting to update the fixed capacity produces this ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy error:

WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy /subscriptions/[REDACTED]/resourceGroups/[REDACTED]/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/[REDACTED] associated with it.