Azure – Remove WAF policy on Azure Gateway

azureazure-networking

On Azure, I need to disassociate an existing WAF policy that is tied to an Azure Application Gateway but cannot find a way.

I've created a new WAF policy and associated it with my Azure Application Gateway. I do not like the way it is configured and would now like to remove it but it gives me an error message saying

Failed to delete the WAF policy 'wafpolicyNew'. Error: Firewall Policy
can not be deleted since it is still allocated to resource subscriptions/75d2e0ac-xxxxx450c0a6fc/resourceGroups/xxx/providers/Microsoft.Network/applicationGateways/mygateway

Is there any way I can disassociate the policy from my Application Gateway?

I've tried using Powershell

$appGw = Get-AzApplicationGateway -Name "mygateway"
$appGw.FirewallPolicy = $null
Set-AzApplicationGateway -ApplicationGateway $appGw

But I get another error message saying

cannot be removed from Application Gateway, changing from one firewall
policy to another is permitted

and also tried using the Portal to look for a disassociate button but none to be found.

Best Answer

WAF policies can be deleted from an application gateway by using the Azure CLI.

Stop the application gateway.

 az network application-gateway stop -g MyResourceGroup -n MyAppGateway

Remove the policy

 az network application-gateway waf-policy delete --name MyApplicationGatewayWAFPolicy --resource-group MyResourceGroup

Related Solutions

Azure – How to change the subnet of a secondary NIC in Azure

I had create a VM with two NICs, NIC01(10.0.1.0/24) and NIC02(10.0.2.0/24), then I use powershell to set the azure network interface, here is my script, after the script complete, the NIC01 change to 10.0.3.0/24. It works for me.

$NICname = nic01
$RGname = jason
$NIC = Get-AzureRmNetworkInterface -Name $NICname -ResourceGroupName $RGname
$NIC.IpConfigurations[0].PrivateIpAddress 
$VNET = Get-AzureRmVirtualNetwork -Name $VNETname  -ResourceGroupName $RGname
$Subnet2 = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $VNET -Name subnet03
$NIC.IpConfigurations[0].Subnet.Id = $Subnet2.Id
Set-AzureRmNetworkInterface -NetworkInterface $NIC

And here is the result:

Azure SSL Application Gateway with Web APPS

here is the script MS Support worked with me on to make this work

# FQDN of the web app
$webappFQDN = "XXX.XXXXX.com"  

# Retrieve an existing application gateway
$gw = Get-AzureRmApplicationGateway -Name "XXXX" -ResourceGroupName "XXXX"

# Define the status codes to match for the probe
$match=New-AzureRmApplicationGatewayProbeHealthResponseMatch -StatusCode 200-399

# Add a new probe to the application gateway
Add-AzureRmApplicationGatewayProbeConfig -name webappprobe-1 -ApplicationGateway $gw -Protocol Https -Path / -Interval 30 -Timeout 120 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings -Match $match

# Retrieve the newly added probe
$probe = Get-AzureRmApplicationGatewayProbeConfig -name webappprobe-1 -ApplicationGateway $gw

# Configure an existing backend http settings 

Set-AzureRmApplicationGatewayBackendHttpSettings -Name appGatewayBackendHttpSettings -ApplicationGateway $gw -PickHostNameFromBackendAddress -Port 443 -Protocol https -CookieBasedAffinity Disabled -RequestTimeout 30 -Probe $probe

Exclude these 2 lines
#$authcert = New-AzureRmApplicationGatewayAuthenticationCertificate -Name whitelistcert1 -CertificateFile C:\XXXX\XXXX.cer

#Set-AzureRmApplicationGatewayBackendHttpSettings -Name appGatewayBackendHttpSettings -ApplicationGateway $gw  -PickHostNameFromBackendAddress -Port 443 -Protocol Https -CookieBasedAffinity Enabled -AuthenticationCertificates $authcert

# Add the web app to the backend pool
Set-AzureRmApplicationGatewayBackendAddressPool -Name appGatewayBackendPool -ApplicationGateway $gw -BackendFqdns $webappFQDN

# Update the application gateway
Set-AzureRmApplicationGateway -ApplicationGateway $gw

Related Topic