Application Gateway WAF policy and geo location mess

Ori Gil 6 Reputation points
2021-08-25T12:45:40.167+00:00

What a mess...

So I wanted to add an application gateway with WAF in front of my internal load balancer so it will be accessible from the internet via the app gw public IP and protected with WAF and accessible only from Israel via a geo location rule.

I created a test lab with an ILB (+3 VM backend pool), I created an application gateway and a WAF policy which I associated with the app gw. It is working just fine.
Now I added the geo location rule to block any traffic not coming from Israel.

[Screenshot: 126385-agwwaf-customrule.png (the custom geo-location rule as shown in the portal)]

It doesn't work: it blocks all traffic from any IP address. I checked from 3 different addresses in Israel and 2 different locations abroad via VPN.
Now on one hand this page gives an example of how to create the above rule with match variable RequestUri and operator GeoMatch. However, this page says to use match variable RemoteAddr with operator GeoMatch, which is not possible.

Now I wanted to start over and disassociate the WAF policy from the gateway and apparently it is impossible. I have to create a new policy and associate it to the app gw, I cannot remove the policy completely.

How do I fix that geo location rule to make it work? So much time wasted on this already :(

Tags: Azure Application Gateway, Azure Web Application Firewall

2 answers

  1. Ori Gil 6 Reputation points
    2021-09-01T13:06:05.057+00:00

    So yes, I tried via PowerShell and apparently that did the trick.
    Via the portal the rule looks like it has no match variable, but it works...

    1 person found this answer helpful.

  2. SaiKishor-MSFT 17,186 Reputation points
    2021-08-31T12:19:18.637+00:00

    @Ori Gil Thank you for reaching out to Microsoft Q&A.

    I understand that the WAF Custom rule is not working for you. In the meantime, have you tried adding a rule using PowerShell and seeing if that works?

    Here is an example rule added via PowerShell for Geo-match:

    # Match on the client's source address (RemoteAddr), which is where a
    # GeoMatch condition has to be evaluated.
    $variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr

    # Condition: source address geo-locates to "US". NegationCondition $False
    # keeps the plain "is in US" semantics.
    $condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable `
        -Operator GeoMatch -MatchValue "US" `
        -Transform Lowercase `
        -NegationCondition $False

    # Custom rule that allows the matching traffic; priority 2 is evaluated
    # before any custom rule with a higher priority number.
    $rule = New-AzApplicationGatewayFirewallCustomRule -Name "allowUS" `
        -Priority 2 -RuleType MatchRule `
        -MatchCondition $condition `
        -Action Allow

    Please let me know, Thank you!

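The rule the question actually asks for (block everything whose source is not geo-located in Israel) is the same construction with the condition negated and the action set to Block. This is an added example, not code from the thread or from Microsoft; it assumes the Az.Network module, a WAF_v2 gateway (custom rules are not available on WAF v1), and placeholder resource group and policy names, and it updates the already-associated policy in place instead of creating a new one.

```powershell
# Added example: block all requests whose source is NOT geo-located in Israel ("IL").
# Assumes Az.Network is installed and Connect-AzAccount has been run.
$rg         = "rg-appgw-lab"     # placeholder resource group name
$policyName = "waf-policy-lab"   # placeholder name of the policy already attached to the gateway

# GeoMatch must be evaluated on the client source address (RemoteAddr), not on RequestUri.
$remoteAddr = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr

# NegationCondition $True turns "source is in IL" into "source is NOT in IL".
$notIsrael = New-AzApplicationGatewayFirewallCondition -MatchVariable $remoteAddr `
    -Operator GeoMatch -MatchValue "IL" -NegationCondition $True

# Priority 1 runs before every other custom rule; Block short-circuits further evaluation.
$blockRule = New-AzApplicationGatewayFirewallCustomRule -Name "blockNonIL" `
    -Priority 1 -RuleType MatchRule -MatchCondition $notIsrael -Action Block

# Fetch the existing policy, replace its custom rules and write it back in place,
# so the gateway association does not have to be touched.
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rg

# A policy in Detection mode only logs matches; blocking needs Prevention mode.
if ($policy.PolicySettings.Mode -ne "Prevention") {
    Write-Warning "Policy '$policyName' is in $($policy.PolicySettings.Mode) mode; the rule will log but not block."
}

$policy.CustomRules = @($blockRule)
Set-AzApplicationGatewayFirewallPolicy -InputObject $policy

# Read back what was stored, to confirm the match variable and negation survived the update.
(Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rg).CustomRules |
    ForEach-Object { $_.MatchConditions | Select-Object MatchVariables, Operator, MatchValues, NegationConditon }
```

After applying the rule, verify from one Israeli and one non-Israeli source address and check the ApplicationGatewayFirewallLog entries for the rule name "blockNonIL" before trusting the result.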