Azure Application Gateway WAF Policy Custom Rule Update


I have an Application Gateway WAF policy.

I want to update the existing custom rule by adding another IP address.

How can I do this dynamically from Powershell or Azure CLI?

2

There are 2 answers

1
Imran On

I tried to reproduce the same in my environment and got the results successfully, like below:

I created an Azure Application Gateway WAF Policy and a custom rule with an IP address, like below:


To update the existing custom rule by adding another IP address, make use of the below command:

# Match variable: the client source address of the request
$variable1 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RemoteAddr

# Condition: source address is NOT in 192.168.5.0/24 (negated IPMatch)
$condition1 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable1 `
   -Operator IPMatch `
   -MatchValue "192.168.5.0/24" `
   -NegationCondition $True

# Custom rule that blocks whatever the condition above matches
$rule1 = New-AzApplicationGatewayFirewallCustomRule `
   -Name myrule1 `
   -Priority 10 `
   -RuleType MatchRule `
   -MatchCondition $condition1 `
   -Action Block

# Policy settings (Prevention mode) and the policy itself; this creates or overwrites the named policy
$policy = New-AzApplicationGatewayFirewallPolicySetting -Mode "Prevention"
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name <PolicyName> -ResourceGroupName <RGNAME> -Location eastus -CustomRule $rule1 -PolicySetting $policy

Result:


When I check in the portal, the existing custom rule's IP address is updated successfully, like below:


Update:

As per the comment, to add another IP to the same rule, make use of the script below:

# Match variable: the client source address of the request
$variable1 = New-AzApplicationGatewayFirewallMatchVariable `
       -VariableName RemoteAddr

# Condition: a single IPMatch condition can carry several addresses/ranges in -MatchValue
$condition1 = New-AzApplicationGatewayFirewallCondition `
       -MatchVariable $variable1 `
       -Operator IPMatch `
       -MatchValue "157.51.145.196","192.168.5.0/24" `
       -NegationCondition $True

# Only $condition1 is defined, so only it is attached to the rule
$rule1 = New-AzApplicationGatewayFirewallCustomRule `
       -Name myrule1 `
       -Priority 10 `
       -RuleType MatchRule `
       -MatchCondition $condition1 `
       -Action Block

# Re-creating the policy with the same name replaces the previous rule definition
$policy = New-AzApplicationGatewayFirewallPolicySetting -Mode "Prevention"
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name <PolicyName> -ResourceGroupName <RGNAME> -Location eastus -CustomRule $rule1 -PolicySetting $policy


When I use this command, another IP is added successfully, like below:


0
BikerP On

I used the below; depending on your scenario you may need to use the equivalent list function first to get the existing IP addresses and index order, as this overwrites the existing rule. Details: https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy/custom-rule?view=azure-cli-latest

az network application-gateway waf-policy custom-rule match-condition add \
    --resource-group MyResGroup \
    --policy-name MyWafPolicyName \
    --name MyCustomRuleName \
    --index 1 \
    --match-variables RemoteAddr \
    --operator IPMatch \
    --values 192.168.1.1 192.168.2.2
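Both answers above rebuild or append to the rule rather than editing it in place, which is what the question actually asks for. The following is an added example (not code from either answer) that reads the existing policy, appends an address to the RemoteAddr/IPMatch condition of a named custom rule only if it is not already there, and writes the policy back; it assumes the Az.Network cmdlets and their object model (CustomRules, MatchConditions, MatchValues) and constructed placeholder values for the resource names.

```powershell
# Added example: append one address to an existing WAF custom rule in place.
# Assumes Az.Network is installed and you are logged in (Connect-AzAccount).
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # e.g. "rg-waf-demo" (placeholder)
    [Parameter(Mandatory)] [string] $PolicyName,          # e.g. "wafpolicy-demo" (placeholder)
    [Parameter(Mandatory)] [string] $RuleName,            # e.g. "myrule1"
    [Parameter(Mandatory)] [string] $NewAddress           # e.g. "203.0.113.7" or "198.51.100.0/24"
)

# Fail early on a malformed address so a typo never reaches the policy.
$ipPart, $prefix = $NewAddress -split '/', 2
if (-not [System.Net.IPAddress]::TryParse($ipPart, [ref]$null)) { throw "Not an IP address: $NewAddress" }
if ($prefix -and ($prefix -notmatch '^\d{1,3}$' -or [int]$prefix -gt 128)) { throw "Bad prefix length: $NewAddress" }

# Read-modify-write: fetch the current policy instead of re-creating it.
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
$rule = $policy.CustomRules | Where-Object Name -eq $RuleName
if (-not $rule) { throw "Custom rule '$RuleName' not found in policy '$PolicyName'" }

# Only touch the condition(s) that match the client address with IPMatch.
$conditions = $rule.MatchConditions | Where-Object {
    $_.Operator -eq 'IPMatch' -and ($_.MatchVariables.VariableName -contains 'RemoteAddr')
}
if (-not $conditions) { throw "Rule '$RuleName' has no RemoteAddr IPMatch condition" }

$changed = $false
foreach ($c in $conditions) {
    if ($c.MatchValues -contains $NewAddress) {
        Write-Host "$NewAddress is already in rule '$RuleName'; nothing to do."
        continue
    }
    $c.MatchValues.Add($NewAddress)   # MatchValues is a List[string] on the PS object (assumption)
    $changed = $true
}

if ($changed) {
    # Writes the whole policy back; other custom rules and the managed rule set are kept as they were.
    Set-AzApplicationGatewayFirewallPolicy -InputObject $policy | Out-Null
    Write-Host "Added $NewAddress to rule '$RuleName' (action: $($rule.Action)) in policy '$PolicyName'."
}
```

Because the script checks for the address before adding it, it can be run repeatedly from automation without duplicating entries, and it refuses to run against a rule that has no RemoteAddr condition rather than silently creating one.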