
[Feature] Support custom WAF block response body on Application Gateway for Containers #5719

@michvllni


Is your feature request related to a problem? Please describe.

When the WAF policy attached to an Application Gateway for Containers (AGC) resource blocks a request, the client receives a generic text/plain response with the body {"message":"Forbidden"}. There is no way to customise this response — neither the HTTP status code nor the body.

The Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies ARM schema exposes policySettings.customBlockResponseBody and policySettings.customBlockResponseStatusCode for exactly this use case, and both work correctly on classic Application Gateway. When the same WAF policy is associated with an AGC resource via azurerm_application_load_balancer_security_policy, attempting to set either property results in:

ERROR CODE: ApplicationGatewayFirewallAGCCustomBlockResponseNotSupported

Custom block response is not supported on Application Gateway for Containers resources.
Unable to attach or update policy '/subscriptions/<sub>/resourceGroups/<rg>/providers/
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<policy-name>'

Describe the solution you'd like

Allow customBlockResponseBody (base64-encoded HTML) and customBlockResponseStatusCode to be set on WAF policies associated with Application Gateway for Containers resources, consistent with the existing behaviour on classic Application Gateway.

This would let operators present a branded, user-friendly error page — with contact details and diagnostic information — instead of the raw plain-text forbidden response.

Describe alternatives you've considered

  • azapi_update_resource / direct ARM PATCH — Fails with the same ApplicationGatewayFirewallAGCCustomBlockResponseNotSupported error code. The restriction is enforced server-side, not just in the Terraform provider schema.
  • Custom error handling in the backend / Kubernetes layer — AGC does not forward WAF-blocked requests to the backend, so there is no backend-side hook to intercept them. An HTTPRoute-level error response would require the request to reach a pod, which does not happen when the WAF blocks it.
  • Nginx / other ingress controller — Not applicable for deployments that explicitly use AGC for its Gateway API support and Azure-native WAF integration.

Additional context
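As an added illustration of the request above (this is not code from the issue author, from the azurerm provider, or from Azure), the following Python builds the `policySettings` fragment that an ARM PATCH would carry for a classic Application Gateway WAF policy, using the two property names the issue cites, `customBlockResponseBody` (base64-encoded HTML) and `customBlockResponseStatusCode`. It also includes a small classifier for the generic AGC block response the issue describes, useful in an integration test that checks whether a probe was blocked by the WAF rather than answered by the backend. The allowed status-code set and the body size limit are assumptions for this example, not values taken from the page; the block page HTML is a constructed sample.

```python
"""Build the ARM policySettings fragment for a WAF custom block response.

Added example, not code from the issue or the azurerm provider. The property
names customBlockResponseBody / customBlockResponseStatusCode are the ones the
ARM schema exposes for Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies.
The status-code set and size limit below are assumptions for this example;
check the current ARM schema before relying on them.
"""
import base64
import json

# Assumption: status codes a classic Application Gateway accepts for the
# custom block response. Example constraint only, not the authority.
ALLOWED_STATUS_CODES = {200, 403, 405, 406, 429}
# Assumption: an upper bound on the raw block page; the service enforces its own.
MAX_BODY_BYTES = 32 * 1024

# Constructed sample of a branded block page with contact and diagnostic hints.
SAMPLE_BLOCK_PAGE = """<!doctype html>
<html><head><title>Request blocked</title></head>
<body>
<h1>Your request was blocked by our web application firewall</h1>
<p>If you believe this is an error, contact security@example.invalid and
quote the request ID shown in your browser's developer tools.</p>
</body></html>
"""


def encode_block_body(html: str) -> str:
    """Return the base64 text ARM expects in customBlockResponseBody."""
    raw = html.encode("utf-8")
    if len(raw) > MAX_BODY_BYTES:
        raise ValueError(f"block page is {len(raw)} bytes, over {MAX_BODY_BYTES}")
    return base64.b64encode(raw).decode("ascii")


def decode_block_body(encoded: str) -> str:
    """Inverse of encode_block_body; strict decoding rejects malformed input."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def build_policy_settings_patch(html: str, status_code: int = 403) -> dict:
    """Body of an ARM PATCH that sets only the custom block response fields.

    PATCH merges, so other policySettings values (mode, state, ...) are left
    untouched. Only the two properties named in the issue are emitted.
    """
    if status_code not in ALLOWED_STATUS_CODES:
        raise ValueError(f"status {status_code} not in {sorted(ALLOWED_STATUS_CODES)}")
    return {
        "properties": {
            "policySettings": {
                "customBlockResponseBody": encode_block_body(html),
                "customBlockResponseStatusCode": status_code,
            }
        }
    }


def is_generic_agc_block(content_type: str, body: str) -> bool:
    """True when a response looks like the uncustomisable AGC WAF block
    response the issue describes: text/plain with body {"message":"Forbidden"}.
    A branded HTML page, or any other body, returns False."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "text/plain":
        return False
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return False
    return payload == {"message": "Forbidden"}


if __name__ == "__main__":
    patch = build_policy_settings_patch(SAMPLE_BLOCK_PAGE, 403)
    print(json.dumps(patch, indent=2))
    print("generic AGC block:", is_generic_agc_block("text/plain", '{"message":"Forbidden"}'))
```

The printed JSON is the kind of body that would be sent with `az rest --method patch --url <policy resource id>?api-version=<version> --body @patch.json` against a classic Application Gateway policy; against a policy attached to an AGC resource the same request is rejected with the `ApplicationGatewayFirewallAGCCustomBlockResponseNotSupported` error the issue quotes, which is exactly what the feature request asks to lift.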
