| title | description | services | author | manager | tags | ms.service | ms.topic | ms.workload | ms.date | ms.author | ms.custom |
|---|---|---|---|---|---|---|---|---|---|---|---|
Restrict web traffic with a web application firewall - Azure PowerShell |
Learn how to restrict web traffic with a web application firewall on an application gateway using Azure PowerShell. |
application-gateway |
vhorne |
jpconnock |
azure-resource-manager |
application-gateway |
tutorial |
infrastructure-services |
7/13/2018 |
victorh |
mvc |
You can restrict traffic on an application gateway with a web application firewall (WAF). The WAF uses OWASP rules to protect your application. These rules include protection against attacks such as SQL injection, cross-site scripting attacks, and session hijacks.
In this tutorial, you learn how to:
[!div class="checklist"]
- Set up the network
- Create an application gateway with WAF enabled
- Create a virtual machine scale set
- Create a storage account and configure diagnostics
If you prefer, you can complete this tutorial using Azure CLI.
If you don't have an Azure subscription, create a free account before you begin.
[!INCLUDE cloud-shell-powershell.md]
If you choose to install and use the PowerShell locally, this tutorial requires the Azure PowerShell module version 3.6 or later. Run Get-Module -ListAvailable AzureRM to find the version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Login-AzureRmAccount to create a connection with Azure.
A resource group is a logical container into which Azure resources are deployed and managed. Create an Azure resource group using New-AzureRmResourceGroup.
New-AzureRmResourceGroup -Name myResourceGroupAG -Location eastus
Create the subnet configurations named myBackendSubnet and myAGSubnet using New-AzureRmVirtualNetworkSubnetConfig. Create the virtual network named myVNet using New-AzureRmVirtualNetwork with the subnet configurations. And finally, create the public IP address named myAGPublicIPAddress using New-AzureRmPublicIpAddress. These resources are used to provide network connectivity to the application gateway and its associated resources.
$backendSubnetConfig = New-AzureRmVirtualNetworkSubnetConfig `
-Name myBackendSubnet `
-AddressPrefix 10.0.1.0/24
$agSubnetConfig = New-AzureRmVirtualNetworkSubnetConfig `
-Name myAGSubnet `
-AddressPrefix 10.0.2.0/24
$vnet = New-AzureRmVirtualNetwork `
-ResourceGroupName myResourceGroupAG `
-Location eastus `
-Name myVNet `
-AddressPrefix 10.0.0.0/16 `
-Subnet $backendSubnetConfig, $agSubnetConfig
$pip = New-AzureRmPublicIpAddress `
-ResourceGroupName myResourceGroupAG `
-Location eastus `
-Name myAGPublicIPAddress `
-AllocationMethod Dynamic
In this section you create resources that support the application gateway, and then finally create it and a WAF. The resources that you create include:
- IP configurations and frontend port - Associates the subnet that you previously created to the application gateway and assigns a port to use to access it.
- Default pool - All application gateways must have at least one backend pool of servers.
- Default listener and rule - The default listener listens for traffic on the port that was assigned and the default rule sends traffic to the default pool.
Associate myAGSubnet that you previously created to the application gateway using New-AzureRmApplicationGatewayIPConfiguration. Assign myAGPublicIPAddress to the application gateway using New-AzureRmApplicationGatewayFrontendIPConfig.
$vnet = Get-AzureRmVirtualNetwork `
-ResourceGroupName myResourceGroupAG `
-Name myVNet
$subnet=$vnet.Subnets[0]
$gipconfig = New-AzureRmApplicationGatewayIPConfiguration `
-Name myAGIPConfig `
-Subnet $subnet
$fipconfig = New-AzureRmApplicationGatewayFrontendIPConfig `
-Name myAGFrontendIPConfig `
-PublicIPAddress $pip
$frontendport = New-AzureRmApplicationGatewayFrontendPort `
-Name myFrontendPort `
-Port 80
Create the backend pool named appGatewayBackendPool for the application gateway using New-AzureRmApplicationGatewayBackendAddressPool. Configure the settings for the backend address pools using New-AzureRmApplicationGatewayBackendHttpSettings.
$defaultPool = New-AzureRmApplicationGatewayBackendAddressPool `
-Name appGatewayBackendPool
$poolSettings = New-AzureRmApplicationGatewayBackendHttpSettings `
-Name myPoolSettings `
-Port 80 `
-Protocol Http `
-CookieBasedAffinity Enabled `
-RequestTimeout 120
A listener is required to enable the application gateway to route traffic appropriately to the backend address pools. In this example, you create a basic listener that listens for traffic at the root URL.
Create a listener named mydefaultListener using New-AzureRmApplicationGatewayHttpListener with the frontend configuration and frontend port that you previously created. A rule is required for the listener to know which backend pool to use for incoming traffic. Create a basic rule named rule1 using New-AzureRmApplicationGatewayRequestRoutingRule.
$defaultlistener = New-AzureRmApplicationGatewayHttpListener `
-Name mydefaultListener `
-Protocol Http `
-FrontendIPConfiguration $fipconfig `
-FrontendPort $frontendport
$frontendRule = New-AzureRmApplicationGatewayRequestRoutingRule `
-Name rule1 `
-RuleType Basic `
-HttpListener $defaultlistener `
-BackendAddressPool $defaultPool `
-BackendHttpSettings $poolSettings
Now that you created the necessary supporting resources, specify parameters for the application gateway using New-AzureRmApplicationGatewaySku. Specify the WAF configuration using New-AzureRmApplicationGatewayWebApplicationFirewallConfiguration. And then create the application gateway named myAppGateway using New-AzureRmApplicationGateway.
$sku = New-AzureRmApplicationGatewaySku `
-Name WAF_Medium `
-Tier WAF `
-Capacity 2
$wafConfig = New-AzureRmApplicationGatewayWebApplicationFirewallConfiguration `
-Enabled $true `
-FirewallMode "Detection"
$appgw = New-AzureRmApplicationGateway `
-Name myAppGateway `
-ResourceGroupName myResourceGroupAG `
-Location eastus `
-BackendAddressPools $defaultPool `
-BackendHttpSettingsCollection $poolSettings `
-FrontendIpConfigurations $fipconfig `
-GatewayIpConfigurations $gipconfig `
-FrontendPorts $frontendport `
-HttpListeners $defaultlistener `
-RequestRoutingRules $frontendRule `
-Sku $sku `
-WebApplicationFirewallConfig $wafConfig
In this example, you create a virtual machine scale set to provide servers for the backend pool in the application gateway. You assign the scale set to the backend pool when you configure the IP settings.
$vnet = Get-AzureRmVirtualNetwork `
-ResourceGroupName myResourceGroupAG `
-Name myVNet
$appgw = Get-AzureRmApplicationGateway `
-ResourceGroupName myResourceGroupAG `
-Name myAppGateway
$backendPool = Get-AzureRmApplicationGatewayBackendAddressPool `
-Name appGatewayBackendPool `
-ApplicationGateway $appgw
$ipConfig = New-AzureRmVmssIpConfig `
-Name myVmssIPConfig `
-SubnetId $vnet.Subnets[1].Id `
-ApplicationGatewayBackendAddressPoolsId $backendPool.Id
$vmssConfig = New-AzureRmVmssConfig `
-Location eastus `
-SkuCapacity 2 `
-SkuName Standard_DS2 `
-UpgradePolicyMode Automatic
Set-AzureRmVmssStorageProfile $vmssConfig `
-ImageReferencePublisher MicrosoftWindowsServer `
-ImageReferenceOffer WindowsServer `
-ImageReferenceSku 2016-Datacenter `
-ImageReferenceVersion latest
-OsDiskCreateOption FromImage
Set-AzureRmVmssOsProfile $vmssConfig `
-AdminUsername azureuser `
-AdminPassword "Azure123456!" `
-ComputerNamePrefix myvmss
Add-AzureRmVmssNetworkInterfaceConfiguration `
-VirtualMachineScaleSet $vmssConfig `
-Name myVmssNetConfig `
-Primary $true `
-IPConfiguration $ipConfig
New-AzureRmVmss `
-ResourceGroupName myResourceGroupAG `
-Name myvmss `
-VirtualMachineScaleSet $vmssConfig
$publicSettings = @{ "fileUris" = (,"https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/appgatewayurl.ps1");
"commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File appgatewayurl.ps1" }
$vmss = Get-AzureRmVmss -ResourceGroupName myResourceGroupAG -VMScaleSetName myvmss
Add-AzureRmVmssExtension -VirtualMachineScaleSet $vmss `
-Name "customScript" `
-Publisher "Microsoft.Compute" `
-Type "CustomScriptExtension" `
-TypeHandlerVersion 1.8 `
-Setting $publicSettings
Update-AzureRmVmss `
-ResourceGroupName myResourceGroupAG `
-Name myvmss `
-VirtualMachineScaleSet $vmss
In this tutorial, the application gateway uses a storage account to store data for detection and prevention purposes. You could also use Log Analytics or Event Hub to record data.
Create a storage account named myagstore1 using New-AzureRmStorageAccount.
$storageAccount = New-AzureRmStorageAccount `
-ResourceGroupName myResourceGroupAG `
-Name myagstore1 `
-Location eastus `
-SkuName "Standard_LRS"
Configure diagnostics to record data into the ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, and ApplicationGatewayFirewallLog logs using Set-AzureRmDiagnosticSetting.
$appgw = Get-AzureRmApplicationGateway `
-ResourceGroupName myResourceGroupAG `
-Name myAppGateway
$store = Get-AzureRmStorageAccount `
-ResourceGroupName myResourceGroupAG `
-Name myagstore1
Set-AzureRmDiagnosticSetting `
-ResourceId $appgw.Id `
-StorageAccountId $store.Id `
-Categories ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog `
-Enabled $true `
-RetentionEnabled $true `
-RetentionInDays 30
You can use Get-AzureRmPublicIPAddress to get the public IP address of the application gateway. Copy the public IP address, and then paste it into the address bar of your browser.
Get-AzureRmPublicIPAddress -ResourceGroupName myResourceGroupAG -Name myAGPublicIPAddress
When no longer needed, remove the resource group, application gateway, and all related resources using Remove-AzureRmResourceGroup.
Remove-AzureRmResourceGroup -Name myResourceGroupAG
In this tutorial, you learned how to:
[!div class="checklist"]
- Set up the network
- Create an application gateway with WAF enabled
- Create a virtual machine scale set
- Create a storage account and configure diagnostics
[!div class="nextstepaction"] Create an application gateway with SSL termination