Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
813 questions
How do I update Front Door WAF policy programmatically?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 99%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVU%3C/text%3E%3C/svg%3E)
Vinayak Udaykumar SHASTRI
5
Reputation points
Whenever I try to update an existing Front Door WAF programmatically using the ResourceManagementClient using begin_create_or_update_by_id
I get an error Code: BadRequest Message: Property 'WebApplicationFirewallPolicy.sku' is read-only and cannot be changed.
The identity that has got the Network Contributor role on the Front Door WAF policy.
Am I missing out on something or is this an Azure issue?
{count} votes
-
Deepanshukatara-6769 15,195 Reputation points2025-04-11T06:26:42.4533333+00:00 Hello Vinayak , Welcome to MS Q&A
It seems you are encountering an issue when trying to update an existing Front Door WAF policy, specifically related to the sku property being read-only. This is a common scenario when working with Azure resources, as certain properties cannot be modified after the resource has been created.
Here are some steps to help you troubleshoot and resolve this issue:
Understand Read-Only Properties: The sku property of the Web Application Firewall policy is read-only, meaning it cannot be changed once the policy is created. If you need to change the SKU, you will have to create a new WAF policy with the desired SKU and then associate it with your Front Door instance.
Check Your Update Logic: When using the begin_create_or_update_by_id method, ensure that you are not including the sku property in your update request. Only include properties that are modifiable.
Review Permissions: Although you mentioned having the Network Contributor role, ensure that the identity you are using has the necessary permissions to perform updates on the WAF policy. Sometimes, additional roles or permissions may be required.
- Use the Azure Portal or CLI for Verification: If possible, try to update the WAF policy using the Azure Portal or Azure CLI to see if the issue persists. This can help determine if the problem is with your code or the Azure service itself.
For further assistance, you can refer to the following resources:
- Update WAF Policy: Update-AzFrontDoorWafPolicy provides information on how to update an existing WAF policy without modifying read-only properties.
- Configure WAF: For a comprehensive guide on configuring WAF policies, including creating and managing them, check out the documentation on Configuring WAF.
If you continue to experience issues, consider reaching out to Azure support for more personalized assistance.
Please let me know if any ques
Kindly accept answer if it helps
Thanks
Deepanshu -
Vinayak Udaykumar SHASTRI 5 Reputation points
2025-04-11T06:35:33.2+00:00 Hi Deepanshu,
Thanks for the answer. I have confirmed that there is no sku set in the request as far as I can tell from the logs here:
{'location': 'Global', 'properties': {'customRules': {'rules': [{'action': 'Block', 'enabledState': 'Enabled', 'matchConditions': [{'matchValue': ['<IP_1>', '<IP_2>', '<IP_3>'], 'matchVariable': 'RemoteAddr', 'negateCondition': False, 'operator': 'IPMatch', 'selector': None, 'transforms': []}], 'name': 'blocklist', 'priority': 100, 'rateLimitDurationInMinutes': 1, 'rateLimitThreshold': 100, 'ruleType': 'MatchRule'}]}}}
I am not sure if the ResourceManagementClient sets the sku later by default.
I do not need to update the WAF rule object itself but the AzFrontDoorWafCustomRuleObject which I am not sure if I am allowed to update the IPs inside the custom rule object which is later referenced in the WAF policy.
To sum it up, I need to https://learn.microsoft.com/en-gb/cli/azure/network/front-door/waf-policy/rule?view=azure-cli-latest#commands be able to use the update custom rule feature using Azure API or any REST API client inside a function app. This is where I am stuck in finding the resolution for the error after I used ResourceManagementClient object in my code to update
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 81%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Sai Prasanna Sinde 5,005 Reputation points Microsoft External Staff2025-04-14T10:37:43.67+00:00 Hi @Vinayak Udaykumar SHASTRI-
Instead of the generic ResourceManagementClient, use the client specifically designed for Front Door. This is often found in packages like azure-mgmt-frontdoor or azure-mgmt-network.Look for a client like FrontDoorManagementClient or NetworkManagementClient
Within that client, navigate to operations related to WAF policies. Look for a method like begin_create_or_update.
Initiate the specific client and use the client's get method to fetch the current state of your WAF policy object.
Modify the custom_rules property within the retrieved object in your Python code. Update the match_value list for your 'blocklist' rule.
Use the clients begin_create_or_update method, passing the entire modified policy object back. The service-specific SDK is sometimes better at handling read-only properties correctly during this flow compared to the generic ResourceManagementClient.
For your reference: https://learn.microsoft.com/en-us/powershell/module/az.frontdoor/update-azfrontdoorwafpolicy?view=azps-13.4.0
Kindly let us know if the above helps or you need further assistance on this issue.
-
Sai Prasanna Sinde 5,005 Reputation points Microsoft External Staff
2025-04-15T05:28:02.22+00:00 Following up to see if the above response was helpful. If you have any further queries, please let us know in the comments below.
-
Sai Prasanna Sinde 5,005 Reputation points Microsoft External Staff
2025-04-16T01:14:58.64+00:00 Following up to see if the above response was helpful. If you have any further queries, please let us know in the comments below.
-
Vinayak Udaykumar SHASTRI 5 Reputation points
2025-04-16T01:17:32.5433333+00:00 Thanks for the response. I will keep you posted after trying out the front door client.
Sign in to comment
Sign in to answer