Azure / application-gateway-kubernetes-ingress

This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway to act as the ingress for an AKS cluster.
https://azure.github.io/application-gateway-kubernetes-ingress
MIT License

ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy - When updating an AppGW in 'East US' #1417

Closed nilsatomada closed 2 years ago

nilsatomada commented 2 years ago

Since today, we're getting the following error messages when updating an Application Gateway which is associated with a WAF Policy. We haven't made any configuration changes. This is happening totally out of the blue. The other Application Gateways, which are also controlled by other AGIC controllers, are not affected by this. All Application Gateways are assigned to the same WAF Policy and all AGIC controllers have the same version/configuration.

network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy" Message="WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy /subscriptions/zzz/resourceGroups/Global/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<wafpolicy> associated with it." Details=[]

Error processing event.network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy" Message="WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy /subscriptions/zzz/resourceGroups/Global/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<wafpolicy> associated with it." Details=[]

It is also not possible to perform Manual Updates to the Application Gateway via the Azure Portal / Azure CLI - it gives the same error message 'ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy'

Is there a rollout currently going on / or a canary deployment of a new Application Gateway API?

As this is critical for us we've already opened a SEV-A Case about the issue - but I also wanted to write about it here.

akshaysngupta commented 2 years ago

@nilsatomada This validation has been there since last year: when a WAF policy is referenced in the gateway config, modification of the WAF configuration object in the Gateway is not allowed.

I am closing this issue here as this can't be solved on AGIC.

nilsatomada commented 2 years ago

@akshaysngupta - interesting answer - can you explain to me why it has worked for two years and starts to fail now? So what I'm hearing is that you want me to talk to the Application Gateway Team?

nilsatomada commented 2 years ago

Just for the people who experience this - this is what fixed it for us (https://github.com/Azure/azure-cli/issues/15520):

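```powershell
# Load the gateway; the name and resource group values are missing in the post, so placeholders are shown
$appGwconfig = Get-AzApplicationGateway -Name <ApplicationGatewayName> -ResourceGroupName <ResourceGroupName>
# Clear the legacy WAF configuration object so that only the WAF policy reference remains
$appGwconfig.WebApplicationFirewallConfiguration = $null
# Write the updated configuration back to the gateway
Set-AzApplicationGateway -ApplicationGateway $appGwconfig
```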
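The following is an added example, not part of the thread and not AGIC code: a pre-check that lists gateways carrying both the legacy WebApplicationFirewallConfiguration object and a WAF policy reference, and flags those where the policy alone would not be in enabled Prevention mode once the legacy object is cleared. The field names are assumed to match the JSON printed by `az network application-gateway list` and `az network application-gateway waf-policy list`; the sample data, names and verdict labels are constructed.

```python
# Constructed sample data (assumed az CLI JSON shape; IDs are placeholders).
POL = ("/subscriptions/000/resourceGroups/rg/providers/Microsoft.Network/"
       "ApplicationGatewayWebApplicationFirewallPolicies/")
GATEWAYS = [
    {"name": "gw-a", "firewallPolicy": {"id": POL + "prevent"},
     "webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Prevention"}},
    {"name": "gw-b", "firewallPolicy": {"id": POL + "DETECT"},
     "webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Prevention"}},
    {"name": "gw-c", "firewallPolicy": {"id": POL + "gone"},
     "webApplicationFirewallConfiguration": {"enabled": False, "firewallMode": "Detection"}},
    {"name": "gw-d", "firewallPolicy": {"id": POL + "prevent"},
     "webApplicationFirewallConfiguration": None},
]
POLICIES = [
    {"id": POL + "prevent", "policySettings": {"state": "Enabled", "mode": "Prevention"}},
    {"id": POL + "detect", "policySettings": {"state": "Enabled", "mode": "Detection"}},
]


def audit(gateways, policies):
    """Return (gateway name, verdict) for gateways with both WAF sources set."""
    # ARM resource IDs are case-insensitive, so compare them lowercased.
    by_id = {p["id"].lower(): p for p in policies}
    findings = []
    for gw in gateways:
        legacy = gw.get("webApplicationFirewallConfiguration")
        ref = (gw.get("firewallPolicy") or {}).get("id")
        if not (legacy and ref):
            continue  # only one WAF source present: not the state from the error
        policy = by_id.get(ref.lower())
        settings = (policy or {}).get("policySettings") or {}
        legacy_blocks = bool(legacy.get("enabled")) and legacy.get("firewallMode") == "Prevention"
        policy_blocks = settings.get("state") == "Enabled" and settings.get("mode") == "Prevention"
        if policy is None:
            verdict = "policy-missing"        # reference does not resolve in the export
        elif legacy_blocks and not policy_blocks:
            verdict = "policy-not-blocking"   # legacy object blocks, policy would not
        else:
            verdict = "consistent"
        findings.append((gw["name"], verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in audit(GATEWAYS, POLICIES):
        print(f"{name}: {verdict}")
```

Gateways reported as `policy-not-blocking` or `policy-missing` deserve a look at the policy before the legacy object is set to `$null`, because the policy is the only WAF configuration left afterwards.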