How to apply WAF to Application Gateway for Containers frontend

Question

How to apply WAF to Application Gateway for Containers frontend

Andreas Nord 20

I've created a security policy, but don't see any way to actually attach it to one of the frontends.

There is also a red warning icon, but it does not give any additional information.

I am using the Kubernetes managed way of deploying.

Screenshot 2025-07-01 at 11.14.46

Alex Burlachenko 13,330 Reputation points Volunteer Moderator

2025-07-01T12:07:25.5433333+00:00
Hi Andreas,

thanks for posting this ))

first, make sure u've got the latest azure cli or powershell modules. sometimes the ui lags behind like my ex's text replies ) https://docs.microsoft.com/en-us/cli/azure/install-azure-cli try this az cli command

az network application-gateway waf-policy create --name YourPolicy --resource-group YourRG --type OWASP

then attach it with

az network application-gateway update --name YourAG --resource-group YourRG --set webApplicationFirewallConfiguration=YourPolicy

check this the kubernetes managed way needs proper annotations in ur ingress yaml. add something like

annotations: appgw.ingress.kubernetes.io/waf-policy: "/subscriptions/your-sub/resourceGroups/your-rg/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/your-policy"

the full kubernetes integration guide https://docs.microsoft.com/en-us/azure/application-gateway/ingress-controller-annotations

this might help in other tools too always verify ur service principal has network contributor role. that red icon sometimes means permission issues )) the role assignment steps https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

worth looking into the activity logs in azure portal if it still acts up. the logs often spill the tea before the ui does :))) https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log

aha, and dont forget containers gateway is still kinda new, so some features might play hide and seek. microsoft's been killing it with updates tho )) latest release notes https://docs.microsoft.com/en-us/azure/application-gateway/overview#whats-new

if u hit more snags, the azure monitor diagnostic settings can be ur best friend here. setup logs for application gateway and waf to see what's really going on https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics

ps: that red icon? yeah it loves being mysterious. try refreshing after 10 mins or check the resource health blade azure's way of saying 'just wait bro' ))) resource health https://docs.microsoft.com/en-us/azure/service-health/resource-health-overview

let me know if the commands work

rgds,

Alex
Andreas Nord 20 Reputation points

2025-07-01T12:49:37.4366667+00:00
Thanks for the quick reply.
I'm suspecting that this feature flag should be toggled for the helm deployment (default was false):

helm upgrade alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller --set securityPolicyFeatureFlag=true

It seems to indicate that the feature exists, but does not solve the problem.
Although this page seems to indicate that WAF is not supported yet:
https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/migrate-from-agic-to-agc

I can try your commands but will be good to verify that it's actually possible first.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-03T07:25:53.1933333+00:00

Hello Andreas Nord

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Accepted answer

0 additional answers

Your answer

Andreas Nord 20 Reputation points

2025-07-01T12:49:37.4366667+00:00

Thanks for the quick reply.
I'm suspecting that this feature flag should be toggled for the helm deployment (default was false):

helm upgrade alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller --set securityPolicyFeatureFlag=true

It seems to indicate that the feature exists, but does not solve the problem.
Although this page seems to indicate that WAF is not supported yet:
https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/migrate-from-agic-to-agc

I can try your commands but will be good to verify that it's actually possible first.
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-03T07:25:53.1933333+00:00

Hello Andreas Nord

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Answer 1

Praveen Bandaru 6,850 Microsoft External Staff Moderator

Hello Andreas Nord

Thank you for your response.

Although this page seems to indicate that WAF is not supported yet:

Unfortunately, this feature isn't supported according to the document. Please refer to the screenshot below for more details:

User's image

Check the reference document: https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/migrate-from-agic-to-agc#waf

If you have any suggestions, please share your valuable feedback with our product group team using the link below: https://feedback.azure.com/d365community

And check the below feedback from Microsoft: https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

User's image

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-03T07:26:13.2033333+00:00

Hello Andreas Nord

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Andreas Nord 20 Reputation points

2025-07-03T07:27:55.1233333+00:00

It's not supported via kubernetes, or it's not supported at all? Because it shows up in the portal so I would assume the feature exists
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator

2025-07-03T07:36:26.12+00:00

Hello Andreas Nord
Thank you for your response. Currently, this feature is now in private preview for application gateway for container, so it is not supported at this time. It will be supported in the future. Please refer to the link below for more information:

https://feedback.azure.com/d365community/idea/f9bab01c-de86-ee11-a81c-002248544521

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Share via

How to apply WAF to Application Gateway for Containers frontend

0 additional answers

Your answer