What are Application Gateway tiers "Standard V2" and "WAF V2"?

[richardcox13]

While listed when creating an application gateway, they are not documented. Nor do they appear in the pricing information.

What are they? What do they cost?

And what is the difference between the SKU size of application gateway?

---

Document details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 29d1f0bd-9465-c7d8-1006-32e050a2419d
• Version Independent ID: 0d3bd3f8-6759-02ea-4a30-fc7b40f2c30e
• Content: Introduction to web application firewall (WAF) for Azure Application Gateway
• Content Source: articles/application-gateway/waf-overview.md
• Service: application-gateway
• GitHub Login: @amsriva
• Microsoft Alias: amsriva

[TravisCragg-MSFT]

@richardcox13 Thanks for the feedback! I am gathering what information I can, and will update you soon.

[jeffwmiles]

The tooltip found upon the Tier setting of a deployed Standard V2 or WAF V2 states "The Standard_v2 and WAF_v2 tiers support availability zones. Changing from the WAF_v2 tier to the Standard_v2 tier is not supported."

So at a minimum, this is the change in V2; hopefully from a WAF perspective, there are more features involving additional intelligence and vulnerability updates beyond the static OWASP top 10.

[shahiddev]

Can we get an update on what these V2 versions are, their pricing and if they are in preview?

[vhusker]

Agree with what everyone else has said. Went to deploy a PoC for a customer today and noticed this as well and couldn't find anything documented. Additionally there is no tooltip in the Tier section anymore and instead an Availability Zone drop box appears at the bottom of the setup page. Would really like to see some documentation about the v2 versions for both types of application gateways.

[Sulster]

I don't know if I was doing something massively wrong, but it seems WAF_v2 won't accept .cer files when setting HTTPS Settings.

[nhuntwalker]

Ditto on the previous comment. The specific error that I've gotten when trying to use a .cer file with HTTP Settings in a WAF v2 was:

Application Gateway /subscriptions/<subscription ID>/resourceGroups/<resource group name>
/providers/Microsoft.Network/applicationGateways/<gateway name>
does not support AuthenticationCertificates for the selected SKU tier WAF_v2.
Supported SKU tiers are Standard,WAF.

[AvinashReddyVaka]

@Sulster Any work around to this issue?? Even i am getting the same error message as "app-gateway does not support AuthenticationCertificates for the selected SKU tier WAF_v2. Supported SKU tiers are Standard,WAF".

[AvinashReddyVaka]

The main difference between older tiers and _V2's is _v2's support static frontend public ip address.

[Sulster]

@AvinashReddyVaka Nope, I've tested with a few servers and sites and in the end I have had to use the older tier of WAF when End to End SSL was required. I use WAF_v2 for when I can get away with only SSL offloading.

[bsnehanshu]

Also, Version 2 ( WAF of Standard) Application Gateway seems to be present only in new locations ( for eg: East US 2, West US 2, Singapore, etc) when it will be available for South East Australia

[vhorne]

@richardcox13 The v2 SKU is documented here: https://docs.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant

Using certs with the v2 SKU is documented here: https://docs.microsoft.com/azure/application-gateway/ssl-overview#end-to-end-ssl-with-the-v2-sku

[vhorne]

please-close

[TravisCragg-MSFT]

@richardcox13 Thanks for the feedback! I have assigned the issue to the content author to evaluate and update as appropriate.

[manikandan5555]

Hi All, any solution for this? app-gateway does not support AuthenticationCertificates for the selected SKU tier WAF_v2. Supported SKU tiers are Standard,WAF". If I execute using powershell its not refelct in the portal

[sai-manoj-kumar]

I can find answers to a few things mentioned here, in this link below: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant. See if it helps.

[ghost]

When setting up an Application Gateway Standard V2, I am unable to retrieve health information from my components tied to my new AG. Same settings for a standard work just fine. I have added an nsg to the subnet of the AGV2 with updated rules documented (ports 65200 - 65535 for the v2 SKU); we are still unable to retrieve backend status of App Service and AGV2 reports as UNKNOWN backend health. It appears V2 is not quite working as expected by MS out of the box, or yet again, there is a new component without proper documentation on how to get the darned thing to work..

I can understand needing to have to use new settings or components, but that needs to be outlined and better defined by MS. Any time we try to upgrade to Standard_V2 to make use of a Static IP, nothing works: VMSS, App Service or IP.. Assistance and good documentation regarding the difference in setup and config for DIFFERENT VERSIONS Application Gateway would be much appreciated.

Snarkier note, this is such a common occurrence within Azure platform for most components that it is ridiculous. Components are either rushed, not feature rich, extremely limited, just flat out broke, or terrible/lazy documentation (often time missing key information..). I want to like this platform, but is so not ready and always has some sort of issue limiting our growth and expansions we really need in a hosting provider. AND AS ALWAYS GITHUBS ARE CLOSED WITHOUT REALLY REACHING OUT FOR PROPER CONFIRMATION OF A FIX OR TRYING TO FIX OR TEST ON YOUR OWN AS A COMPANY.

[ricetristan]

@Sulster and @AvinashReddyVaka I hit the same issue trying to setup end-to-end SSL via the Azure portal (_does not support AuthenticationCertificates for the selected SKU tier WAFv2). However, I was able to perform this configuration via powershell (Set-AzApplicationGatewayBackendHttpSettings) without issue. Hopefully the portal UI will be updated to support this soon!

[jdcreek]

@ricetristan Can you share the parameters you used for a successful end to end encryption when calling the Set-AzApplicationGatewayBackendHttpSettings command?

Thank you.

[ricetristan]

@jdcreek Sorry for the ridiculously long delay here - I was able to setup end-to-end encryption using the following powershell commands:

**$gw = Get-AzApplicationGateway -Name "YourAppGateway" -ResourceGroupName "YourResourceGroup"

Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "YourAppGatewayBackendHttpSettings" -Port 443 -Protocol "Https"

Set-AzApplicationGateway -ApplicationGateway $gw**

[rem-aj]

@wacsintegra did you ever figure this issue out or file a ticket with MS for resolution? I am getting the same issue but actually wondering if it's a UI bug because I'm actually able to access my services via the DNS name. Even if it's a UI bug it's still bad from a monitoring standpoint.

[ghost]

MS would not assist on the support side and was not able to find a solution with the Azure platform.

[rem-aj]

I have opened up a ticket with them and will share my feedback when I get it. This product has been GA since the end of last month so it better be properly supported by now :)

[rem-aj]

@wacsintegra if you are using a custom DNS within your azure network, apparently that causes issues with the health check in V2. In my case I was using 8.8.8.8, after removing it from my VNET and restarting the app gateway all seemed to work well.

[siddharth-dhawan]

When will AG v2 be available in UAE North region?

[rjuntechvision]

Hi, Need help on Rstudio Server integration with Azure Kubernetes cluster, for on-demand horizontal scaling.