Restrict web traffic using the Azure CLI
This script creates an application gateway with a web application firewall that uses a virtual machine scale set for backend servers. The web application firewall restricts web traffic based on OWASP rules. After running the script, you can test the application gateway using its public IP address.
To run this sample, install the latest version of the Azure CLI. To start, run az login
to create a connection with Azure.
Samples for the Azure CLI are written for the bash
shell. To run this sample in Windows PowerShell or Command Prompt, you may need to change
elements of the script.
If you don't have an Azure subscription, create an Azure free account before you begin.
Sample script
# Create a resource group
az group create --name myResourceGroupAG --location eastus
# Create network resources
az network vnet create \
--name myVNet \
--resource-group myResourceGroupAG \
--location eastus \
--address-prefix 10.0.0.0/16 \
--subnet-name myAGSubnet \
--subnet-prefix 10.0.1.0/24
az network vnet subnet create \
--name myBackendSubnet \
--resource-group myResourceGroupAG \
--vnet-name myVNet \
--address-prefix 10.0.2.0/24
az network public-ip create \
--resource-group myResourceGroupAG \
--name myAGPublicIPAddress
# Create the application gateway with WAF
az network application-gateway create \
--name myAppGateway \
--location eastus \
--resource-group myResourceGroupAG \
--vnet-name myVNet \
--subnet myAGSubnet \
--capacity 2 \
--sku WAF_Medium \
--http-settings-cookie-based-affinity Disabled \
--frontend-port 80 \
--http-settings-port 80 \
--http-settings-protocol Http \
--public-ip-address myAGPublicIPAddress
az network application-gateway waf-config set \
--enabled true \
--gateway-name myAppGateway \
--resource-group myResourceGroupAG \
--firewall-mode Detection \
--rule-set-version 3.0
# Create a virtual machine scale set
az vmss create \
--name myvmss \
--resource-group myResourceGroupAG \
--image Ubuntu2204 \
--admin-username azureuser \
--admin-password Azure123456! \
--instance-count 2 \
--vnet-name myVNet \
--subnet myBackendSubnet \
--vm-sku Standard_DS2 \
--upgrade-policy-mode Automatic \
--app-gateway myAppGateway \
--backend-pool-name appGatewayBackendPool
# Install NGINX
az vmss extension set \
--publisher Microsoft.Azure.Extensions \
--version 2.0 \
--name CustomScript \
--resource-group myResourceGroupAG \
--vmss-name myvmss \
--settings '{ "fileUris": ["https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/install_nginx.sh"], "commandToExecute": "./install_nginx.sh" }'
# Create a storage account
az storage account create \
--name myagstore1 \
--resource-group myResourceGroupAG \
--location eastus \
--sku Standard_LRS \
--encryption blob
# Configure diagnostics
appgwid=$(az network application-gateway show --name myAppGateway --resource-group myResourceGroupAG --query id -o tsv)
storeid=$(az storage account show --name myagstore1 --resource-group myResourceGroupAG --query id -o tsv)
az monitor diagnostic-settings create --name appgwdiag --resource $appgwid \
--logs '[ { "category": "ApplicationGatewayAccessLog", "enabled": true, "retentionPolicy": { "days": 30, "enabled": true } }, { "category": "ApplicationGatewayPerformanceLog", "enabled": true, "retentionPolicy": { "days": 30, "enabled": true } }, { "category": "ApplicationGatewayFirewallLog", "enabled": true, "retentionPolicy": { "days": 30, "enabled": true } } ]' \
--storage-account $storeid
# Get the IP address
az network public-ip show \
--resource-group myResourceGroupAG \
--name myAGPublicIPAddress \
--query [ipAddress] \
--output tsv
Clean up deployment
Run the following command to remove the resource group, application gateway, and all related resources.
az group delete --name myResourceGroupAG --yes
Script explanation
This script uses the following commands to create the deployment. Each item in the table links to command specific documentation.
Command | Notes |
---|---|
az group create | Creates a resource group in which all resources are stored. |
az network vnet create | Creates a virtual network. |
az network vnet subnet create | Creates a subnet in a virtual network. |
az network public-ip create | Creates the public IP address for the application gateway. |
az network application-gateway create | Create an application gateway. |
az vmss create | Creates a virtual machine scale set. |
az storage account create | Creates a storage account. |
az monitor diagnostic-settings create | Creates a storage account. |
az network public-ip show | Gets the public IP address of the application gateway. |
Next steps
For more information on the Azure CLI, see Azure CLI documentation.