KarthikChowdaryNamburu-7894 asked TravisCragg-MSFT commented

Azure Application Gateway/WAF v2 provisioning keeps failing

Hi All,

We are trying to provision an App Gateway (WAF v2) in a dedicated VNET which is peered with the Transit/Hub VNet. However, the App Gateway provisioning keeps failing with the below error:

"code": "Conflict",
"message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.


On the flip side, if we try to provision the App Gateway (WAF v2) within an isolated VNET without peering with the Transit/Hub Virtual Network, the App Gateway/WAF v2 provisioning succeeds.

Any inputs or advice will be helpful.

Thanks
Karthik





TravisCragg-MSFT answered

Typically this error occurs when an unsupported route is affecting the Application Gateway subnet, typically a 0.0.0.0/0 route to an NVA/firewall, or a route being advertised via BGP. You can find more about Application Gateway and supported custom routes here.

This error should no longer occur once the default route is corrected.



KarthikChowdaryNamburu-7894 answered TravisCragg-MSFT commented

Hi Travis,

We were trying to set up Azure App Gateway as WAF v2, and it looks like a subnet which has an APPGW/WAF v2 does not allow a UDR to be associated, which is weird and confusing.

On the other hand I'm able to associate a UDR with WAF V1, but it does not support Static Public IP and also does not provide benefits of Auto-scaling, Zone redundancy.

I'm really confused and disappointed with the way this has been turning out during our implementation, and we are kind of hitting a dead end whether we use Azure APPGW/WAFv1 or APPGW/WAFv2, each with its own respective set of limitations for critical internet-facing web applications.

Please advise...

Regards
karthik


TravisCragg-MSFT commented:

As is discussed in the doc I linked above, UDRs are supported but only in specific scenarios.

For your scenario, you will need a WAF V2 SKU for the Static Public IP, but you will also need a UDR on the subnet. You can have a UDR on a V2 SKU, but it cannot be a 0/0 route. If it is not letting you deploy the App Gateway, try removing the routes from the subnets, deploying the App Gateway, and then re-adding the route.

Can you share the route that you need to add to the subnet?


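An added example, not part of the original thread and not Microsoft's code: a pre-deployment check over a route table's JSON (in the shape returned by `az network route-table show -o json`) that flags the two conditions named in the answer above, a 0.0.0.0/0 route sent to an NVA/firewall and BGP-advertised routes reaching the Application Gateway subnet. The sample table is constructed, and treating a 0.0.0.0/0 route with next hop `Internet` as acceptable is an assumption of this example.

```python
import ipaddress
import json

# Constructed sample (names and addresses are made up for this example).
SAMPLE_ROUTE_TABLE = json.loads("""
{
  "name": "rt-appgw-subnet",
  "disableBgpRoutePropagation": false,
  "routes": [
    {"name": "default-via-fw", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"},
    {"name": "to-spoke", "addressPrefix": "10.20.0.0/16",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"},
    {"name": "storage-tag", "addressPrefix": "Storage",
     "nextHopType": "Internet"}
  ]
}
""")


def is_default_route(prefix):
    """True only for the IPv4 default route; service tags are not CIDRs."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    return net.version == 4 and net.prefixlen == 0


def audit_route_table(rt):
    """Return (severity, name, detail) findings for an App Gateway v2 subnet."""
    findings = []
    for route in rt.get("routes", []):
        hop = route.get("nextHopType", "")
        # Assumption: a default route is acceptable only with next hop Internet.
        if is_default_route(route.get("addressPrefix", "")) and hop != "Internet":
            findings.append(("fail", route.get("name", ""), "0.0.0.0/0 -> " + hop))
    # With propagation on, a default route learned over BGP can reach the subnet.
    if not rt.get("disableBgpRoutePropagation", False):
        findings.append(("review", rt.get("name", ""),
                         "BGP route propagation enabled"))
    return findings


if __name__ == "__main__":
    for severity, name, detail in audit_route_table(SAMPLE_ROUTE_TABLE):
        print(f"{severity:6} {name}: {detail}")
```

A "review" finding is not a failure by itself; it means the routes learned from the gateway still need to be checked for a default route.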