How do I update Front Door WAF policy programmatically?

Question

How do I update Front Door WAF policy programmatically?

vinayakshastri 25

Whenever I try to update an existing Front Door WAF programmatically using the ResourceManagementClient using begin_create_or_update_by_id

I get an error Code: BadRequest Message: Property 'WebApplicationFirewallPolicy.sku' is read-only and cannot be changed.

The identity that has got the Network Contributor role on the Front Door WAF policy.

Am I missing out on something or is this an Azure issue?

Deepanshu katara 16,790 Reputation points MVP Moderator

2025-04-11T06:26:42.4533333+00:00
Hello Vinayak , Welcome to MS Q&A

It seems you are encountering an issue when trying to update an existing Front Door WAF policy, specifically related to the sku property being read-only. This is a common scenario when working with Azure resources, as certain properties cannot be modified after the resource has been created.

Here are some steps to help you troubleshoot and resolve this issue:

Understand Read-Only Properties: The sku property of the Web Application Firewall policy is read-only, meaning it cannot be changed once the policy is created. If you need to change the SKU, you will have to create a new WAF policy with the desired SKU and then associate it with your Front Door instance.

Check Your Update Logic: When using the begin_create_or_update_by_id method, ensure that you are not including the sku property in your update request. Only include properties that are modifiable.

Review Permissions: Although you mentioned having the Network Contributor role, ensure that the identity you are using has the necessary permissions to perform updates on the WAF policy. Sometimes, additional roles or permissions may be required.

Use the Azure Portal or CLI for Verification: If possible, try to update the WAF policy using the Azure Portal or Azure CLI to see if the issue persists. This can help determine if the problem is with your code or the Azure service itself.

For further assistance, you can refer to the following resources:

Update WAF Policy: Update-AzFrontDoorWafPolicy provides information on how to update an existing WAF policy without modifying read-only properties.

Configure WAF: For a comprehensive guide on configuring WAF policies, including creating and managing them, check out the documentation on Configuring WAF.

If you continue to experience issues, consider reaching out to Azure support for more personalized assistance.

Please let me know if any ques

Kindly accept answer if it helps

Thanks
Deepanshu
vinayakshastri 25 Reputation points

2025-04-11T06:35:33.2+00:00

Hi Deepanshu,

Thanks for the answer. I have confirmed that there is no sku set in the request as far as I can tell from the logs here:

{'location': 'Global', 'properties': {'customRules': {'rules': [{'action': 'Block', 'enabledState': 'Enabled', 'matchConditions': [{'matchValue': ['<IP_1>', '<IP_2>', '<IP_3>'], 'matchVariable': 'RemoteAddr', 'negateCondition': False, 'operator': 'IPMatch', 'selector': None, 'transforms': []}], 'name': 'blocklist', 'priority': 100, 'rateLimitDurationInMinutes': 1, 'rateLimitThreshold': 100, 'ruleType': 'MatchRule'}]}}}

I am not sure if the ResourceManagementClient sets the sku later by default.

I do not need to update the WAF rule object itself but the AzFrontDoorWafCustomRuleObject which I am not sure if I am allowed to update the IPs inside the custom rule object which is later referenced in the WAF policy.

To sum it up, I need to https://learn.microsoft.com/en-gb/cli/azure/network/front-door/waf-policy/rule?view=azure-cli-latest#commands be able to use the update custom rule feature using Azure API or any REST API client inside a function app. This is where I am stuck in finding the resolution for the error after I used ResourceManagementClient object in my code to update
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-15T05:28:02.22+00:00

Hi @Vinayak Udaykumar SHASTRI

Following up to see if the above response was helpful. If you have any further queries, please let us know in the comments below.
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-16T01:14:58.64+00:00

Hi @Vinayak Udaykumar SHASTRI

Following up to see if the above response was helpful. If you have any further queries, please let us know in the comments below.
vinayakshastri 25 Reputation points

2025-04-16T01:17:32.5433333+00:00

Thanks for the response. I will keep you posted after trying out the front door client.

Accepted answer

0 additional answers

Your answer

vinayakshastri 25 Reputation points

2025-04-11T06:35:33.2+00:00

Hi Deepanshu,

Thanks for the answer. I have confirmed that there is no sku set in the request as far as I can tell from the logs here:

{'location': 'Global', 'properties': {'customRules': {'rules': [{'action': 'Block', 'enabledState': 'Enabled', 'matchConditions': [{'matchValue': ['<IP_1>', '<IP_2>', '<IP_3>'], 'matchVariable': 'RemoteAddr', 'negateCondition': False, 'operator': 'IPMatch', 'selector': None, 'transforms': []}], 'name': 'blocklist', 'priority': 100, 'rateLimitDurationInMinutes': 1, 'rateLimitThreshold': 100, 'ruleType': 'MatchRule'}]}}}

I am not sure if the ResourceManagementClient sets the sku later by default.

I do not need to update the WAF rule object itself but the AzFrontDoorWafCustomRuleObject which I am not sure if I am allowed to update the IPs inside the custom rule object which is later referenced in the WAF policy.

To sum it up, I need to https://learn.microsoft.com/en-gb/cli/azure/network/front-door/waf-policy/rule?view=azure-cli-latest#commands be able to use the update custom rule feature using Azure API or any REST API client inside a function app. This is where I am stuck in finding the resolution for the error after I used ResourceManagementClient object in my code to update
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-15T05:28:02.22+00:00

Hi @Vinayak Udaykumar SHASTRI

Following up to see if the above response was helpful. If you have any further queries, please let us know in the comments below.
Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator

2025-04-16T01:14:58.64+00:00

Hi @Vinayak Udaykumar SHASTRI

Following up to see if the above response was helpful. If you have any further queries, please let us know in the comments below.
vinayakshastri 25 Reputation points

2025-04-16T01:17:32.5433333+00:00

Thanks for the response. I will keep you posted after trying out the front door client.

Answer 1

Hi @Vinayak Udaykumar SHASTRI-

Instead of the generic ResourceManagementClient, use the client specifically designed for Front Door. This is often found in packages like azure-mgmt-frontdoor or azure-mgmt-network.Look for a client like FrontDoorManagementClient or NetworkManagementClient

Within that client, navigate to operations related to WAF policies. Look for a method like begin_create_or_update.

Initiate the specific client and use the client's get method to fetch the current state of your WAF policy object.

Modify the custom_rules property within the retrieved object in your Python code. Update the match_value list for your 'blocklist' rule.

Use the clients begin_create_or_update method, passing the entire modified policy object back. The service-specific SDK is sometimes better at handling read-only properties correctly during this flow compared to the generic ResourceManagementClient.

For your reference: https://learn.microsoft.com/en-us/powershell/module/az.frontdoor/update-azfrontdoorwafpolicy?view=azps-13.4.0

Kindly let us know if the above helps or you need further assistance on this issue.

Share via

How do I update Front Door WAF policy programmatically?

0 additional answers

Your answer