Azure Application Gateway WAF_V2 failing ARM deployment

0
votes

Getting error while deploying App gateway waf_v2 with more then one listener. For single listner it is working fine.

Error :

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n "error": {\r\n "code": "ApplicationGatewayHttpListenersUsingSameFrontendPortAndFrontendIpConfig",\r\n "message": "Two Http Listeners of Application Gateway journal-listner and attachmentmgmt-listner are using the same Frontend Port /subscriptions/77585cb5-cc1b-47a6-b60d-4c1ec4b078fc/resourceGroups/drgr001appgatewaydevtest-au/providers/Microsoft.Network/applicationGateways/bo-appgw-waf-v2-entdev1/frontendPorts/frontendPorts and FrontendIpConfiguration /subscriptions/77585cb5-cc1b-47a6-b60d-4c1ec4b078fc/resourceGroups/drgr001appgatewaydevtest-au/providers/Microsoft.Network/applicationGateways/bo-appgw-waf-v2-entdev1/frontendIPConfigurations/PrivateFrontendIp.",\r\n "details": []\r\n }\r\n}"}]}

template code :

  // Application Gateway
{
  "name": "[parameters('applicationGatewayName')]",
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2020-03-01",
  "location": "[parameters('location')]",
  "zones": "[parameters('availabilityZones')]",
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2",
      "capacity": "[parameters('capacity')]"
    },

    "sslCertificates": [
      {
        "name": "[parameters('certName')]",
        "properties": {
          "data": "[parameters('certData')]",
          "password": "[parameters('certPassword')]"
        }
      }
    ],
    "gatewayIPConfigurations": [
      {
        "name": "gatewayIp",
        "properties": {
          "subnet": {
            "id": "[variables('subnetRef')]"
          }
        }
      }
    ],
    "trustedRootCertificates": "[parameters('trustedRootCertificates')]",
    "frontendIPConfigurations": [
      {
        "name": "PublicFrontendIp",
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "publicIPAddress": {
            "id": "[parameters('publicIpResourceId')]"
          }
        }
      },
      {
        "name": "PrivateFrontendIp",
        "properties": {
          "privateIPAddress": "[parameters('privateIPAddress')]",
          "privateIPAllocationMethod": "Static",
          "subnet": {
            "id": "[variables('subnetRef')]"
          }
        }
      }
    ],
    "frontendPorts": [
      {
        "name": "frontendPorts",
        "properties": {
          "Port": 443
        }
      }
    ],
    "backendAddressPools": "[parameters('backendAddressPools')]",
    "probes": "[parameters('probes')]",
    "copy": [
      {
        "name": "backendHttpSettingsCollection",
        "count": "[length(parameters('backendHttpSettings'))]",
        "input": {
          "name": "[parameters('backendHttpSettings')[copyIndex('backendHttpSettingsCollection')].name]",
          "properties": {
            "port": 443,
            "pickHostNameFromBackendAddress": true,
            "protocol": "Https",
            "probeEnabled": "[parameters('backendHttpSettings')[copyIndex('backendHttpSettingsCollection')].probeEnabled]",
            "probe": {
              "id": "[resourceId('Microsoft.Network/applicationGateways/probes',  parameters('applicationGatewayName'), parameters('backendHttpSettings')[copyIndex('backendHttpSettingsCollection')].probe)]"
            }
          }
        }
      },
      {
        "name": "httpListeners",
        "count": "[length(parameters('httpListeners'))]",
        "input": {
          "name": "[parameters('httpListeners')[copyIndex('httpListeners')].name]",
          "properties": {
            "protocol": "Https",
            // Set hostname if it exists
            "hostName": "[if(contains(parameters('httpListeners')[copyIndex('httpListeners')], 'hostName'), parameters('httpListeners')[copyIndex('httpListeners')].hostName, '')]",
            "sslCertificate": {
              "id": "[concat(variables('applicationGatewayId'), '/sslCertificates/',parameters('httpListeners')[copyIndex('httpListeners')].sslCertificateName)]"
            },
            "frontendIPConfiguration": {
              "id": "[concat(variables('applicationGatewayId'), '/frontendIPConfigurations/PrivateFrontendIp')]"
            },
            "frontendPort": {
              "id": "[concat(variables('applicationGatewayId'), '/frontendPorts/frontendPorts')]"
            }
          }
        }
      },
      {
        "name": "requestRoutingRules",
        "count": "[length(parameters('requestRoutingRules'))]",
        "input": {
          "name": "[parameters('requestRoutingRules')[copyIndex('requestRoutingRules')].name]",
          "properties": {
            "ruleType": "Basic",
            "backendAddressPool": {
              "id": "[concat(variables('applicationGatewayId'), '/backendAddressPools/',parameters('requestRoutingRules')[copyIndex('requestRoutingRules')].backendpoolName)]"
            },
            "backendHttpSettings": {
              "id": "[concat(variables('applicationGatewayId'), '/backendHttpSettingsCollection/',parameters('requestRoutingRules')[copyIndex('requestRoutingRules')].backendHttpSetting)]"
            },
            "httpListener": {
              "id": "[concat(variables('applicationGatewayId'), '/httpListeners/',parameters('requestRoutingRules')[copyIndex('requestRoutingRules')].httpListener)]"
            }
          }
        }
      }
    ],
    "redirectConfigurations": "[parameters('redirectConfigurations')]",
    "enableHttp2": "[parameters('enableHttp2')]",
    "webApplicationFirewallConfiguration": "[variables('webApplicationFirewallConfiguration')]",
    "urlPathMaps": "[parameters('urlPathMaps')]",
    "authenticationCertificates": "[parameters('authenticationCertificates')]",
    "sslPolicy": {
      "policyType": "Predefined",
      "policyName": "AppGwSslPolicy20170401S"
    },
    "rewriteRuleSets": "[parameters('rewriteRuleSets')]"
  }
}

Parameter used :

"backendHttpSettings": {
  "value": [
    {
      "name": "https-attachment",
      "probeEnabled": true,
      "probe": "attachment-probe"
    },
    {
      "name": "https-journal",
      "probeEnabled": true,
      "probe": "journal-probe"
    }
  ]
},

"backendAddressPools": {
  "value": [
    {
      "name": "AttachmentServicePool",
      "properties": {
        "backendAddresses": [
          {
            "fqdn": "attachmentmgmt-svc-api-dev-euw.aseentdev.sys.dom"
          }
        ]
      }
    },
    {
    "name": "journalServicePool",
      "properties": {
        "backendAddresses": [
          {
            "fqdn": "journalmgmt-svc-api-dev-euw.aseentdev.sys.dom"
          }
        ]
      }
    }
  ]
},

"availabilityZones": {
  "value": [
    1,
    2
  ]
},

"probes": {
  "value": [

    {
      "name": "attachment-probe",
      "properties": {
        "protocol": "Https",
        "PickHostNameFromBackendHttpSettings": true,
        "path": "/index.htm",
        "interval": 5,
        "timeout": 10,
        "match": {
          "statusCodes": [
            200
          ],
          "body": "SUCCESS"
        }
      }
    },
    {
      "name": "journal-probe",
      "properties": {
        "protocol": "Https",
        "PickHostNameFromBackendHttpSettings": true,
        "path": "/index.htm",
        "interval": 5,
        "timeout": 10,
        "match": {
          "statusCodes": [
            200
          ],
          "body": "SUCCESS"
        }
      }
    }
  ]
},

"httpListeners": {
  "value": [
    {
      "name": "attachmentmgmt-listner",
      "sslCertificateName": "abc"
    },
    {
      "name": "journal-listner",
      "sslCertificateName": "abc"
    }
  ]
},

"urlPathMaps": {
  "value": []
},

"requestRoutingRules": {
  "value": [

    {
      "name": "attachment-routing-rule",
      "backendpoolName": "AttachmentServicePool",
      "backendHttpSetting": "https-attachment",
      "httpListener": "attachmentmgmt-listner"
    },
    {
      "name": "journal-routing-rule",
      "backendpoolName": "journalServicePool",
      "backendHttpSetting": "https-journal",
      "httpListener": "journal-listner"
    }
  ]
},
2
azureazure-devopsazure-application-gateway

2 Answers

1
votes

You can't create two basic listeners on the same port. Either use different ports or two different hostnames with Multi site listener.

enter image description here

0
votes

change in parameter file with passing host name for httplistner worked fine.

"httpListeners": {
"value": [
{
  "name": "listner1",
  "sslCertificateName": "ABC",
  "hostName": "wb.abc.dom"
},
{
  "name": "listner2",
  "sslCertificateName": "ABC",
  "hostName": "wb1.abc.dom"
}  
]
}