Clarification Needed on Azure WAF Ruleset Upgrade Notification for Non-Configured WAF Policy

Question

I have recently received a notification from Azure urging me to upgrade to the latest Azure Web Application Firewall (WAF) ruleset version, specifically CRS 3.2 or DRS 2.1, by January 26, 2026. This is due to the deprecation of the older CRS 3.0 ruleset version. However, I am uncertain why I received this notification as I believe I do not have a WAF policy or ruleset currently enabled on my AKS Application Gateway.

Current Setup:

• I am using Azure Kubernetes Service (AKS) with an Application Gateway configured as my ingress controller.
• My Application Gateway is on the WAF v2 SKU.
• To the best of my knowledge and recent checks, no WAF policy or ruleset is enabled.

Notification Content:

• The notification warns that after January 26, 2026, it will no longer be possible to create new policies with CRS 3.0 or below, and such policies will not be supported.

My Questions:

1. Why did I receive this notification if I do not have a WAF policy ruleset enabled?
2. How can I verify whether a WAF policy or ruleset is indeed enabled on my Application Gateway through the Azure portal or using Azure CLI/PowerShell?
3. If it turns out that I do need to upgrade, what steps should I take to upgrade the WAF ruleset to the latest version without disrupting my current setup?

I am seeking clarification and guidance on how to proceed to ensure my setup remains compliant and secure. Any assistance or direction you can provide would be greatly appreciated.I have recently received a notification from Azure urging me to upgrade to the latest Azure Web Application Firewall (WAF) ruleset version, specifically CRS 3.2 or DRS 2.1, by January 26, 2026. This is due to the deprecation of the older CRS 3.0 ruleset version. However, I am uncertain why I received this notification as I believe I do not have a WAF policy or ruleset currently enabled on my AKS Application Gateway.

Current Setup:

• I am using Azure Kubernetes Service (AKS) with an Application Gateway configured as my ingress controller.
• My Application Gateway is on the WAF v2 SKU.
• To the best of my knowledge and recent checks, no WAF policy or ruleset is enabled.

Notification Content:

• The notification warns that after January 26, 2026, it will no longer be possible to create new policies with CRS 3.0 or below, and such policies will not be supported.

My Questions:

1. Why did I receive this notification if I do not have a WAF policy ruleset enabled?
2. How can I verify whether a WAF policy or ruleset is indeed enabled on my Application Gateway through the Azure portal or using Azure CLI/PowerShell?
3. If it turns out that I do need to upgrade, what steps should I take to upgrade the WAF ruleset to the latest version without disrupting my current setup?

I am seeking clarification and guidance on how to proceed to ensure my setup remains compliant and secure. Any assistance or direction you can provide would be greatly appreciated.

Answer 1

Hi @Anji Muduthanapally,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I think you're using WAF configuration on Application Gateway.

Why did I receive this notification if I do not have a WAF policy ruleset enabled?

It notifies users who were using the web application firewall. Please upgrade to CRS 3.2 or DRS 2.1, by January 26, 2026.

How can I verify whether a WAF policy or ruleset is indeed enabled on my Application Gateway through the Azure portal or using Azure CLI/PowerShell?

If it turns out that I do need to upgrade, what steps should I take to upgrade the WAF ruleset to the latest version without disrupting my current setup?

In the Rule set select the OWASP 3.2 version.

---

Kindly let us know if the above helps or you need further assistance on this issue.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.