Moving Application Gateway along with WAF to another subscription

Question

Moving Application Gateway along with WAF to another subscription

Ahmed Abdelhadi 40

Migrate Application Gateway and WAF deployments to another subscription on same tenant, if application gateway cannot be moved then how are we supposed to recreate an application gateway that contains 50+ http listener, 100+ Rules, and 20+ backend pools, 20 SSL Certificates??

Tushar Kumar 3,371 Reputation points MVP

2023-09-19T08:57:34.4366667+00:00

Hi Ahmed Abdelhadi,

I can understand that you are trying to move Azure application Gateway which is unfortunetly not a supported resource for Move between subscriptions.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources

You can redeploy the same by matching the same configuration using ARM templates by using the following option to export

Please note once you export the template you need to make tweeks in the template for making it ready for new subscription.

Please Click "Accept as Answer" if this helps .
AirGordon 7,150 Reputation points

2023-09-19T11:48:19+00:00

Perhaps you can provide more context on why the move is needed.
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-04T17:01:34.8766667+00:00

@Ahmed Abdelhadi , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

Accepted answer

1 additional answer

Your answer

Tushar Kumar 3,371 Reputation points MVP

2023-09-19T08:57:34.4366667+00:00

Hi Ahmed Abdelhadi,

I can understand that you are trying to move Azure application Gateway which is unfortunetly not a supported resource for Move between subscriptions.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources

You can redeploy the same by matching the same configuration using ARM templates by using the following option to export

Please note once you export the template you need to make tweeks in the template for making it ready for new subscription.

Please Click "Accept as Answer" if this helps .
AirGordon 7,150 Reputation points

2023-09-19T11:48:19+00:00

Perhaps you can provide more context on why the move is needed.
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-10-04T17:01:34.8766667+00:00

@Ahmed Abdelhadi , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.

Answer 1

GitaraniSharma-MSFT 50,021 Microsoft Employee Moderator

Hello @Ahmed Abdelhadi ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know how to move an Application Gateway along with WAF to another subscription without downtime.

As mentioned by @Tushar Kumar above, Application gateways and WAF policies are not supported for move across resource groups/subscriptions/regions.

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftnetwork

So, the only option is to recreate the Application gateway in the new subscription.

However, to minimize downtime, you could follow a few steps as below:

You can export your existing App gateway configuration via ARM template, Bicep, PowerShell, CLI, etc.
You can either export template from your existing resource group or the Application gateway.

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/export-template-portal

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/export-template-cli

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/export-template-powershell

Deploy the dependent resources such Key vaults and upload certificates as mentioned by @AirGordon .
Modify the exported template per your requirement and then deploy the Application gateway in the new subscription using that template.
Do a DNS swap to the newly provisioned application gateway (meaning point your DNS name or custom domain to the newly created application gateway).
Once the newly created Application gateway is fully provisioned and working, you can delete your old gateway.

This should result in almost no downtime.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Ahmed Abdelhadi 40 Reputation points

2023-09-21T06:48:34.11+00:00

Hello GitaraniSharma-MSFT

Thank you for your support and response to my inquiry.

One more question please, how can I manage a public IP address that assigned to Azure Application Gateway, if I export existing App gateway configuration via ARM template into the new subscription, so the public IP configuration will be move/imported to the new subscription, or I have to create new one and assigned it to Application Gateway, if so how to do this as well?

Thank you for your help. Your support is highly appreciated.
Ahmed Abdelhadi 40 Reputation points

2023-09-22T07:56:27.63+00:00

Hello GitaraniSharma-MSFT

Thank you for your support and response to my inquiry.

One more question please, how can I manage a public IP address that assigned to Azure Application Gateway?
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-09-25T07:36:14.2866667+00:00

Hello @Ahmed Abdelhadi ,

Apologies for the delay in response.

A public IP address associated to an Application gateway cannot be disassociated and hence, it cannot be moved.

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/networking-move-limitations#dependent-resources

The export template option will capture the reference for Public IP configuration, which will create a new Public IP address when deploying the Application gateway in the new subscription.

NOTE: As mentioned before, you need to modify the exported template per your requirement and then deploy the Application gateway in the new subscription using that template.

When I say modify the template, I mean making changes to the names or properties of the resources before deployment. For Example: The exported template will be an exact copy of your existing resource with same names and properties. You might want to change the naming convention or location of the resources or types/SKUs of resources. So, you need to pay attention to the exported template and make necessary changes before deploying it.

Refer: Tutorial - Export template from the Azure portal - Azure Resource Manager | Microsoft Learn

Regards,

Gita

Answer 2

How are we supposed to recreate an application gateway that contains 50+ http listener, 100+ Rules, and 20+ backend pools, 20 SSL Certificates??

In an ideal world, you'd have used Infrastructure as code to deploy the Application Gateway and to manage the configuration. In this way, you'd run the deployment again to reproduce the same configuration. If you didn't follow this approach, you can capture the current configuration using the Export Template option in the Portal which provides a great starting place for you to polish and refine the template in order to deploy again.

There will likely be some prerequisite resources that you will need to create first, a Virtual Network and subnet as well as a Key Vault for the certificates. Deployment of these resources should occur first.

Share via

Moving Application Gateway along with WAF to another subscription

1 additional answer

Your answer