2

I have a working ARM Template to deploy an Application Gateway with WAF Enabled, this is currently always enabling the Firewall and setting the Firewall Mode based on parameters.

We want to parameterize enabling the WAF so that an AGW can be deployed without WAF

The object in the properties looks like:

"webApplicationFirewallConfiguration": {
                "enabled": "[parameters('applicationGateway').firewallEnabled]",
                "firewallMode": "[parameters('applicationGateway').firewallMode]",
                "ruleSetType": "OWASP",
                "ruleSetVersion": "3.0"
            }

The parameter file has these set:

                "firewallEnabled": false,
                "Tier": "Standard",
                "skuSize": "Standard_Medium",

However on deployment it errors out trying to enable the Firewall

New-AzResourceGroupDeployment : 11:28:27 AM - Error:
Code=ApplicationGatewayFirewallCannotBeEnabledForSelectedSku;
Message=Application Gateway 
/subscriptions//providers/Microsoft.Network/applicationGatewa
ys/EXAMPLE-AGW does not support WebApplicationFirewall with the
selected SKU tier Standard

It looks like it's still trying to enable the firewall even though the "enabled:" property would be false, I would assume it would ignore the rest of the properties in the object but obviously not. Can anyone see what I'm doing wrong here?

Clackers
  • 127
  • 1
  • 2
  • 7

2 Answers2

0

Not sure why this is happening, but you can always do this:

"variables": {
    "waffalse": {
        "enabled": false
    },
    "waftrue": {
        "enabled": true,
        "firewallMode": "[parameters('applicationGateway').firewallMode]",
        "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0"
    }
}
...
"webApplicationFirewallConfiguration": "[variables(concat('waf', string(parameters('applicationGateway').firewallEnabled)))]"

so use one variable or the other depending on condition

4c74356b41
  • 69,186
  • 6
  • 100
  • 141
0

Reason for Failure: As WebApplicationFirewall is not supported for Standard Tier AppGateway, the template VALIDATION will fail even if enabled is set to false as validation sees "webApplicationFirewallConfiguration" key itself as invalid for Standard Tier.

Fix: Use Nested Templates to create a child deployment of an Application Gateway template without "webApplicationFirewallConfiguration" if firewall is disabled, else the one with "webApplicationFirewallConfiguration" if firewall is enabled along with firewall mode value in the parameters file.

Working Sample: Please find below the root template for deployment along with two templates with firewall enabled and disabled as well. Then, it has two parameters file - one for firewall enabled and other for disabled one.

To try out this sample, follow the below steps:

  1. Upload the two Child templates in a Blob Storage.
  2. Make this Blob Container, where templates are uploaded, Public accessible or use SAS token while creating the template's url.
  3. Update the variables "appGatewaysTemplateWaffalse" and "appGatewaysTemplateWaftrue" in root template with urls of uploaded child templates.
  4. Go https://portal.azure.com/#create/Microsoft.Template -> "Build your own template in the editor".
  5. Use this updated root template with urls and the parameter file (enabled or disabled) as desired.

Root Template (VNet + Child Deployment):

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "applicationGateway": {
      "type": "object",
      "metadata": {
        "description": "Application gateway specific information"
      }
    },
    "virtualNetworkName": {
      "type": "string",
      "metadata": {
        "description": "virtual network name"
      }
    },
    "vnetAddressPrefix": {
      "type": "string",
      "defaultValue": "10.0.0.0/16",
      "metadata": {
        "description": "virtual network address range"
      }
    },
    "subnetName": {
      "type": "string",
      "defaultValue": "subnet1",
      "metadata": {
        "description": "Subnet Name"
      }
    },
    "subnetPrefix": {
      "type": "string",
      "defaultValue": "10.0.0.0/24",
      "metadata": {
        "description": "Subnet prefix"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]",
    "appGatewaysTemplateWaffalse": "https://da2.blob.core.windows.net/templates/app-gateway-waf-false.json",
    "appGatewaysTemplateWaftrue": "https://da2.blob.core.windows.net/templates/app-gateway-waf-true.json"
  },
  "resources": [
    {
      "apiVersion": "2015-06-15",
      "type": "Microsoft.Network/virtualNetworks",
      "name": "[parameters('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[parameters('vnetAddressPrefix')]"
          ]
        },
        "subnets": [
          {
            "name": "[parameters('subnetName')]",
            "properties": {
              "addressPrefix": "[parameters('subnetPrefix')]"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2015-01-01",
      "name": "azure-appGateways-non-waf-deployment",
      "dependsOn": [
        "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[variables(concat('appGatewaysTemplateWaf',string(parameters('applicationGateway').firewallEnabled)))]"
        },
        "parameters": {
          "applicationGateway": {
            "value": "[parameters('applicationGateway')]"
          },
          "location": {
            "value": "[parameters('location')]"
          },
          "subnetRef": {
            "value": "[variables('subnetRef')]"
          }
        }
      }
    }
  ]
}

Child Template without webApplicationFirewallConfiguration:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "applicationGateway": {
      "type": "object",
      "metadata": {
        "description": "Application gateway specific information"
      }
    },
    "subnetRef": {
      "type": "string",
      "defaultValue": "subnet id",
      "metadata": {
        "description": "Subnet Id"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {},
  "resources": [
    {
      "apiVersion": "2017-06-01",
      "name": "[parameters('applicationGateway').applicationGatewayName]",
      "type": "Microsoft.Network/applicationGateways",
      "location": "[parameters('location')]",
      "dependsOn": [],
      "properties": {
        "sku": {
          "name": "[parameters('applicationGateway').applicationGatewaySize]",
          "tier": "[parameters('applicationGateway').skuTier]",
          "capacity": "[parameters('applicationGateway').applicationGatewayInstanceCount]"
        },
        "gatewayIPConfigurations": [
          {
            "name": "appGatewayIpConfig",
            "properties": {
              "subnet": {
                "id": "[parameters('subnetRef')]"
              }
            }
          }
        ],
        "frontendIPConfigurations": [
          {
            "name": "appGatewayFrontendIP",
            "properties": {
              "subnet": {
                "id": "[parameters('subnetRef')]"
              }
            }
          }
        ],
        "frontendPorts": [
          {
            "name": "appGatewayFrontendPort",
            "properties": {
              "Port": "[parameters('applicationGateway').frontendPort]"
            }
          }
        ],
        "backendAddressPools": [
          {
            "name": "appGatewayBackendPool",
            "properties": {
              "BackendAddresses": "[parameters('applicationGateway').backendIPAddresses]"
            }
          }
        ],
        "backendHttpSettingsCollection": [
          {
            "name": "appGatewayBackendHttpSettings",
            "properties": {
              "Port": "[parameters('applicationGateway').backendPort]",
              "Protocol": "Http",
              "CookieBasedAffinity": "[parameters('applicationGateway').cookieBasedAffinity]"
            }
          }
        ],
        "httpListeners": [
          {
            "name": "appGatewayHttpListener",
            "properties": {
              "FrontendIpConfiguration": {
                "Id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/frontendIPConfigurations/appGatewayFrontendIP')]"
              },
              "FrontendPort": {
                "Id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/frontendPorts/appGatewayFrontendPort')]"
              },
              "Protocol": "Http",
              "SslCertificate": null
            }
          }
        ],
        "requestRoutingRules": [
          {
            "Name": "rule1",
            "properties": {
              "RuleType": "Basic",
              "httpListener": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/httpListeners/appGatewayHttpListener')]"
              },
              "backendAddressPool": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/backendAddressPools/appGatewayBackendPool')]"
              },
              "backendHttpSettings": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/backendHttpSettingsCollection/appGatewayBackendHttpSettings')]"
              }
            }
          }
        ]
      }
    }
  ]
}

Child Template with webApplicationFirewallConfiguration:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "applicationGateway": {
      "type": "object",
      "metadata": {
        "description": "Application gateway specific information"
      }
    },
    "subnetRef": {
      "type": "string",
      "defaultValue": "subnet id",
      "metadata": {
        "description": "Subnet Id"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {},
  "resources": [
    {
      "apiVersion": "2017-06-01",
      "name": "[parameters('applicationGateway').applicationGatewayName]",
      "type": "Microsoft.Network/applicationGateways",
      "location": "[parameters('location')]",
      "dependsOn": [],
      "properties": {
        "sku": {
          "name": "[parameters('applicationGateway').applicationGatewaySize]",
          "tier": "[parameters('applicationGateway').skuTier]",
          "capacity": "[parameters('applicationGateway').applicationGatewayInstanceCount]"
        },
        "gatewayIPConfigurations": [
          {
            "name": "appGatewayIpConfig",
            "properties": {
              "subnet": {
                "id": "[parameters('subnetRef')]"
              }
            }
          }
        ],
        "frontendIPConfigurations": [
          {
            "name": "appGatewayFrontendIP",
            "properties": {
              "subnet": {
                "id": "[parameters('subnetRef')]"
              }
            }
          }
        ],
        "frontendPorts": [
          {
            "name": "appGatewayFrontendPort",
            "properties": {
              "Port": "[parameters('applicationGateway').frontendPort]"
            }
          }
        ],
        "backendAddressPools": [
          {
            "name": "appGatewayBackendPool",
            "properties": {
              "BackendAddresses": "[parameters('applicationGateway').backendIPAddresses]"
            }
          }
        ],
        "backendHttpSettingsCollection": [
          {
            "name": "appGatewayBackendHttpSettings",
            "properties": {
              "Port": "[parameters('applicationGateway').backendPort]",
              "Protocol": "Http",
              "CookieBasedAffinity": "[parameters('applicationGateway').cookieBasedAffinity]"
            }
          }
        ],
        "httpListeners": [
          {
            "name": "appGatewayHttpListener",
            "properties": {
              "FrontendIpConfiguration": {
                "Id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/frontendIPConfigurations/appGatewayFrontendIP')]"
              },
              "FrontendPort": {
                "Id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/frontendPorts/appGatewayFrontendPort')]"
              },
              "Protocol": "Http",
              "SslCertificate": null
            }
          }
        ],
        "webApplicationFirewallConfiguration": {
            "enabled": "[parameters('applicationGateway').firewallEnabled]",
            "firewallMode": "[parameters('applicationGateway').firewallMode]",
            "ruleSetType": "OWASP",
            "ruleSetVersion": "3.0"
        },
        "requestRoutingRules": [
          {
            "Name": "rule1",
            "properties": {
              "RuleType": "Basic",
              "httpListener": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/httpListeners/appGatewayHttpListener')]"
              },
              "backendAddressPool": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/backendAddressPools/appGatewayBackendPool')]"
              },
              "backendHttpSettings": {
                "id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('applicationGateway').applicationGatewayName), '/backendHttpSettingsCollection/appGatewayBackendHttpSettings')]"
              }
            }
          }
        ]
      }
    }
  ]
}

Parameters with firewall disabled:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "applicationGateway": {
        "value": {
            "firewallEnabled": "false",
            "skuTier": "Standard",
            "applicationGatewayName": "yourappgateway",
            "applicationGatewaySize": "Standard_Small",
            "applicationGatewayInstanceCount": 1,
            "frontendPort": 80,
            "backendPort": 80,
            "backendIPAddresses": [
                {
                "IpAddress": "10.0.0.7"
                },
                {
                "IpAddress": "10.0.0.8"
                },
                {
                "IpAddress": "10.0.0.9"
                }
            ],
            "cookieBasedAffinity": "Disabled"
        }
    },
    "virtualNetworkName": {
      "value": "yourvnetname"
    },
    "vnetAddressPrefix": {
      "value": "10.0.0.0/16"
    },
    "subnetName": {
      "value": "yoursubnet"
    },
    "subnetPrefix": {
      "value": "10.0.0.0/24"
    }
  }
}

Parameters with firewall enabled:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "applicationGateway": {
        "value": {
            "firewallEnabled": "true",
            "firewallMode": "Detection",
            "skuTier": "WAF",
            "applicationGatewayName": "yourappgateway",
            "applicationGatewaySize": "WAF_Medium",
            "applicationGatewayInstanceCount": 1,
            "frontendPort": 80,
            "backendPort": 80,
            "backendIPAddresses": [
                {
                "IpAddress": "10.0.0.7"
                },
                {
                "IpAddress": "10.0.0.8"
                },
                {
                "IpAddress": "10.0.0.9"
                }
            ],
            "cookieBasedAffinity": "Disabled"
        }
    },
    "virtualNetworkName": {
      "value": "yourvnetname"
    },
    "vnetAddressPrefix": {
      "value": "10.0.0.0/16"
    },
    "subnetName": {
      "value": "yoursubnet"
    },
    "subnetPrefix": {
      "value": "10.0.0.0/24"
    }
  }
}
deepak
  • 113
  • 8
  • Yeah realized that the Firewall Config block needs to not exist at all for a Standard AGW, thanks for that. We already have 2 child templates for PublicIP or noPublicIP which contains this webApplicationFirewallConfiguration block. Would the solution here to be removing the webApplicationFirewallConfiguration block from the Pub/noPub IP Templates and then creating 2 additional Child Templates with only the webApplicationFirewallConfiguration block if WAF enabled and an empty properties block if Standard and set the DependsOn for the IP child templates? – Clackers Mar 25 '19 at 03:40
  • Yes there will be 4 child templates in total for these cases - publiciptruewaffalse, publiciptruewaftrue, publicipfalsewaffalse,publicipfalsewaftrue – deepak Mar 25 '19 at 04:09
  • Suggestion- do not use multiple nesting as just a nested deployment creation adds ~3 mins to the overall deployment time. That's why I didn't suggest child templates creation from publicip child template, instead 4 parallel child templates which doesn't increase the nesting. – deepak Mar 25 '19 at 04:24
  • you dont need to complicate this further with nested templates, my answer is more concise and less error prone, nested doesnt add ~3 minutes to the deployment. where are you getting this from? – 4c74356b41 Mar 25 '19 at 08:12
  • @4c74356b41 The answer mentioned below of keeping the "webApplicationFirewallConfiguration" key within the template for Standard SKU AGW won't work, as also validated by Clackers in first comment on this post. The template validation would fail even if you don't provide firewallMode, ruleSetType or ruleSetVersion as Standard SKU type doesn't expect webApplicationFirewallConfiguration key itself, per my knowledge and trials. Could you please share a working template with your approach for Standard SKU AGW ? – deepak Mar 25 '19 at 10:46
  • deepak is correct here, the actual parameter webApplicationFirewallConfiguration can not exist at all, even if enabled is set to false it still tries to configure the AGW in WAF mode. We have made child templates for WAF or no WAF and brought PublicIP and noPublicIP into a variable so that there are still only 2 child templates. Cheers for the help – Clackers Mar 26 '19 at 03:29
  • Thanks Clackers. Happy to help :) – deepak Mar 26 '19 at 17:21