

Create Web Application Firewall (WAF) custom rules with Azure PowerShell

This script creates an Application Gateway Web Application Firewall that uses a custom rule. The custom rule blocks a request if its User-Agent request header contains the string evilbot.

Prerequisites

Azure PowerShell module

If you choose to install and use Azure PowerShell locally, this script requires the Azure PowerShell module version 2.1.0 or later.

  1. To find the version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install Azure PowerShell module.
  2. To create a connection with Azure, run Connect-AzAccount.

If you don't have an Azure subscription, create an Azure free account before you begin.

Sample script

#Set up variables
$rgname = "CustomRulesTest"
$location = "East US"
$appgwName = "WAFCustomRules"

#Create a Resource Group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location

#Create a VNet
$sub1 = New-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "backendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -Name "Vnet1" -ResourceGroupName $rgname -Location $location `
  -AddressPrefix "10.0.0.0/16" -Subnet @($sub1, $sub2)

#Create a Static Public VIP
$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -Name "AppGwIP" `
  -Location $location -AllocationMethod Static -Sku Standard

#Create pool and frontend port
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -VirtualNetwork $vnet

$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIpConfig" -Subnet $gwSubnet
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "fipconfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "pool1" `
  -BackendIPAddresses testbackend1.westus.cloudapp.azure.com, testbackend2.westus.cloudapp.azure.com
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port1" -Port 80

#Create a listener, http setting, rule, and autoscale
$listener01 = New-AzApplicationGatewayHttpListener -Name "listener1" -Protocol Http `
  -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01
$poolSetting01 = New-AzApplicationGatewayBackendHttpSettings -Name "setting1" -Port 80 `
  -Protocol Http -CookieBasedAffinity Disabled
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType basic `
  -BackendHttpSettings $poolSetting01 -HttpListener $listener01 -BackendAddressPool $pool
$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 3
$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2

#Create the custom rule and apply it to WAF policy
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains `
  -MatchValue "evilbot" -Transform Lowercase -NegationCondition $false
$rule = New-AzApplicationGatewayFirewallCustomRule -Name blockEvilBot -Priority 2 -RuleType MatchRule `
  -MatchCondition $condition -Action Block
$policy = New-AzApplicationGatewayFirewallPolicySetting -Mode "Prevention"
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name wafPolicy -ResourceGroupName $rgname -Location $location `
  -CustomRule $rule -PolicySetting $policy

#Create the Application Gateway
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname -Location $location `
  -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting01 `
  -GatewayIpConfigurations $gipconfig -FrontendIpConfigurations $fipconfig01 -FrontendPorts $fp01 `
  -HttpListeners $listener01 -RequestRoutingRules $rule01 -Sku $sku `
  -AutoscaleConfiguration $autoscaleConfig -FirewallPolicy $wafPolicy
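The following block is an added example, not part of the original sample script. It builds the same User-Agent custom rule, but deploys the policy in Detection mode first so matches are only logged, reads the stored rule back to confirm what the WAF will actually evaluate, switches the policy to Prevention, and then checks the behaviour from the client side. It assumes the $rgname and $location variables and the AppGwIP public IP from the script above, a deployed gateway that references the policy, and the Az.Network module; the helper function names Show-WafCustomRules and Test-WafUserAgent are hypothetical.

```powershell
# Added example (not from the original page). Assumes $rgname, $location and the
# AppGwIP public IP from the sample script; Show-WafCustomRules and Test-WafUserAgent
# are hypothetical helper names.

# 1. Match condition: RequestHeaders/User-Agent contains "evilbot". The Lowercase
#    transform is applied before the comparison, so "EvilBot/1.0" matches as well.
$uaVariable  = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$uaCondition = New-AzApplicationGatewayFirewallCondition -MatchVariable $uaVariable `
    -Operator Contains -MatchValue "evilbot" -Transform Lowercase -NegationCondition $false

# 2. Custom rule: a lower Priority value is evaluated first; Action is Block on match.
$blockRule = New-AzApplicationGatewayFirewallCustomRule -Name blockEvilBot -Priority 2 `
    -RuleType MatchRule -MatchCondition $uaCondition -Action Block

# 3. Start in Detection mode: matching requests are logged to the firewall log but
#    still forwarded, which lets you look for false positives before enforcing.
$detectSetting = New-AzApplicationGatewayFirewallPolicySetting -Mode Detection -State Enabled
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name wafPolicy -ResourceGroupName $rgname `
    -Location $location -CustomRule $blockRule -PolicySetting $detectSetting

# 4. Read the policy back and print each custom rule as the service stored it.
function Show-WafCustomRules {
    param([string]$PolicyName, [string]$ResourceGroupName)
    $p = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
    foreach ($r in $p.CustomRules) {
        $cond = $r.MatchConditions[0]
        $mv   = $cond.MatchVariables[0]
        "{0,-14} prio={1} action={2} {3}[{4}] {5} '{6}' transform={7}" -f $r.Name, $r.Priority, $r.Action,
            $mv.VariableName, $mv.Selector, $cond.Operator,
            ($cond.MatchValues -join ','), ($cond.Transforms -join ',')
    }
}
Show-WafCustomRules -PolicyName wafPolicy -ResourceGroupName $rgname

# 5. Once the Detection-mode logs look right, switch the same policy to Prevention
#    in place instead of recreating it.
$wafPolicy = Get-AzApplicationGatewayFirewallPolicy -Name wafPolicy -ResourceGroupName $rgname
$wafPolicy.PolicySettings.Mode = "Prevention"
Set-AzApplicationGatewayFirewallPolicy -InputObject $wafPolicy

# 6. Client-side check: send the same request with two User-Agent values and compare
#    the HTTP status codes the gateway returns.
function Test-WafUserAgent {
    param([string]$Url, [string]$UserAgent)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UserAgent $UserAgent -UseBasicParsing
        return [int]$resp.StatusCode
    } catch {
        # A blocked request surfaces here as a web exception carrying the response
        return [int]$_.Exception.Response.StatusCode
    }
}
$gwIp = (Get-AzPublicIpAddress -Name AppGwIP -ResourceGroupName $rgname).IpAddress
$url  = "http://{0}/" -f $gwIp
Test-WafUserAgent -Url $url -UserAgent "Mozilla/5.0 (constructed benign client)"
Test-WafUserAgent -Url $url -UserAgent "EvilBot/1.0"
```

In Prevention mode the WAF answers a blocked request with HTTP 403, so the second call should return 403 while the first returns whatever the backend pool answers. The Detection-to-Prevention sequence matters because a custom rule with a broad Contains match applies to every request through the listener; reviewing the firewall log before enforcing is the cheapest way to catch a rule that also matches legitimate clients.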

Clean up deployment

Run the following command to remove the resource group, application gateway, and all related resources.

Remove-AzResourceGroup -Name CustomRulesTest

Script explanation

This script uses the following commands to create the deployment. Each item in the table links to command-specific documentation.

Command Notes
New-AzResourceGroup Creates a resource group in which all resources are stored.
New-AzVirtualNetworkSubnetConfig Creates the subnet configuration.
New-AzVirtualNetwork Creates the virtual network with the subnet configurations.
New-AzPublicIpAddress Creates the public IP address for the application gateway.
New-AzApplicationGatewayIPConfiguration Creates the configuration that associates a subnet with the application gateway.
New-AzApplicationGatewayFrontendIPConfig Creates the configuration that assigns a public IP address to the application gateway.
New-AzApplicationGatewayFrontendPort Assigns a port to be used to access the application gateway.
New-AzApplicationGatewayBackendAddressPool Creates a backend pool for an application gateway.
New-AzApplicationGatewayBackendHttpSettings Configures settings for a backend pool.
New-AzApplicationGatewayHttpListener Creates a listener.
New-AzApplicationGatewayRequestRoutingRule Creates a routing rule.
New-AzApplicationGatewaySku Specifies the tier and capacity for an application gateway.
New-AzApplicationGateway Creates an application gateway.
Remove-AzResourceGroup Removes a resource group and all resources contained within it.
New-AzApplicationGatewayAutoscaleConfiguration Creates an autoscale configuration for the application gateway.
New-AzApplicationGatewayFirewallMatchVariable Creates a match variable for a firewall condition.
New-AzApplicationGatewayFirewallCondition Creates a match condition for a custom rule.
New-AzApplicationGatewayFirewallCustomRule Creates a new custom rule for the application gateway firewall policy.
New-AzApplicationGatewayFirewallPolicy Creates an application gateway firewall policy.
New-AzApplicationGatewayWebApplicationFirewallConfiguration Creates a WAF configuration for an application gateway.

Next steps