Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: Application Gateway WAF v2 Configuration deployments
Important
On March 15, 2024, we announced the deprecation of WAF configuration on Application Gateway WAF V2 SKU and subsequently WAF configuration on Application Gateway WAF v2 retires on March 15, 2027. No further investments in WAF configuration on Application Gateway WAF v2 are made. You're strongly encouraged to upgrade from WAF Configuration to WAF Policy for easier management, better scale, and a richer feature set at no additional cost. For more information see, Retirement: Support for Application Gateway Web Application Firewall v2 Configuration is ending.
Azure Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. Web Application Firewall policies contain all the WAF settings and configurations. This includes exclusions, custom rules, managed rules, and so on. These policies are then associated with an application gateway (global), a listener (per-site), or a path-based rule (per-URI) for them to take effect.
Azure Application Gateway WAF v2 natively supports WAF policy. You should upgrade your legacy WAF configuration to WAF policies.
- Policies offer a richer set of advanced features. This includes newer managed rule sets, custom rules, per rule exclusions, bot protection, and the next generation of WAF engine. These advanced features are available to you at no extra cost.
- WAF policies provide higher scale and better performance.
- Unlike legacy WAF configuration, WAF policies can be defined once and shared across multiple gateways, listeners, and URL paths. This simplifies the management and deployment experience.
- The latest features and future enhancements are only available via WAF policies.
Retirement Timelines
- Deprecation announcement: March 25, 2024
- No creation of new WAF configuration deployments: March 15, 2025. The ability to create new WAF configuration deployments on the Application Gateway WAF V2 SKU has been fully discontinued on March 15, 2025.
- Retirement: March 15, 2027
Upgrade Application Gateway Standard v2 to Application Gateway WAF v2
- Locate the Application Gateway in the Azure portal. Select the Application Gateway and the select Configuration from the Settings menu on the left side.
- Under Tier, select WAF V2.
- Select Save to complete the upgrade from Application Gateway Standard to Application Gateway WAF.
Upgrade WAF v2 with legacy WAF configuration to WAF policy
You can upgrade existing Application Gateways with WAF v2 from WAF legacy configuration to WAF policy directly without any downtime. You can upgrade using either using the portal, Firewall Manager, or Azure PowerShell.
- Sign in to the Azure portal and select the Application Gateway WAF v2 that has a legacy WAF configuration.
- Select Web Application Firewall from the left menu, then select Upgrade from WAF configuration.
- Provide a name for the new WAF Policy and then select Upgrade. This creates a new WAF Policy based on the WAF configuration. You can also choose to associate a pre-existing WAF Policy instead of creating a new one.
- When the upgrade finishes, a new WAF Policy incorporating the previous WAF configuration and rules is created.
Upgrade Application Gateway v1 to WAF v2 with WAF policy
Important
We announced the deprecation of the Application Gateway V1 SKU (Standard and WAF) on April 28, 2023 and subsequently this SKU retires on April 28, 2026. For more information, see Migrate your Application Gateways from V1 SKU to V2 SKU by April 28, 2026.
Application Gateway v1 doesn't support WAF policy. Upgrading to WAF policy is a two step process:
- Upgrade Application Gateway v1 to v2 version.
- Upgrade legacy WAF configuration to WAF policy.
Upgrade from v1 to v2 Application Gateway.
For more information, see Upgrade Azure Application Gateway and Web Application Firewall from v1 to v2.
When you complete the upgrade of v1 to v2, the Application Gateway v2 has a legacy WAF configuration.
Upgrade to Application Gateway WAF v2 with WAF Policy.
- If in Step 1 you upgraded from Application Gateway Standard v1 to v2, see the previous section Upgrade Application Gateway Standard v2 to Application Gateway WAF v2.
- If in Step 1, you upgraded from Application Gateway WAF v1 to Application Gateway WAF v2 with legacy configuration, see the previous section Upgrade WAF v2 with legacy WAF configuration to WAF policy to migrate to Application Gateway WAF v2 SKU with WAF policy.