In this post, I will walk you through the steps for creating a new Application Gateway (AG) and publishing web applications behind AGs in Azure using PowerShell.

On the public internet, it is critical to secure the web applications you manage. In Azure, you can protect publicly accessible web applications by placing them behind an AG with web application firewall (WAF) capabilities: the WAF inspects and filters the traffic arriving from the internet before it reaches the web application behind the gateway.

Creating a new Resource Group and an App Service plan

We are going to create a new Resource Group (RG) in which our web app and AG will reside. To create a new WebApp, we will need to create an App Service plan first. App Service plans have different pricing tiers based on the features they offer. We are going to use a free tier App Service plan for this scenario.

So let's create a new RG and an App Service plan using the commands below.

# Creating a new resource group

$resourcegroup = New-AzureRmResourceGroup -Name 4SYSOPSTEST -Location Eastus

# Creating a new App Service plan

$WebAppName="4sysops-test$(Get-Random)"

New-AzureRmAppServicePlan -Name $WebAppName `
-Location EastUs `
-ResourceGroupName $resourcegroup.ResourceGroupName `
-Tier Free

Creating a new Resource Group and an App Service plan

Creating a new Web App

Now we can create our Web Application using the following command:

$WebApp = New-AzureRmWebApp -ResourceGroupName $resourcegroup.ResourceGroupName `
-Name $WebAppName `
-Location EastUs `
-AppServicePlan $WebAppName

$WebApp

Creating a new Web App in Azure

We can now navigate the URL of the Web App using the following command:

$browser= New-Object -ComObject "InternetExplorer.Application"
$browser.visible=$true
$browser.navigate2($webapp.defaulthostname)

Navigating to the Web App using its own public URL

Creating Application Gateway prerequisites

We've already confirmed the Web App is functioning properly. The next step is to spin up a new Application Gateway and place our Web App behind it. As the first step of creating the AG, we will create a new virtual network (VNet) and a subnet so we can associate them with the AG at creation time.

Create a new VNet and subnet

To create a new VNet and a subnet, you can use the following commands:

$subnet = New-AzureRmVirtualNetworkSubnetConfig -Name Subnet01 `
-AddressPrefix 192.168.10.0/24 `
-WarningAction SilentlyContinue

$AppGatewayVNET = New-AzureRmVirtualNetwork -Name AppGatewayVNET `
-ResourceGroupName $resourcegroup.ResourceGroupName `
-Location EastUs `
-AddressPrefix 192.168.0.0/16 `
-Subnet $subnet `
-WarningAction SilentlyContinue

$subnet=$AppGatewayVNET.Subnets[0]

Creating a new VNet and a subnet for the Application Gateway

Create a new public IP address

We need to create a public IP address in advance and later assign it to the AG to make it reachable from the internet.

Use the command below to create a new public IP address:

$publicip = New-AzureRmPublicIpAddress -ResourceGroupName $resourcegroup.ResourceGroupName `
-name AppGatewayPublicIP01 `
-location EastUs `
-AllocationMethod Dynamic

Creating a new public IP address to assign to the AG

This creates the public IP resource. Because the allocation method is Dynamic, the actual address is assigned only once the IP resource is associated with the AG, so the IP information becomes visible after that step.

Creating Application Gateway components

Now we can create the remaining Application Gateway components using the following commands. All of these components must exist before the AG itself can be created.

# Creating a new IP configuration
$gipconfig = New-AzureRmApplicationGatewayIPConfiguration -Name gatewayIPconfig01 `
-Subnet $subnet

# Creating a new backend pool pointing to the hostname of the web app that we have created earlier
$pool = New-AzureRmApplicationGatewayBackendAddressPool -Name GatewayBackendPool01 `
-BackendFqdns $WebApp.HostNames

# Creating a health probe
$probe = New-AzureRmApplicationGatewayProbeConfig -name Gatewayappprobe01 `
-Protocol Http `
-Path / `
-Interval 30 `
-Timeout 120 `
-UnhealthyThreshold 3 `
-PickHostNameFromBackendHttpSettings

# Creating a new backend http settings
$httpSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name GatewayBackendHttpSettings01 `
-Port 80 `
-Protocol Http `
-CookieBasedAffinity Disabled `
-RequestTimeout 120 `
-PickHostNameFromBackendAddress `
-Probe $probe

# Creating a new front-end port
$fp = New-AzureRmApplicationGatewayFrontendPort -Name gatewayfrontendport01 `
-Port 80

# Creating a new front end IP configuration
$fipconfig = New-AzureRmApplicationGatewayFrontendIPConfig -Name gatewayfipconfig01 `
-PublicIPAddress $publicip

# Creating a new listener using the front-end IP configuration and port that we have created earlier
$listener = New-AzureRmApplicationGatewayHttpListener -Name listener01 `
-Protocol Http `
-FrontendIPConfiguration $fipconfig `
-FrontendPort $fp

# Creating a new rule
$rule = New-AzureRmApplicationGatewayRequestRoutingRule -Name rule01 `
-RuleType Basic `
-BackendHttpSettings $httpSetting `
-HttpListener $listener `
-BackendAddressPool $pool

# Specifying the Application Gateway SKU
$sku = New-AzureRmApplicationGatewaySku -Name WAF_Medium `
-Tier WAF `
-Capacity 2

Creating Application Gateway components
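The components above publish the Web App over plain HTTP on both sides of the gateway, so the WAF inspects traffic but nothing is encrypted. As an added example (not code from the original post), the following builds HTTPS equivalents of the port, listener, probe, backend settings and rule, plus a predefined TLS policy that disables TLS 1.0/1.1. It assumes a PFX file at a placeholder path, that $fipconfig and $pool from the post already exist, and a recent AzureRm.Network version in which the -Password parameter of New-AzureRmApplicationGatewaySslCertificate is a SecureString.

```powershell
# Added example, not part of the original post: HTTPS versions of the AG components.
# Assumptions: a PFX file at the placeholder path below; $fipconfig and $pool exist.
$pfxPath     = "C:\certs\appgw.pfx"                       # placeholder path
$pfxPassword = Read-Host -AsSecureString "PFX password"   # do not hard-code the password

# Certificate the AG presents to clients on the public listener
$cert = New-AzureRmApplicationGatewaySslCertificate -Name gatewayCert01 `
    -CertificateFile $pfxPath `
    -Password $pfxPassword

# Front-end port 443
$fp443 = New-AzureRmApplicationGatewayFrontendPort -Name gatewayfrontendport443 -Port 443

# HTTPS listener bound to the public front-end IP configuration from the post
$listener443 = New-AzureRmApplicationGatewayHttpListener -Name listener443 `
    -Protocol Https `
    -FrontendIPConfiguration $fipconfig `
    -FrontendPort $fp443 `
    -SslCertificate $cert

# Probe and backend settings over HTTPS; App Service presents a publicly trusted
# certificate, so the v1 SKU needs no backend authentication certificate here
$probe443 = New-AzureRmApplicationGatewayProbeConfig -Name Gatewayappprobe443 `
    -Protocol Https -Path / -Interval 30 -Timeout 120 -UnhealthyThreshold 3 `
    -PickHostNameFromBackendHttpSettings

$httpsSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name GatewayBackendHttpsSettings01 `
    -Port 443 -Protocol Https -CookieBasedAffinity Disabled -RequestTimeout 120 `
    -PickHostNameFromBackendAddress -Probe $probe443

# Routing rule tying the HTTPS listener to the same backend pool (the Web App)
$rule443 = New-AzureRmApplicationGatewayRequestRoutingRule -Name rule443 `
    -RuleType Basic -BackendHttpSettings $httpsSetting `
    -HttpListener $listener443 -BackendAddressPool $pool

# Predefined policy that allows only TLS 1.2 and strong cipher suites on the front end
$sslPolicy = New-AzureRmApplicationGatewaySslPolicy -PolicyType Predefined `
    -PolicyName AppGwSslPolicy20170401S

# When calling New-AzureRmApplicationGateway, pass these in place of (or in addition to)
# the HTTP components, for example:
#   -SslCertificates $cert -FrontendPorts $fp443 -HttpListeners $listener443 `
#   -Probes $probe443 -BackendHttpSettingsCollection $httpsSetting `
#   -RequestRoutingRules $rule443 -SslPolicy $sslPolicy
```

If you keep the port 80 listener alongside the HTTPS one, each listener needs its own rule, and on the v1 SKU every listener must use a distinct port or host name.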

Creating an Application Gateway

Once all required components are ready, we can create the AG using the following command, which references each of the components we built above.

# Creating the Application Gateway resource
$appgw = New-AzureRmApplicationGateway -Name 4sysopsAppGateway01 `
-ResourceGroupName $resourcegroup.ResourceGroupName `
-Location EastUs `
-BackendAddressPools $pool `
-BackendHttpSettingsCollection $httpSetting `
-Probes $probe `
-FrontendIpConfigurations $fipconfig `
-GatewayIpConfigurations $gipconfig `
-FrontendPorts $fp `
-HttpListeners $listener `
-RequestRoutingRules $rule `
-Sku $sku

Creating an Application Gateway
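The command above selects the WAF SKU but passes no firewall configuration, so it is worth confirming that the WAF engine is actually enabled and in the mode you want. As an added example (not code from the original post), the following reads the gateway back, enables the OWASP 3.0 rule set in Prevention mode, commits the change, and optionally turns on firewall logging. The $storageAccountId used for the diagnostic setting is a placeholder you must replace with the resource ID of an existing storage account.

```powershell
# Added example, not part of the original post: verify and enable the WAF on the AG.
$appgw = Get-AzureRmApplicationGateway -Name 4sysopsAppGateway01 `
    -ResourceGroupName $resourcegroup.ResourceGroupName

# Show the current firewall configuration (empty if none was supplied at creation)
$appgw.WebApplicationFirewallConfiguration

# Enable the OWASP Core Rule Set 3.0 in Prevention mode so matching requests are
# blocked rather than only logged. Use -FirewallMode Detection first if you need to
# baseline false positives for the application before blocking.
$appgw = Set-AzureRmApplicationGatewayWebApplicationFirewallConfiguration `
    -ApplicationGateway $appgw `
    -Enabled $true `
    -FirewallMode Prevention `
    -RuleSetType OWASP `
    -RuleSetVersion 3.0

# Commit the modified gateway object to Azure
$appgw = Set-AzureRmApplicationGateway -ApplicationGateway $appgw

# Confirm the effective configuration
Get-AzureRmApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $appgw

# Optional: send WAF and access logs to a storage account so blocked requests can be reviewed.
# $storageAccountId is a placeholder; use the resource ID of an existing storage account.
$storageAccountId = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"
Set-AzureRmDiagnosticSetting -ResourceId $appgw.Id `
    -StorageAccountId $storageAccountId `
    -Enabled $true `
    -Categories ApplicationGatewayAccessLog, ApplicationGatewayFirewallLog
```

Applying Set-AzureRmApplicationGateway on a running gateway takes several minutes, as the configuration is pushed to every instance defined by the SKU capacity.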

Validating the communication

We have now created and configured our AG with WAF. The AG accepts requests from the internet and forwards them to the Web App transparently.

To check the communication, we need to get the public IP address or DNS name of the AG. Since we associated the AG with the public IP address, we should now be able to get this information using the following command:

Get-AzureRmPublicIpAddress -Name "AppGatewayPublicIP01" `
-ResourceGroupName 4sysopstest

Getting the public IP Address and DNS settings of the Application Gateway

We can use either the fully qualified domain name (FQDN) or the IP address of the AG to reach the Web Application behind it. In my case, I've added an entry to the hosts file to be able to resolve a custom DNS name.

The result is as follows. The web application we've created is now reachable through the AG (WAF).

Validating the communication

In a real-world scenario, you may want to create a canonical name (CNAME) record in your public DNS and point it to the public IP address (or its DNS label) of the Application Gateway. That way, requests go directly to the AG, and the gateway takes care of forwarding them to the web apps in the background.

Additionally, to prevent direct internet access to the web apps, you may set up an IP restriction at the Web App level to accept requests only from the AG.
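Without such a restriction, anyone who knows the *.azurewebsites.net name can bypass the WAF by talking to the Web App directly. As an added example (not code from the original post), the following reads the AG's public IP, allows only that address in the Web App's IP restrictions, and then checks both paths. It assumes the variables $resourcegroup, $WebAppName and $WebApp from earlier in the post, and that the gateway is a v1 SKU, whose traffic towards App Service leaves from its frontend public IP. Once at least one restriction exists, App Service denies all other source addresses implicitly.

```powershell
# Added example, not part of the original post: restrict direct access to the Web App
# so that only the Application Gateway can reach it.
$rgName = $resourcegroup.ResourceGroupName

# The v1 AG connects to App Service from its frontend public IP
$agIp = (Get-AzureRmPublicIpAddress -Name AppGatewayPublicIP01 -ResourceGroupName $rgName).IpAddress

# Read the site configuration resource (Microsoft.Web/sites/config, named "<app>/web")
$config = Get-AzureRmResource -ResourceGroupName $rgName `
    -ResourceType Microsoft.Web/sites/config `
    -ResourceName "$WebAppName/web" `
    -ApiVersion 2018-02-01

# One Allow entry for the gateway; every other source is then denied implicitly
$restrictions = @(
    @{ name = "AllowAppGateway"; ipAddress = "$agIp/32"; action = "Allow"; priority = 100 }
)
$props = $config.Properties
$props | Add-Member -NotePropertyName ipSecurityRestrictions -NotePropertyValue $restrictions -Force

Set-AzureRmResource -ResourceGroupName $rgName `
    -ResourceType Microsoft.Web/sites/config `
    -ResourceName "$WebAppName/web" `
    -ApiVersion 2018-02-01 `
    -PropertyObject $props -Force | Out-Null

# Check: direct access should now return 403, access through the AG should return 200
function Test-Url($url) {
    try { (Invoke-WebRequest -Uri $url -UseBasicParsing).StatusCode }
    catch { $_.Exception.Response.StatusCode.value__ }
}
"Direct to Web App : " + (Test-Url "http://$($WebApp.DefaultHostName)")
"Through the AG    : " + (Test-Url "http://$agIp")
```

If the gateway's public IP is later reassigned (Dynamic allocation), the restriction must be updated to the new address, which is one reason to prefer a static allocation for the AG's public IP in production.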


Conclusion

In this post, we've seen how to create and configure Application Gateways and how to place Web Apps behind AGs for more secure communication.

© 4sysops 2006 - 2021