Azure Application Gateway /WAF v2 provisioning keeps failing

Karthik Chowdary Namburu 1 Reputation point
2020-08-20T21:46:10.2+00:00

Hi All,

We are trying to provision an App Gateway (WAF v2) in a dedicated VNet which is peered with the Transit/Hub VNet. However, the App Gateway provisioning keeps failing with the error below:

"code": "Conflict",
"message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.

On the flip side, if we try to provision the App Gateway (WAF v2) within an isolated VNet without peering with the Transit/Hub Virtual Network, the App Gateway/WAF v2 provisioning succeeds.

Any input or advice will be helpful.

Thanks
Karthik


2 answers

  1. TravisCragg-MSFT 5,676 Reputation points Microsoft Employee
    2020-08-21T00:10:54.063+00:00

    Typically this error occurs when an unsupported route is affecting the Application Gateway Subnet, typically a 0.0.0.0/0 route to an NVA/firewall, or a route being advertised via BGP. You can find more about Application Gateway and supported custom routes here.

    This error should no longer occur once the default route is corrected.

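One way to check for the route condition described in the answer above, as an added example that is not part of the original thread or of Microsoft's tooling: it scans effective routes, given as JSON in the shape printed by `az network nic show-effective-route-table` for a hypothetical test NIC in the gateway's subnet, for an active 0.0.0.0/0 route whose next hop is not Internet. The sample tables, addresses and the rule that only an Internet next hop is acceptable are assumptions made for the example.

```python
DEFAULT_PREFIX = "0.0.0.0/0"
ORIGINS = {"User": "a user-defined route (UDR)",
           "VirtualNetworkGateway": "a route learned from a gateway (BGP)"}

def unsupported_default_routes(effective_routes):
    """Return a description of each active 0.0.0.0/0 route not pointing at Internet.

    `effective_routes` is the parsed JSON object with a "value" list, as printed
    by `az network nic show-effective-route-table`.
    """
    findings = []
    for route in effective_routes.get("value", []):
        if route.get("state") != "Active":
            continue  # overridden (Invalid) routes do not steer traffic
        if DEFAULT_PREFIX not in route.get("addressPrefix", []):
            continue
        hop_type = route.get("nextHopType")
        if hop_type == "Internet":
            continue  # assumption: the only default route treated as acceptable
        source = route.get("source")
        origin = ORIGINS.get(source, f"source {source}")
        hops = ", ".join(route.get("nextHopIpAddress") or []) or "n/a"
        findings.append(f"{DEFAULT_PREFIX} via {hop_type} ({hops}) from {origin}")
    return findings

def route(prefix, hop_type, source, state="Active", hop_ips=()):
    """Build one constructed effective-route entry."""
    return {"addressPrefix": [prefix], "nextHopType": hop_type, "source": source,
            "state": state, "nextHopIpAddress": list(hop_ips)}

# Constructed samples, not taken from the thread.
PEERED_WITH_HUB = {"value": [
    route("10.20.0.0/24", "VnetLocal", "Default"),
    route(DEFAULT_PREFIX, "Internet", "Default", state="Invalid"),
    route(DEFAULT_PREFIX, "VirtualNetworkGateway", "VirtualNetworkGateway",
          hop_ips=["10.0.0.4"]),
]}
UDR_TO_NVA = {"value": [
    route(DEFAULT_PREFIX, "Internet", "Default", state="Invalid"),
    route(DEFAULT_PREFIX, "VirtualAppliance", "User", hop_ips=["10.0.1.4"]),
]}
ISOLATED = {"value": [
    route("10.20.0.0/24", "VnetLocal", "Default"),
    route(DEFAULT_PREFIX, "Internet", "Default"),
]}

if __name__ == "__main__":
    for name, table in (("peered", PEERED_WITH_HUB), ("udr", UDR_TO_NVA), ("isolated", ISOLATED)):
        print(name, "->", unsupported_default_routes(table) or "no unsupported default route")
```

For real data, pass the object returned by `json.load(sys.stdin)` on the CLI output to `unsupported_default_routes`.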

  2. Karthik Chowdary Namburu 1 Reputation point
    2020-08-21T20:30:26.723+00:00

    Hi Travis,

    We were trying to set up Azure App Gateway as WAF v2, and it looks like the subnet which has an APPGW/WAF v2 does not allow a UDR to be associated, which is weird and confusing.

    On the other hand I'm able to associate a UDR with WAF V1, but it does not support Static Public IP and also does not provide benefits of Auto-scaling, Zone redundancy.

    I'm really confused and disappointed with the way this has been turning out during our implementation, and we are kind of hitting a dead end whether we use Azure APPGW/WAF v1 or APPGW/WAF v2, each with its own respective set of limitations for critical internet-facing web applications.

    Please advise...

    Regards
    karthik