On the public internet, it is critical to secure the web applications you manage. In Azure, you can easily protect publicly accessible web applications with Application Gateways (AGs) using their web application firewall (WAF) capabilities. The WAF features of AGs let us control the traffic coming from the internet by placing web applications behind an Application Gateway.
Creating a new Resource Group and an App Service plan
We are going to create a new Resource Group (RG) in which our web app and AG will reside. To create a new WebApp, we will need to create an App Service plan first. App Service plans have different pricing tiers based on the features they offer. We are going to use a free tier App Service plan for this scenario.
So let's create a new RG and an App Service plan using the commands below.
# Creating a new resource group
$resourcegroup = New-AzureRmResourceGroup -Name 4SYSOPSTEST -Location Eastus

# Creating a new App Service plan
$WebAppName = "4sysops-test$(Get-Random)"
New-AzureRmAppServicePlan -Name $WebAppName `
    -Location EastUs `
    -ResourceGroupName $resourcegroup.ResourceGroupName `
    -Tier Free
Creating a new Web App
Now we can create our Web Application using the following command:
$WebApp = New-AzureRmWebApp -ResourceGroupName $resourcegroup.ResourceGroupName `
    -Name $WebAppName `
    -Location EastUs `
    -AppServicePlan $WebAppName

# Display the properties of the new Web App
$WebApp
We can now navigate the URL of the Web App using the following command:
$browser = New-Object -ComObject "InternetExplorer.Application"
$browser.Visible = $true
$browser.Navigate2($WebApp.DefaultHostName)
Creating Application Gateway prerequisites
We've already confirmed the Web App is functioning properly. The next step is to spin up a new Application Gateway and place our Web App behind it. As the first step of creating a new Application Gateway, we will create a new virtual network (VNet) and a subnet so we can associate them with the AG at the time of creation.
Create a new VNet and subnet
To create a new VNet and a subnet, you can use the following commands:
$subnet = New-AzureRmVirtualNetworkSubnetConfig -Name Subnet01 `
    -AddressPrefix 192.168.10.0/24 `
    -WarningAction SilentlyContinue

$AppGatewayVNET = New-AzureRmVirtualNetwork -Name AppGatewayVNET `
    -ResourceGroupName $resourcegroup.ResourceGroupName `
    -Location EastUs `
    -AddressPrefix 192.168.0.0/16 `
    -Subnet $subnet `
    -WarningAction SilentlyContinue

# Re-read the subnet from the created VNet so it carries the resource ID the AG needs
$subnet = $AppGatewayVNET.Subnets
Create a new public IP address
We need to create a public IP address in advance and later assign it to the AG to make it reachable from the internet.
Use the command below to create a new public IP address:
$publicip = New-AzureRmPublicIpAddress -ResourceGroupName $resourcegroup.ResourceGroupName `
    -Name AppGatewayPublicIP01 `
    -Location EastUs `
    -AllocationMethod Dynamic
This creates the public IP resource. The IP information will be visible after assigning it to the AG.
Creating Application Gateway components
Now we can create other Application Gateway components using the following commands. These components must be ready before creating the AG.
# Creating a new IP configuration
$gipconfig = New-AzureRmApplicationGatewayIPConfiguration -Name gatewayIPconfig01 `
    -Subnet $subnet

# Creating a new backend pool pointing to the hostname of the web app that we created earlier
$pool = New-AzureRmApplicationGatewayBackendAddressPool -Name GatewayBackendPool01 `
    -BackendFqdns $WebApp.HostNames

# Creating a health probe
$probe = New-AzureRmApplicationGatewayProbeConfig -Name Gatewayappprobe01 `
    -Protocol Http `
    -Path / `
    -Interval 30 `
    -Timeout 120 `
    -UnhealthyThreshold 3 `
    -PickHostNameFromBackendHttpSettings

# Creating new backend HTTP settings
$httpSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name GatewayBackendHttpSettings01 `
    -Port 80 `
    -Protocol Http `
    -CookieBasedAffinity Disabled `
    -RequestTimeout 120 `
    -PickHostNameFromBackendAddress `
    -Probe $probe

# Creating a new front-end port
$fp = New-AzureRmApplicationGatewayFrontendPort -Name gatewayfrontendport01 `
    -Port 80

# Creating a new front-end IP configuration
$fipconfig = New-AzureRmApplicationGatewayFrontendIPConfig -Name gatewayfipconfig01 `
    -PublicIPAddress $publicip

# Creating a new listener using the front-end IP configuration and port that we created earlier
$listener = New-AzureRmApplicationGatewayHttpListener -Name listener01 `
    -Protocol Http `
    -FrontendIPConfiguration $fipconfig `
    -FrontendPort $fp

# Creating a new rule
$rule = New-AzureRmApplicationGatewayRequestRoutingRule -Name rule01 `
    -RuleType Basic `
    -BackendHttpSettings $httpSetting `
    -HttpListener $listener `
    -BackendAddressPool $pool

# Specifying the Application Gateway SKU
$sku = New-AzureRmApplicationGatewaySku -Name WAF_Medium `
    -Tier WAF `
    -Capacity 2
Creating an Application Gateway
Once all required components are ready, we can proceed to create the AG using the following command. This command references all the components we've just created above.
# Creating the Application Gateway resource
$appgw = New-AzureRmApplicationGateway -Name 4sysopsAppGateway01 `
    -ResourceGroupName $resourcegroup.ResourceGroupName `
    -Location EastUs `
    -BackendAddressPools $pool `
    -BackendHttpSettingsCollection $httpSetting `
    -Probes $probe `
    -FrontendIpConfigurations $fipconfig `
    -GatewayIpConfigurations $gipconfig `
    -FrontendPorts $fp `
    -HttpListeners $listener `
    -RequestRoutingRules $rule `
    -Sku $sku
Validating the communication
We have now created and configured our AG with WAF. The AG accepts requests from the internet and forwards them to the Web App transparently.
To check the communication, we need to get the public IP address or DNS name of the AG. Since we associated the AG with the public IP address, we should now be able to get this information using the following command:
Get-AzureRmPublicIpAddress -Name "AppGatewayPublicIP01" `
    -ResourceGroupName 4sysopstest
We can use either the fully qualified domain name (FQDN) or the IP address of the AG to reach the Web Application behind it. In my case, I've added an entry to the hosts file to be able to resolve a custom DNS name.
The result is as follows. The web application we've created is now reachable through the AG (WAF).
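Before pointing clients at the gateway, it is worth confirming from the Azure side that the probe actually sees the Web App as healthy, and then fetching the site through the gateway's public IP. The following check is an added example, not part of the original post; it assumes the $appgw, $resourcegroup and $publicip variables from the steps above and the AzureRm module used throughout the post.

```powershell
# Added example: verify backend health reported by the Application Gateway's probe,
# then make an HTTP request through the gateway's public IP.
# Assumes $appgw, $resourcegroup and $publicip from the earlier steps (AzureRm module).

# 1. Ask the gateway for the health of every backend server in every pool
$health = Get-AzureRmApplicationGatewayBackendHealth -Name $appgw.Name `
    -ResourceGroupName $resourcegroup.ResourceGroupName

$servers = $health.BackendAddressPools.BackendHttpSettingsCollection.Servers
$servers | Select-Object Address, Health

# Any server that is not "Healthy" will not receive traffic; a wrong host name in the
# backend pool or a probe path that does not return 200 are the usual causes.
$unhealthy = $servers | Where-Object { $_.Health -ne 'Healthy' }
if ($unhealthy) {
    Write-Warning ("Unhealthy backends: " + ($unhealthy.Address -join ', '))
}

# 2. Resolve the public IP the gateway was given (Dynamic allocation happens at creation time)
$agwIp = (Get-AzureRmPublicIpAddress -Name $publicip.Name `
    -ResourceGroupName $resourcegroup.ResourceGroupName).IpAddress

# 3. Request the site through the gateway; a 200 here means listener, rule, HTTP settings
#    and backend pool are all wired correctly.
$response = Invoke-WebRequest -Uri "http://$agwIp/" -UseBasicParsing
"Status: {0}, Server header: {1}" -f $response.StatusCode, $response.Headers['Server']
```

The WAF tier inspects each request before it reaches the backend, so a request the WAF blocks returns an error from the gateway rather than the Web App's own response.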
In a real-world scenario, you may want to create a canonical name (CNAME) record in your public DNS and point it to the DNS name of the Application Gateway's public IP address. That way, requests go directly to the AG, and the gateway takes care of forwarding them to the web apps in the background.
Additionally, to prevent direct internet access to the web apps, you may set up an IP restriction at the Web App level to accept requests only from the AG.
In this post, we've seen how to create and configure Application Gateways and how to place Web Apps behind AGs for more secure communication.
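Without that restriction, the WAF can be bypassed simply by requesting the azurewebsites.net host name directly. The snippet below is an added example, not part of the original post, of applying the restriction with the AzureRm module used here: it writes the Web App's ipSecurityRestrictions site setting so that only the gateway's public IP is allowed. It assumes the $WebApp, $resourcegroup and $publicip variables from the earlier steps.

```powershell
# Added example: allow only the Application Gateway's public IP to reach the Web App.
# Assumes $WebApp, $resourcegroup and $publicip from the earlier steps (AzureRm module).

# The gateway's IP is known only after the AG is created (Dynamic allocation)
$agwIp = (Get-AzureRmPublicIpAddress -Name $publicip.Name `
    -ResourceGroupName $resourcegroup.ResourceGroupName).IpAddress

# Read the Web App's site configuration resource (Microsoft.Web/sites/config, name "<site>/web")
$webConfig = Get-AzureRmResource -ResourceGroupName $resourcegroup.ResourceGroupName `
    -ResourceType Microsoft.Web/sites/config `
    -ResourceName "$($WebApp.Name)/web" `
    -ApiVersion 2018-02-01

# Lower priority number wins. Allow the gateway, deny everything else explicitly.
$webConfig.Properties.ipSecurityRestrictions = @(
    @{ name = 'AllowAppGateway'; ipAddress = "$agwIp/32"; action = 'Allow'; priority = 100 },
    @{ name = 'DenyAll';         ipAddress = 'Any';        action = 'Deny';  priority = 2147483647 }
)
$webConfig | Set-AzureRmResource -Force

# Verify: the restriction list now contains the gateway rule
(Get-AzureRmResource -ResourceGroupName $resourcegroup.ResourceGroupName `
    -ResourceType Microsoft.Web/sites/config `
    -ResourceName "$($WebApp.Name)/web" `
    -ApiVersion 2018-02-01).Properties.ipSecurityRestrictions |
    Select-Object name, ipAddress, action, priority
```

Because the public IP was created with Dynamic allocation, its address can change if the gateway is stopped and started; re-run the snippet after such a change, or use a Static allocation so the allow rule stays valid.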