Hi, today I want to talk to you about Azure Application Gateway. This Azure resource is a web traffic load balancer that redirects traffic (HTTP or HTTPS) to specific resources in a back-end group. These resources can be NICs, virtual machine scale sets, public and internal IP addresses, fully qualified domain names (FQDN), and Azure App Service.
In this post, I will show you how to deploy an Azure Application Gateway using Azure PowerShell. Now that the characteristics of the Azure Application Gateway have been explained, we can begin this tutorial.
Prerequisites
- You created a Resource Group for these resources and the new ones deployed in this tutorial will join that group. If you want to know how to create a Resource Group, check out this link.
- You already created the necessary Virtual Network and subnet. If you want to know how to create a Virtual Network, check out this link.
Azure PowerShell Workaround
If you want to know how to install the PowerShell Azure module on your machine, check out this link.
The simplest way to get started is to sign in interactively at the command line.
```powershell
Connect-AzAccount
```
This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account.
If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:
```powershell
Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"
```
Once you set your default subscription, you’re ready to start.
Set the variables
Here, we define the characteristics of our environment and the resource’s properties.
```powershell
#Define the parameters for the Azure resources.
$location = "northeurope"
$resourceGroupName = "RG-DEMO-NE"

#Define the existing VNet information.
$networkName = "DEMO-VNET"
```
Create a dedicated subnet for the App Gateway
First, you should create a new subnet for the App Gateway instances. This subnet must be used only by the App Gateway. Use the Add-AzVirtualNetworkSubnetConfig cmdlet with the following syntax.
```powershell
$vNET = Get-AzVirtualNetwork -Name $networkName `
    -ResourceGroupName $resourceGroupName

Add-AzVirtualNetworkSubnetConfig -Name AppGw-Subnet `
    -AddressPrefix "192.168.100.0/26" `
    -VirtualNetwork $vNET

Set-AzVirtualNetwork -VirtualNetwork $vNET
```
Create a public IP address
Then you will need a public IP. To create a public IP address, you should use the New-AzPublicIpAddress cmdlet with the following syntax.
```powershell
$publicIP = New-AzPublicIpAddress -Name PIP-AG-NE `
    -ResourceGroupName $resourceGroupName `
    -AllocationMethod Dynamic `
    -Location $location `
    -Sku Basic

$publicIP | Select-Object Name, IpAddress, ProvisioningState
```
Create the settings for the application gateway
In this section, you will create the resources and configure the previous settings. As you can see, each of the following commands loads the configurations into variables that will finally be used in the creation of the Application Gateway.
```powershell
## Private IP and subnet configuration.
$vNET = Get-AzVirtualNetwork -Name $networkName `
    -ResourceGroupName $resourceGroupName

$appGwSubnet = Get-AzVirtualNetworkSubnetConfig -Name AppGw-Subnet `
    -VirtualNetwork $vNet

$appGwIpConfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIP" `
    -Subnet $appGwSubnet

## Create the backend group and set the configuration.
$appGwBKPool = New-AzApplicationGatewayBackendAddressPool -Name "AppGwBKpool"

$appGwBKPoolSettings = New-AzApplicationGatewayBackendHttpSetting -Name "AppGwpoolSettings" `
    -Port 80 `
    -Protocol Http `
    -CookieBasedAffinity Disabled `
    -RequestTimeout 30

## Public IP and frontend port configuration.
$appGwFESettings = New-AzApplicationGatewayFrontendPort -Name "AppGwFeSettings" `
    -Port 80

$appGwFEIpConfig = New-AzApplicationGatewayFrontendIPConfig -Name "AppGwFEPIP" `
    -PublicIPAddress $publicIP

## Create the listener and add a routing rule to the backend servers.
$appGwListener = New-AzApplicationGatewayHttpListener -Name "AppGwListener" `
    -Protocol Http `
    -FrontendIPConfiguration $appGwFEIpConfig `
    -FrontendPort $appGwFESettings

$appGwRule = New-AzApplicationGatewayRequestRoutingRule -Name "AppGwRule" `
    -RuleType Basic `
    -BackendHttpSettings $appGwBKPoolSettings `
    -HttpListener $appGwListener `
    -BackendAddressPool $appGwBKPool
```
Deploy the Azure Application Gateway
You will first need to set the SKU for the application gateway. Use the New-AzApplicationGatewaySku cmdlet with the following syntax. With this command, you set the size, the number of instances, and whether WAF is used.
```powershell
$sku = New-AzApplicationGatewaySku -Name WAF_Medium `
    -Tier WAF `
    -Capacity 2
```
Values accepted in the parameters:
-Name: Standard_Small, Standard_Medium, Standard_Large, WAF_Medium, WAF_Large, Standard_v2, WAF_v2.
-Tier: Standard, WAF, Standard_v2, WAF_v2.
-Capacity: Set the number of instances of an application gateway.
Finally, you can create an Azure Application Gateway using the New-AzApplicationGateway cmdlet with the following syntax.
```powershell
New-AzApplicationGateway -Name "AG-DEMO-NE" `
    -ResourceGroupName $resourceGroupName `
    -Location $location `
    -BackendAddressPools $appGWBKPool `
    -BackendHttpSettingsCollection $appGwBKPoolSettings `
    -FrontendIPConfigurations $appGwFEIpConfig `
    -GatewayIPConfigurations $appGwIpConfig `
    -FrontendPorts $appGwFESettings `
    -HttpListeners $appGwListener `
    -RequestRoutingRules $appGwRule `
    -Sku $sku
```
Note that the deployment of this resource will take approximately 20 minutes to complete. Once finished, we can continue with the remaining steps.
Enable the Web application firewall
Once the Application Gateway has been created, you can enable the Web Application Firewall (WAF). To do this, you should use the Set-AzApplicationGatewayWebApplicationFirewallConfiguration cmdlet with the following syntax. This process will take approximately 20 minutes to complete.
```powershell
$appGw = Get-AzApplicationGateway -Name "AG-DEMO-NE" `
    -ResourceGroupName $resourceGroupName

Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $appGw `
    -Enabled $true `
    -FirewallMode Detection `
    -RuleSetType OWASP `
    -RuleSetVersion "3.0"

Set-AzApplicationGateway -ApplicationGateway $appGw
```
Values accepted in the parameters:
-FirewallMode: Detection, Prevention.
-RuleSetType: OWASP
Verify the deployment
You can use the following command to verify the deployment of the Azure Application Gateway.
```powershell
Get-AzApplicationGateway -Name "AG-DEMO-NE" `
    -ResourceGroupName $resourceGroupName `
    | Select-Object Name,OperationalState,ProvisioningState
```
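ProvisioningState only confirms that the resource deployed. The following added example (not part of the original post) also reviews the settings chosen above: WAF in Detection mode logs matching requests without blocking them, and the listener and backend setting both use plain HTTP. The function name Test-AppGwPosture and the sample object are hypothetical; the property names are those returned by Get-AzApplicationGateway.

```powershell
# Added example: review the security-relevant settings of an Application Gateway object.
# Test-AppGwPosture is a hypothetical helper, not an Az module cmdlet.
function Test-AppGwPosture {
    param([Parameter(Mandatory)] $Gateway)

    $findings = @()
    $waf = $Gateway.WebApplicationFirewallConfiguration

    if (-not $waf -or -not $waf.Enabled) {
        $findings += "WAF is not enabled"
    }
    elseif ($waf.FirewallMode -ne 'Prevention') {
        $findings += "WAF mode is '$($waf.FirewallMode)': matching requests are logged, not blocked"
    }

    foreach ($listener in $Gateway.HttpListeners) {
        if ($listener.Protocol -ne 'Https') {
            $findings += "Listener '$($listener.Name)' accepts plain HTTP"
        }
    }
    foreach ($setting in $Gateway.BackendHttpSettingsCollection) {
        if ($setting.Protocol -ne 'Https') {
            $findings += "Backend setting '$($setting.Name)' forwards plain HTTP on port $($setting.Port)"
        }
    }

    [pscustomobject]@{
        Name     = $Gateway.Name
        SkuTier  = $Gateway.Sku.Tier
        WafMode  = $waf.FirewallMode
        RuleSet  = "$($waf.RuleSetType) $($waf.RuleSetVersion)"
        Findings = $findings
    }
}

# Constructed sample that mirrors the values used in this post, so the function runs offline.
$sample = [pscustomobject]@{
    Name = 'AG-DEMO-NE'
    Sku  = [pscustomobject]@{ Tier = 'WAF' }
    WebApplicationFirewallConfiguration = [pscustomobject]@{
        Enabled = $true; FirewallMode = 'Detection'; RuleSetType = 'OWASP'; RuleSetVersion = '3.0' }
    HttpListeners = @([pscustomobject]@{ Name = 'AppGwListener'; Protocol = 'Http' })
    BackendHttpSettingsCollection = @(
        [pscustomobject]@{ Name = 'AppGwpoolSettings'; Protocol = 'Http'; Port = 80 })
}
(Test-AppGwPosture -Gateway $sample).Findings

# Against the deployed gateway:
# Test-AppGwPosture -Gateway (Get-AzApplicationGateway -Name "AG-DEMO-NE" -ResourceGroupName $resourceGroupName)
```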
Now you can add your resources to the backend and use your Azure Application Gateway. In a future post, I will show you how to add resources to the backend pool and perform redirection tests.
Thanks for reading my post. I hope you find it useful.
If you want to know more about Azure Application Gateway, check out this link: https://docs.microsoft.com/en-us/azure/application-gateway/overview