Create and deploy an Azure App Gateway with Web Application Firewall (WAF) using the Azure CLI (2024)

In this article, I will show you how to create and deploy an Azure Application Gateway with Web Application Firewall (WAF) using the Azure CLI.

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

This took a bit of poking at to get working with both the Portal and CLI, so if you have tried to deploy this and failed, I don't blame you... I have tried to boil this down to the minimum required steps for you.

Here are the steps to help you complete this task:

Step 1 - Create and deploy a web app service

Create the resource group:

az group create --name TestResourceGroup --location westus

Create the app service plan:

az appservice plan create -g TestResourceGroup -n TestAppServicePlan --sku B1

Create the web app:

az webapp create -g TestResourceGroup -p TestAppServicePlan -n AppGatewayWAFTestAppService

Step 2 - Create a public IP address and DNS A-Record for the app gateway to use

az network public-ip create --name MyAppGatewayPublicIp \
    --resource-group TestResourceGroup \
    --sku Standard --dns-name testappgatewaywafv2

Note: SKU WAF_v2 can only reference a public IP with the Standard SKU.

Step 3 - Create VNET with a designated app gateway subnet

az network vnet create --name TestVNET --resource-group TestResourceGroup \
    --address-prefix 10.204.0.0/16 \
    --subnet-name AppGatewaySubnet --subnet-prefix 10.204.250.0/24

Step 4 - Create an application gateway with sku WAF_v2

az network application-gateway create --name TestAppGateway \
    --resource-group TestResourceGroup \
    --vnet-name TestVNET --subnet AppGatewaySubnet \
    --min-capacity 0 --max-capacity 2 \
    --public-ip-address MyAppGatewayPublicIp \
    --private-ip-address 10.204.250.6 \
    --http-settings-protocol Http \
    --servers appgatewaywaftestappservice.azurewebsites.net \
    --sku WAF_v2

Note: Application Gateway with SKU tier WAF_v2 can only use PrivateIPAddress with IpAllocationMethod as Static.

Step 5 - Create a backend health probe

az network application-gateway probe create -g TestResourceGroup \
    --gateway-name TestAppGateway \
    --name MyProbe --protocol http \
    --host AppGatewayWAFTestAppService.azurewebsites.net --path /

Step 6 - Modify the app gateway's http-settings

Show the name of the http-settings:

az network application-gateway http-settings list --gateway-name TestAppGateway --resource-group TestResourceGroup | grep name

"name": "appGatewayBackendHttpSettings",

az network application-gateway http-settings update \
    --gateway-name TestAppGateway \
    --name appGatewayBackendHttpSettings \
    --port 80 --resource-group TestResourceGroup \
    --enable-probe true --probe MyProbe \
    --host-name-from-backend-pool true \
    --protocol Http

Step 7 - Enable the WAF and set to detection mode

Find the most recent rule type and version (as of this writing, it's OWASP 3.1):

az network application-gateway waf-config list-rule-sets

"ruleSetType": "OWASP",

"ruleSetVersion": "3.1",

Then enable the WAF and set it to use the rule set listed above:

az network application-gateway waf-config set --enabled true \
    --gateway-name TestAppGateway --resource-group TestResourceGroup \
    --firewall-mode Detection \
    --rule-set-type OWASP --rule-set-version 3.1

Step 8 - Using the portal, verify the resources

We can see that there are now 5 resources in our new RG:

Click on the Application Gateway and scroll down to "Backend health" on the left-hand Settings menu. We can see that the backend health pool is "Healthy".

Selecting the "Web application firewall" from the Settings menu, we can see that the WAF is enabled and in Detection mode.

Note: We did not enable detection logs in this blog post.

Using the DNS A-Record we created for our Application Gateway's public IP, we should be able to pull up the web page of our newly created web app.

Note: This post did not deal with HTTPS, because the complexity of adding certificates would distract from the overall purpose.
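
A command-line counterpart to the portal checks in step 8, added here as an example and not part of the original post: it reads the WAF settings and listener protocols back from the gateway and flags the two gaps noted above (Detection mode, HTTP-only listener). The function names check_posture and audit_gateway are hypothetical; the resource names are the ones used in the steps, and the sample values at the bottom are constructed.

```bash
#!/usr/bin/env bash
# Added example: CLI counterpart to the portal checks in step 8.

# check_posture ENABLED MODE RULE_TYPE RULE_VERSION [LISTENER_PROTOCOL...]
# Prints one finding per line. Takes plain values so it can run offline.
check_posture() {
  enabled=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # az -o tsv prints True/False
  mode=$2; rtype=$3; rver=$4; shift 4
  if [ "$enabled" != "true" ]; then
    echo "FAIL waf-disabled: requests are not inspected at all"
    return 0
  fi
  echo "OK waf-enabled: rule set $rtype $rver"
  case $mode in
    Prevention) echo "OK mode: Prevention, matching requests are blocked" ;;
    Detection)  echo "WARN mode: Detection evaluates rules but blocks nothing" ;;
    *)          echo "FAIL mode: unexpected value '$mode'" ;;
  esac
  for proto in "$@"; do
    [ "$proto" = "Https" ] || echo "WARN listener: $proto listener, traffic to the gateway is unencrypted"
  done
}

# audit_gateway RESOURCE_GROUP GATEWAY_NAME  (needs a logged-in az CLI)
audit_gateway() {
  waf=$(az network application-gateway waf-config show -g "$1" --gateway-name "$2" \
        --query '[enabled, firewallMode, ruleSetType, ruleSetVersion]' -o tsv) || return 1
  listeners=$(az network application-gateway http-listener list -g "$1" --gateway-name "$2" \
        --query '[].protocol' -o tsv) || return 1
  # No WAF configuration at all comes back empty: treat it as disabled.
  [ -n "$waf" ] || waf="false - - -"
  # Unquoted on purpose: word splitting copes with tab- or newline-separated tsv.
  check_posture $waf $listeners
}

if [ "${1:-}" = "--live" ]; then
  audit_gateway TestResourceGroup TestAppGateway
else
  # Constructed sample: the state this walkthrough leaves behind after step 7.
  check_posture True Detection OWASP 3.1 Http
fi
```

Run it with --live after `az login` to query the real gateway; without arguments it only evaluates the constructed sample.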

Article information

Author: Jonah Leffler
