title: Quickstart: Create an Azure WAF v2 on Application Gateway - Bicep
titleSuffix: Azure Application Gateway
description: Learn how to use Bicep to create a Web Application Firewall v2 on Azure Application Gateway.
services: web-application-firewall
author: vhorne
ms.service: azure-web-application-firewall
ms.topic: quickstart
ms.date: 10/16/2023
ms.author: victorh
ms.custom: subject-armqs, devx-track-azurepowershell, mode-arm, devx-track-bicep

Quickstart: Create an Azure WAF v2 on Application Gateway using Bicep

In this quickstart, you use Bicep to create an Azure Web Application Firewall v2 on Application Gateway.

[!INCLUDE About Bicep]

[!INCLUDE updated-for-az]

Prerequisites

Review the Bicep file

This Bicep file creates a simple Web Application Firewall v2 on Azure Application Gateway. This includes a frontend public IP address, HTTP settings, a rule with a basic listener on port 80, and a backend pool. The file also creates a WAF policy with a custom rule to block traffic to the backend pool based on an IP address match type.

The Bicep file used in this quickstart is from Azure Quickstart Templates.

:::code language="bicep" source="~/quickstart-templates/demos/ag-docs-wafv2/main.bicep":::

Multiple Azure resources are defined in the Bicep file:

Deploy the Bicep file

  1. Save the Bicep file as main.bicep to your local computer.

  2. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

    # Azure CLI
    az group create --name exampleRG --location eastus
    az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminUsername=<admin-user>

    # Azure PowerShell
    New-AzResourceGroup -Name exampleRG -Location eastus
    New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -adminUsername "<admin-user>"


Note

You'll be prompted to enter adminPassword, which is the password for the admin account on the backend servers. The password must be between 8 and 123 characters long and must contain at least three of the following: an uppercase character, a lowercase character, a numeric digit, or a special character.

When the deployment finishes, you should see a message indicating the deployment succeeded. The deployment can take 10 minutes or longer to complete.

Validate the deployment

Although IIS isn't required to create the application gateway, it's installed on the backend servers to verify if Azure successfully created a WAF v2 on the application gateway.

Use IIS to test the application gateway:

  1. Find the public IP address for the application gateway on its Overview page.

  2. Copy the public IP address, and then paste it into the address bar of your browser to browse that IP address.

  3. Check the response. A 403 Forbidden response verifies that the WAF was successfully created and is blocking connections to the backend pool.

  4. Change the custom rule to Allow traffic using Azure PowerShell.

    
    $rgName = "exampleRG"
    $appGWName = "myAppGateway"
    $fwPolicyName = "WafPol01"
    
    # Pull the existing Azure resources
    
    $appGW = Get-AzApplicationGateway -Name $appGWName -ResourceGroupName $rgName
    $pol = Get-AzApplicationGatewayFirewallPolicy -Name $fwPolicyName -ResourceGroupName $rgName
    
    # Update the resources
    
    $pol[0].CustomRules[0].Action = "allow"
    $appGW.FirewallPolicy = $pol
    
    # Push your changes to Azure
    
    Set-AzApplicationGatewayFirewallPolicy -Name $fwPolicyName -ResourceGroupName $rgName -CustomRule $pol.CustomRules
    Set-AzApplicationGateway -ApplicationGateway $appGW
    

    Refresh your browser multiple times and you should see connections to both myVM1 and myVM2.
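
The status checks from steps 3 and 4 can also be scripted instead of read from a browser. The following is an added example, not part of the original quickstart or the quickstart template: it prints the policy's state, mode, and custom rule actions, then compares the gateway's HTTP status with what the first custom rule's action implies. The `$GatewayIp` parameter and the `Get-HttpStatus` helper are names introduced here, and the script assumes the first custom rule is the IP-match rule that step 4 edits.

```powershell
# Added example: script the status checks from steps 3 and 4.
# Resource names match the quickstart; the gateway IP is supplied by you.
param(
    [Parameter(Mandatory)] [string] $GatewayIp,   # public IP recorded in step 1
    [string] $rgName       = "exampleRG",
    [string] $fwPolicyName = "WafPol01"
)

function Get-HttpStatus {
    param([string] $Uri)
    try {
        # 2xx/3xx responses return normally.
        return [int](Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15).StatusCode
    }
    catch {
        # 4xx/5xx raise an exception in Windows PowerShell and PowerShell 7;
        # the HTTP response, when there is one, carries the status code.
        $resp = $_.Exception.Response
        if ($null -ne $resp) { return [int]$resp.StatusCode }
        return 0   # no HTTP response at all (timeout, connection refused)
    }
}

$pol = Get-AzApplicationGatewayFirewallPolicy -Name $fwPolicyName -ResourceGroupName $rgName

# Show what the policy is configured to do before probing it.
"Policy state/mode: {0}/{1}" -f $pol.PolicySettings.State, $pol.PolicySettings.Mode
$pol.CustomRules | Select-Object Name, Priority, RuleType, Action | Format-Table

# The listener in this quickstart is HTTP on port 80.
$status   = Get-HttpStatus -Uri "http://$GatewayIp/"
$action   = $pol.CustomRules[0].Action
$expected = if ($action -eq "Block") { 403 } else { 200 }

if ($status -eq $expected) {
    "OK: custom rule action '$action', gateway returned HTTP $status"
} else {
    Write-Warning "Custom rule action '$action' but gateway returned HTTP $status (expected $expected)"
}
```

Run it once after deployment, when the rule blocks, and again after step 4 to confirm the change took effect. A policy in Detection mode logs matches without blocking them, which is why the script prints the mode before probing.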

Clean up resources

When you no longer need the resources that you created with the application gateway, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group. This removes the application gateway and all the related resources.

    # Azure CLI
    az group delete --name exampleRG

    # Azure PowerShell
    Remove-AzResourceGroup -Name exampleRG

Next steps

[!div class="nextstepaction"] Tutorial: Create an application gateway with a Web Application Firewall using the Azure portal