Deploy an Azure Application Gateway with Azure Web Application Firewall

The aim of this blog is to break down the deployment of your Application Gateway with a WAF policy into 9 easily repeatable steps using PowerShell.

Step 1 - Set the focus of your subscription

Connect-AzAccount -Identity
Set-AzContext -Subscription 'your subscription'

Step 2 - Create a Resource Group

Create your resource group container for your Application Gateway resources with tags

$ResourceGroupName = "allen-sandbox-ApplicationGateway"
$location = "southafricanorth"

New-AzResourceGroup `
    -Name $resourceGroupName `
    -Location $location `
    -Tag @{CustomerName="Customer01"; AutoShutdownSchedule="None"; Environment="sandbox";}

Step 3 - Create a public IP address with tagging

$publicIP = New-AzPublicIpAddress `
    -Name pip-apgw `
    -ResourceGroupName $resourceGroupName `
    -AllocationMethod static `
    -Location $location `
    -Sku Standard `
    -Tag @{CustomerName="Customer01"; AutoShutdownSchedule="None"; Environment="sandbox";}

$publicIP | Select-Object Name, IpAddress, ProvisioningState

Step 4 - Create a private IP and associate it to a destination subnet

Identify the target subnet of your private IP address:

$ResourceGroupNameVnet = "allen-home"
$vnetname = "vnet-south-africa"
$appgwsubnetname = "sub3"
$appgwsubnetcidr = "10.0.1.64/27"

$virtualnetworkvar = Get-AzVirtualNetwork `
    -Name $vnetname `
    -ResourceGroupName $ResourceGroupNameVnet

$appGwSubnet = Get-AzVirtualNetworkSubnetConfig `
    -Name $appgwsubnetname `
    -VirtualNetwork $virtualnetworkvar

$appGwIpConfig = New-AzApplicationGatewayIPConfiguration `
    -Name "appgwipconfig" `
    -Subnet $appGwSubnet

Step 5 - Create your backend group (without backend targets)

(Since your backend targets are bespoke, the pool is created empty)

$appGwBKPool = New-AzApplicationGatewayBackendAddressPool `
    -Name "AppGwBKpool"

$appGwBKPoolSettings = New-AzApplicationGatewayBackendHttpSetting `
    -Name "AppGwpoolSettings" `
    -Port 80 `
    -Protocol Http `
    -CookieBasedAffinity Disabled `
    -RequestTimeout 30

Step 6 - Create a Public IP and frontend port configuration

$appGwFESettings = New-AzApplicationGatewayFrontendPort `
    -Name "AppGwFeSettings" `
    -Port 80

$appGwFEIpConfig = New-AzApplicationGatewayFrontendIPConfig `
    -Name "AppGwFEPIP" `
    -PublicIPAddress $publicIP

Step 7 - Create the listener and add a routing rule to the backend targets

$appGwListener = New-AzApplicationGatewayHttpListener `
    -Name "AppGwListener" `
    -Protocol Http `
    -FrontendIPConfiguration $appGwFEIpConfig `
    -FrontendPort $appGwFESettings

$appGwRule = New-AzApplicationGatewayRequestRoutingRule `
    -Name "AppGwRule" `
    -RuleType Basic `
    -Priority 100 `
    -BackendHttpSettings $appGwBKPoolSettings `
    -HttpListener $appGwListener `
    -BackendAddressPool $appGwBKPool

Step 8 - Set the Application Gateway SKU

$sku = New-AzApplicationGatewaySku `
  -Name WAF_v2 `
  -Tier WAF_v2 `
  -Capacity 2

Step 9 - Configure the Firewall Policy

$policySetting = New-AzApplicationGatewayFirewallPolicySetting `
   -Mode Prevention -State Enabled `
   -MaxRequestBodySizeInKb 100 -MaxFileUploadInMb 256

$wafPolicy = New-AzApplicationGatewayFirewallPolicy `
   -Name wafpolicyNew -ResourceGroupName $resourceGroupName `
   -Location $location -PolicySetting $policySetting

Step 10 - Deploy the Application Gateway instance

$ResourceGroupName = "allen-sandbox-ApplicationGateway"
New-AzApplicationGateway `
    -Name "ALLEN-DEMO-NE" `
    -ResourceGroupName $ResourceGroupName `
    -Location $location `
    -BackendAddressPools $appGWBKPool `
    -BackendHttpSettingsCollection $appGwBKPoolSettings `
    -FrontendIPConfigurations $appGwFEIpConfig `
    -GatewayIPConfigurations $appGwIpConfig `
    -FrontendPorts $appGwFESettings `
    -HttpListeners $appGwListener `
    -RequestRoutingRules $appGwRule `
    -Sku $sku `
    -FirewallPolicy $wafPolicy `
    -Tag @{CustomerName="Customer01"; AutoShutdownSchedule="None"; Environment="sandbox";} 	
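
A check you can run after Step 10 to confirm that the gateway really ended up with the WAF policy from Step 9, enabled and in Prevention mode. This is an added example, not part of the original post; `Test-AppGwWafPosture` is a hypothetical helper name, and the resource names are the ones used in the steps above.

```powershell
# Added example: post-deployment check of the gateway and WAF policy from Steps 8-10.
# Test-AppGwWafPosture is a hypothetical helper; it returns one string per finding.
function Test-AppGwWafPosture {
    param(
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $PolicyName
    )

    $gw = Get-AzApplicationGateway -Name $GatewayName `
        -ResourceGroupName $ResourceGroupName -ErrorAction Stop
    $policy = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName `
        -ResourceGroupName $ResourceGroupName -ErrorAction Stop

    if ($gw.ProvisioningState -ne 'Succeeded') {
        "Gateway provisioning state is '$($gw.ProvisioningState)'"
    }
    # Only the WAF_v2 tier runs the firewall engine (Step 8).
    if ($gw.Sku.Tier -ne 'WAF_v2') {
        "SKU tier is '$($gw.Sku.Tier)', expected WAF_v2"
    }
    # The gateway must point at the policy created in Step 9, not at none or another one.
    if (-not $gw.FirewallPolicy -or $gw.FirewallPolicy.Id -ne $policy.Id) {
        "Gateway is not associated with policy '$PolicyName'"
    }
    if ($policy.PolicySettings.State -ne 'Enabled') {
        "WAF policy state is '$($policy.PolicySettings.State)'"
    }
    # Detection mode only logs rule matches; Prevention blocks the request.
    if ($policy.PolicySettings.Mode -ne 'Prevention') {
        "WAF policy mode is '$($policy.PolicySettings.Mode)', requests are not blocked"
    }
    if (-not $policy.ManagedRules.ManagedRuleSets) {
        "No managed rule set is attached to the policy"
    }
    # Listeners created with -Protocol Http (Step 7) carry traffic in cleartext.
    foreach ($listener in $gw.HttpListeners | Where-Object Protocol -eq 'Http') {
        "Listener '$($listener.Name)' accepts cleartext HTTP"
    }
}

$issues = Test-AppGwWafPosture -GatewayName 'ALLEN-DEMO-NE' `
    -ResourceGroupName 'allen-sandbox-ApplicationGateway' -PolicyName 'wafpolicyNew'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'WAF posture OK' }
```

Run against the deployment as written above, the only finding expected is the one for `AppGwListener`, since Step 7 creates it with `-Protocol Http`.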

--I hope my blog simplified the process of deploying your Application Gateway with a WAF_v2--

9 comments

  1. My brother recommended I might like this website. He was entirely right. This post truly made my day. You can’t imagine just how much time I had spent for this info! Thanks!

  2. You’re so cool! I don’t suppose I’ve learn something like this before. So nice to search out any individual with some original thoughts on this subject. Really thanks for beginning this up. This web site is something that is needed on the internet, somebody with a little originality. Useful job for bringing one thing new to the web!

  3. I found your blog web site on google and verify just a few of your early posts. Proceed to keep up the superb operate. I simply additional up your RSS feed to my MSN News Reader. Seeking ahead to studying more from you later on!?
