While trying to update an application gateway (to add a backend pool), using the following command:
az network application-gateway address-pool create --gateway-name "***" --resource-group "***" --servers "***" --name "***"
I get the following error:
(ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy) WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy /subscriptions/***/resourceGroups/***/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/*** associated with it.
Code: ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy
Message: WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy /subscriptions/***/resourceGroups/***/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/*** associated with it.
I did a similar change a few days ago and I didn't get any error.
I tried doing the change in the Portal and I get the same error.
I tried disabling the WAF rule but I get the same error.
Any clue? Thanks for your help!
(ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy) WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy /subscriptions/***/resourceGroups/***/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/*** associated with it.
Code: ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy
Message: WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy /subscriptions/***/resourceGroups/***/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/*** associated with it.
The error could occur because some parameters related to the WAF policy are missing from the Application Gateway configuration.
$SubscriptionId = 'xxxxxx-xxxx-xxx'
$ResourceGroupName = 'RGname'
$GatewayName = 'appgwname'
Connect-AzAccount -Subscription $SubscriptionId
$appGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
# Detach the WAF policy and WAF configuration and drop to the Standard_v2 SKU so the gateway can be updated
$appGw.FirewallPolicy = $null
$appGw.Sku.Name = 'Standard_v2'
$appGw.Sku.Tier = 'Standard_v2'
$appGw.WebApplicationFirewallConfiguration = $null
$appGw.ForceFirewallPolicyAssociation = $true
Set-AzApplicationGateway -ApplicationGateway $appGw
Once you finish updating the Application Gateway with the script above, you can update the backend pools of the application gateway with the command below:
az network application-gateway address-pool create --resource-group <resource-group> --gateway-name <app-gate-name> --name MyAddressPool1 --servers <address>
I tried it in my environment and it updated successfully:
Following that, you can use the Azure portal to switch the Application Gateway SKU back to WAF V2 and attach the WAF policy to it.
Reference:
Cannot renew Certificate in Azure Application Gateway with WAF - Microsoft Q&A by GitaraniSharmaMSFT-4262
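The workaround above takes the gateway off the WAF_v2 SKU and detaches its WAF policy until the final portal step puts them back. The following script is an added example, not the answer's own code: it snapshots the protection-relevant fields from the JSON that `az network application-gateway show -o json` prints before the change, compares them with a snapshot taken afterwards, and reports which backend pools were added and whether the gateway has been restored to its original WAF state. The two JSON documents are constructed samples with placeholder resource IDs.

```python
"""Snapshot an Application Gateway's protection-relevant settings before the
detach / downgrade / re-attach workaround and compare them afterwards, so the
gateway is not left on Standard_v2 with no WAF policy once the backend pool
change is done.

Added example, not the answer's script. Input is the JSON printed by
`az network application-gateway show -o json`; the two documents below are
constructed samples with placeholder resource IDs, not captured output.
"""
import json

# Constructed: the gateway before the workaround (WAF_v2 with a policy attached).
BEFORE_JSON = """
{
  "name": "appgw-example",
  "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
  "firewallPolicy": {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<policy-name>"},
  "webApplicationFirewallConfiguration": null,
  "backendAddressPools": [{"name": "pool-a"}]
}
"""

# Constructed: after the script and the address-pool create, before the SKU
# and policy have been switched back in the portal.
AFTER_JSON = """
{
  "name": "appgw-example",
  "sku": {"name": "Standard_v2", "tier": "Standard_v2"},
  "firewallPolicy": null,
  "webApplicationFirewallConfiguration": null,
  "backendAddressPools": [{"name": "pool-a"}, {"name": "pool-b"}]
}
"""

# Fields whose change means the gateway's WAF protection is different.
PROTECTION_FIELDS = ("sku.name", "sku.tier", "firewallPolicy.id",
                     "webApplicationFirewallConfiguration")


def _get(doc, dotted):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def snapshot(gw):
    """Reduce a gateway document to the fields that govern its WAF protection."""
    return {field: _get(gw, field) for field in PROTECTION_FIELDS}


def protection_drift(before_snap, after_snap):
    """List (field, before, after) for every protection field that changed."""
    return [(f, before_snap[f], after_snap[f])
            for f in PROTECTION_FIELDS if before_snap[f] != after_snap[f]]


def pool_names(gw):
    return sorted(p["name"] for p in gw.get("backendAddressPools") or [])


def check_workaround(before_json, after_json):
    """Report what the workaround changed: the pools it added and any WAF drift."""
    before, after = json.loads(before_json), json.loads(after_json)
    drift = protection_drift(snapshot(before), snapshot(after))
    return {
        "pools_added": sorted(set(pool_names(after)) - set(pool_names(before))),
        "drift": drift,
        "waf_restored": not drift,
    }


if __name__ == "__main__":
    report = check_workaround(BEFORE_JSON, AFTER_JSON)
    print("pools added:", report["pools_added"])
    for field, was, now in report["drift"]:
        print(f"DRIFT {field}: {was!r} -> {now!r}")
    print("WAF restored:", report["waf_restored"])
```

Run it once before the script with the real `show` output saved to a file, and again after the portal step: an empty drift list with the new pool listed is the state to expect before calling the change finished.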
I have a Cloud Service (Extended Support) on Azure and want to retrieve the associated public IP address from an Azure script. However when I run
Get-AzCloudServicePublicIPAddress -CloudServiceName $serviceName -ResourceGroupName $resourceGroup -verbose
Nothing seems to happen at all. Moreover, when I run a swap command, i.e.
Switch-AzCloudService -CloudServiceName $serviceName -ResourceGroupName $resourceGroup -Confirm:$false
it is successful and I can see the public IP address for both the services in the output logging! Obviously I don't want to have to call this command to retrieve the IP address.
How do I get the IP information from PowerShell using the Az PowerShell module?
Things to check:
Make sure that you are executing it in the correct Azure tenant or subscription. Otherwise, it will not retrieve the exact output. Set the Azure subscription to the current one:
Select-AzureSubscription -SubscriptionId <subscriptionID>
Check whether any public IP addresses are configured under the given cloud service.
Cloud Service commands support Cloud Services (extended support) only. Check once whether you are trying to retrieve the same.
You can simply use the Az CLI command below to retrieve the IP configuration:
az network public-ip show -g <ResourceGroup> -n <publicIP>
Or
az network public-ip list
I am trying to retrieve app service certificate details, but it only retrieves them for the entire resource group using PowerShell as follows:
az webapp config ssl list --resource-group "TestResourceGroup" | ConvertFrom-Json
There are a number of app services in this resource group. I want the certificate details for a certain app service, not all of them.
How can I get the details for a particular app service?
You can try using az webapp config ssl show --resource-group <RG_val> --certificate-name <naked_FQDN> (not sure what you need to return). Or alternatively use a JMESPath on the az webapp config list to control what you are returning.
Thanks #mklement0, I have reproduced in my environment and got expected results as below and I followed Microsoft-Document:
$r=az webapp config ssl list --resource-group XX
$r.WebAppName.Certificate
$r | ConvertFrom-Json
XX- Name of the resource group
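`az webapp config ssl list` returns every certificate in the resource group and carries no web-app field, so narrowing it to one app means matching on the hostnames bound to that app. The script below is an added example, not code from the question or the answer: it filters the list's JSON output by the app's custom hostnames (what `az webapp show --query hostNames` returns) and flags certificates that expire within a warning window. The certificate list and hostnames are constructed; the equivalent JMESPath filter on the CLI side for a single hostname is `--query "[?contains(hostNames, 'www.contoso-example.com')]"`.

```python
"""Select the certificates that belong to one web app from the output of
`az webapp config ssl list --resource-group <rg> -o json`, and flag the ones
that expire soon.

Added example, not code from the question or answer. The list output has no
web-app field, so the match is made on the app's custom hostnames (what
`az webapp show --query hostNames` returns). The certificate list and
hostnames below are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample of the list output: fake hostnames and thumbprints.
CERT_LIST_JSON = """
[
  {"name": "www.contoso-example.com", "subjectName": "www.contoso-example.com",
   "hostNames": ["www.contoso-example.com"], "thumbprint": "AAAA1111",
   "issuer": "Example CA", "expirationDate": "2025-01-20T00:00:00+00:00"},
  {"name": "api.contoso-example.com", "subjectName": "api.contoso-example.com",
   "hostNames": ["api.contoso-example.com"], "thumbprint": "BBBB2222",
   "issuer": "Example CA", "expirationDate": "2026-09-15T00:00:00+00:00"},
  {"name": "shop.fabrikam-example.net", "subjectName": "shop.fabrikam-example.net",
   "hostNames": ["shop.fabrikam-example.net"], "thumbprint": "CCCC3333",
   "issuer": "Example CA", "expirationDate": "2025-06-30T00:00:00+00:00"}
]
"""

# Constructed: the custom hostnames bound to the one app we care about.
APP_HOSTNAMES = ["www.contoso-example.com", "api.contoso-example.com"]


def certs_for_app(cert_list, app_hostnames):
    """Certificates whose hostNames overlap the app's bound hostnames."""
    wanted = {h.lower() for h in app_hostnames}
    return [c for c in cert_list
            if wanted & {h.lower() for h in c.get("hostNames") or []}]


def _parse_iso(value):
    """Parse an ISO-8601 timestamp; a trailing Z or a missing zone is taken as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def days_until_expiry(cert, now):
    """Whole days from `now` to the certificate's expirationDate (negative if expired)."""
    return (_parse_iso(cert["expirationDate"]) - now).days


def certificate_report(cert_list_json, app_hostnames, now_iso, warn_days=30):
    """One row per certificate bound to the app, with its remaining lifetime."""
    now = _parse_iso(now_iso)
    rows = []
    for c in certs_for_app(json.loads(cert_list_json), app_hostnames):
        left = days_until_expiry(c, now)
        rows.append({"name": c["name"], "thumbprint": c["thumbprint"],
                     "days_left": left, "expiring_soon": left < warn_days})
    return rows


if __name__ == "__main__":
    today = datetime.now(timezone.utc).isoformat()
    for row in certificate_report(CERT_LIST_JSON, APP_HOSTNAMES, today):
        print(row)
```

Feed it the real list with `az webapp config ssl list -g <rg> -o json > certs.json` and the app's `hostNames` array; the `expiring_soon` flag is where a renewal alert would hang.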
I'm trying to use the Azure CLI to update the Incoming Client Certificate option under Web App > Configuration > General Settings > Incoming Client Certificates to use the value Allow.
Currently I can only set the value to true/false which correlates to Require/Ignore.
az webapp update --set clientCertEnabled=true --name MyWebApp --resource-group MyRsGrp
I haven't been able to find anything in the reference documentation.
https://learn.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest#az_webapp_update
Does anyone have a nifty way to configure this setting? Thanks!
To set it to Allow, two properties need to be set, clientCertEnabled and clientCertMode; clientCertMode is not available in the az webapp update command, so you need to use az resource update.
Just use the command below, it works for me.
az resource update --name <webapp-name> --resource-group <group-name> --namespace Microsoft.Web --resource-type sites --set properties.clientCertEnabled=true properties.clientCertMode=Optional
Looking into using AKS but having some issues/queries when creating.
I can create a cluster using the following CLI command:
az aks create --resource-group myRG --name aks --node-count 2 --generate-ssh-keys --enable-managed-identity --attach-acr myACR
And this creates it fine without any issues. I want to add Application Gateway which is causing me issues and have narrowed it down to the following call:
az aks create --resource-group myRG --name aks --node-count 2 --generate-ssh-keys --enable-managed-identity --attach-acr myACR --network-plugin azure
By setting the --network-plugin to Azure it fails with the following error:
ValidationError: Directory permission is needed for the current user to register the application. For how to configure, please refer 'https://learn.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: Insufficient privileges to complete the operation.
Setting the --debug flag on the call displays the following:
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "POST /1f141cfd-a6c5-4e9a-bf84-7116c141e5f4/applications?api-version=1.6 HTTP/1.1" 403 219
msrest.http_logger : Response status: 403
...
msrest.http_logger : {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"65e9cb16-4df1-4824-bd33-3ee6f691ed07","date":"2020-10-19T10:58:49"}}
So I can see that it's because I do not have permissions to create an app in Azure AD.
I do not have access to Azure AD as it's a corporate one, but wondering the following:
What are the lowest permissions required for me to be able to create AKS in AD?
Can the Azure AD owner create me an application for me to then use? How would I reference this when creating the cluster?
Is Managed Identities preferred over Service Principals? Can managed identities be used with existing AD objects?
I have a feeling some of my questions show my lack of understanding/knowledge of how permissions work with Azure AKS/AD, but I am having trouble understanding as there are not a lot of readable errors (I can't even access the Azure AD pane within the portal).
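The `--debug` output above contains everything needed to explain the failure: the CLI made a POST to the directory's `/applications` endpoint on graph.windows.net and the directory answered 403 with `Authorization_RequestDenied`. The script below is an added example, not part of the question: it scans that kind of log for a denied Graph call, pairs it with the `odata.error` body logged after it, and pulls out the tenant id, error code and request id that a directory administrator would ask for. The sample is the excerpt quoted in the question, embedded as a constructed string; the regular expressions follow the urllib3 and msrest line formats shown there.

```python
"""Pull the denied Azure AD Graph call out of `az aks create --debug` output so the
cause (the CLI trying to register an application in the directory) and the
request id are in hand before asking a directory admin for help.

Added example, not part of the question. The log excerpt is the one quoted
above, embedded here as a constructed string; the line formats are those of
the urllib3 and msrest loggers the CLI wrote at the time.
"""
import json
import re

SAMPLE_DEBUG = """\
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "POST /1f141cfd-a6c5-4e9a-bf84-7116c141e5f4/applications?api-version=1.6 HTTP/1.1" 403 219
msrest.http_logger : Response status: 403
msrest.http_logger : {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"65e9cb16-4df1-4824-bd33-3ee6f691ed07","date":"2020-10-19T10:58:49"}}
"""

# A completed HTTP call as urllib3 logs it: host, verb, path, status.
HTTP_CALL = re.compile(
    r'urllib3\.connectionpool : (?P<host>https?://\S+) "(?P<verb>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')
# The JSON error body msrest logs after a failed Graph call.
ODATA_ERROR = re.compile(r'msrest\.http_logger : (?P<body>\{"odata\.error".*\})')
# Graph's application-registration endpoint: /<tenant-id>/applications
APP_REGISTRATION = re.compile(r'^/(?P<tenant>[0-9a-f-]{36})/applications')


def denied_calls(log_text):
    """Pair each 403 Graph call with the odata.error body that follows it."""
    found, pending = [], None
    for line in log_text.splitlines():
        m = HTTP_CALL.search(line)
        if m:
            pending = m.groupdict() if m.group("status") == "403" else None
            continue
        m = ODATA_ERROR.search(line)
        if m and pending is not None:
            err = json.loads(m.group("body"))["odata.error"]
            pending.update(error_code=err.get("code"),
                           message=(err.get("message") or {}).get("value"),
                           request_id=err.get("requestId"),
                           date=err.get("date"))
            found.append(pending)
            pending = None
    return found


def diagnose(log_text):
    """Summarise what the directory refused, without guessing which role fixes it."""
    for call in denied_calls(log_text):
        reg = APP_REGISTRATION.match(call["path"])
        if call["verb"] == "POST" and reg:
            return {
                "cause": "app-registration-denied",
                "tenant": reg.group("tenant"),
                "error_code": call["error_code"],
                "message": call["message"],
                "request_id": call["request_id"],
            }
    return {"cause": "no-denied-graph-call-found"}


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_DEBUG), indent=2))
```

Usage: `az aks create ... --debug 2> aks-debug.log` and pass the file's contents to `diagnose`; the request id and tenant in the result are what identify this exact refusal on the directory side.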
I designed a PowerShell script that is able to properly configure various settings of a Function App (including CORS, for example).
The Function App works and can be called from an API Management service.
When the need arose to configure Azure AD, I've used Az/CLI to replicate exactly what I do using Portal UI (and what I set manually perfectly works).
But it stopped working, APIM returns HTTP status code 401 (unauthorized).
The part of the script that configures Azure AD is the following:
# $aad is a simple class that contains the values to be configured
# currently AllowedTokens is always empty
if ($aad) {
    'Setting Function App AAD configuration.' | Write-Verbose
    $allowedTokens = if ($aad.AllowedTokens) { "--aad-allowed-token-audiences $($aad.AllowedTokens -join ' ')" } else { '' }
    # Build the az command as a string and run it
    "az webapp auth update --name $name --resource-group $group --enabled $($aad.Enabled.ToString().ToLower())" +
        " --action LoginWithAzureActiveDirectory --aad-client-id $($aad.ClientId) --aad-client-secret $($aad.ClientSecret)" +
        " --token-store true" +
        " --aad-token-issuer-url $($aad.TokenIssuerUrl) $allowedTokens" |
        Invoke-Expression
    'Function App AAD configuration set.' | Write-Verbose
}
The first strange thing is that if I disable authentication/authorization,
save the settings, then enable it and save again, everything starts working.
So I've started again and launched the script. I've examined the resource.
az auth show says that unauthenticatedClientAction is set to RedirectToLoginPage.
az resource show says that unauthenticatedClientAction is set to null.
When I do the trick described above:
az auth show says that unauthenticatedClientAction is set to AllowAnonymous.
az resource show says that unauthenticatedClientAction is set to null.
So I think this is the important difference that makes the Function App work properly (or rather, this is the way to configure it properly).
Since I've used this method with success for other settings, I've tried to set this property with Az/CLI:
az resource update --name web --resource-group $group --namespace Microsoft.Web --resource-type config `
--parent "sites/$funcName" --set properties.siteAuthSettings.unauthenticatedClientAction=AllowAnonymous
The JSON returned as response shows nothing changed. Inspecting the resource confirms it.
One more thing, when I export the resource group I can't see any unauthenticatedClientAction in any Function App template.
What's the correct way to set unauthenticatedClientAction to AllowAnonymous?
Any help will be really appreciated!
First, to answer your question, to set unauthenticatedClientAction to AllowAnonymous, just use
az webapp auth update --name <functionapp-name> --resource-group <group-name> --action AllowAnonymous
Actually, when you do the trick in the portal, it will change the [screenshot] to [screenshot]. This is the unauthenticatedClientAction setting.
Then the question is: I am not sure whether you want to secure your Azure function with Azure AD or not. Because when you set unauthenticatedClientAction to AllowAnonymous, your function will allow anonymous requests, and the Azure AD auth will not take effect.
When the need arose to configure Azure AD, I've used Az/CLI to replicate exactly what I do using Portal UI (and what I set manually perfectly works). But it stopped working, APIM returns HTTP status code 401 (unauthorized).
Yes, the 401 error means the Azure AD auth took effect: if you enable Azure AD auth (set Log in with Azure Active Directory), you need to get an access token for your client/user, then use the token to access the function. (Not sure how to implement it in APIM, I am not an expert in APIM :-))
For more details, you could check this blog and this post.
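Both the Incoming Client Certificates question earlier on this page and this Function App question come down to reading two site settings back correctly: the pair clientCertEnabled/clientCertMode on the site resource, and the Easy Auth pair enabled/unauthenticatedClientAction that `az webapp auth show` prints. The script below is an added example, not code from either answer: it maps the certificate pair onto the portal's Ignore/Allow/Require wording, decides whether unauthenticated requests reach the code (they do under AllowAnonymous, which is why the "working" state in the question no longer enforces Azure AD), and lists the findings a reviewer would raise. The property documents are constructed, the `defaultProvider` check assumes the v1 auth settings shape, and the findings wording is this example's own.

```python
"""Read back two Web App / Function App settings that decide who can reach the
code at all: the incoming client certificate mode (clientCertEnabled and
clientCertMode on the site resource) and the Easy Auth settings from
`az webapp auth show` (enabled and unauthenticatedClientAction).

Added example, not code from either answer. Site properties come from
`az webapp show -o json` (or `az resource show`), auth settings from
`az webapp auth show -o json`; the documents below are constructed and the
finding texts are this example's own.
"""


def client_cert_setting(site_props):
    """Portal wording (Ignore / Allow / Require) for the two ARM properties."""
    if not site_props.get("clientCertEnabled"):
        return "Ignore"                       # certificates not requested at all
    mode = site_props.get("clientCertMode") or "Required"
    return {"Required": "Require", "Optional": "Allow"}.get(mode, mode)


def auth_posture(auth_settings):
    """What Easy Auth does with a request that carries no token."""
    enabled = bool(auth_settings.get("enabled"))
    action = auth_settings.get("unauthenticatedClientAction")
    # AllowAnonymous lets unauthenticated requests through to the code; the
    # configured identity provider then only matters for callers that opt in.
    anonymous_reaches_app = (not enabled) or action == "AllowAnonymous"
    return {
        "auth_enabled": enabled,
        "unauthenticated_client_action": action,
        "anonymous_reaches_app": anonymous_reaches_app,
        # defaultProvider value assumed from the v1 auth settings shape
        "aad_enforced": enabled and action == "RedirectToLoginPage"
                        and auth_settings.get("defaultProvider") == "AzureActiveDirectory",
    }


def review(site_props, auth_settings):
    """Findings a reviewer would raise from the two documents together."""
    findings = []
    cert = client_cert_setting(site_props)
    auth = auth_posture(auth_settings)
    if auth["anonymous_reaches_app"] and cert == "Ignore":
        findings.append("anonymous requests reach the app: no token and no client certificate required")
    elif auth["anonymous_reaches_app"]:
        findings.append(f"Easy Auth is not enforced ({auth['unauthenticated_client_action'] or 'disabled'}); "
                        f"only the client certificate setting ({cert}) applies")
    if cert == "Allow":
        findings.append("clientCertMode=Optional: the app must validate the certificate itself when one is presented")
    return {"client_cert": cert, **auth, "findings": findings}


# Constructed documents: the asker's "working" state (AllowAnonymous) versus an enforced one.
SITE_CERT_ALLOW = {"clientCertEnabled": True, "clientCertMode": "Optional"}
SITE_CERT_IGNORE = {"clientCertEnabled": False}
AUTH_ANONYMOUS = {"enabled": True, "unauthenticatedClientAction": "AllowAnonymous",
                  "defaultProvider": "AzureActiveDirectory", "clientId": "<app-id>"}
AUTH_ENFORCED = {"enabled": True, "unauthenticatedClientAction": "RedirectToLoginPage",
                 "defaultProvider": "AzureActiveDirectory", "clientId": "<app-id>"}

if __name__ == "__main__":
    for label, site, auth in (("anonymous+ignore", SITE_CERT_IGNORE, AUTH_ANONYMOUS),
                              ("enforced+allow", SITE_CERT_ALLOW, AUTH_ENFORCED)):
        print(label, review(site, auth))
```

In the question's scenario the APIM call succeeds only once the app is in the AllowAnonymous state, which `review` reports as "Easy Auth is not enforced"; keeping RedirectToLoginPage and sending a bearer token from the caller is the configuration in which `aad_enforced` is true.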