forked from erjosito/azcli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathappgw.azcli
619 lines (545 loc) · 31.8 KB
/
appgw.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
# Variables
rg=appgw
location=eastus
appgw_pipname=appgwpip
dnsname=kuardgw
dnszone=cloudtrooper.net
dnsrg=dns
appgw_name=appgw
sku=Standard_v2
cookie=Disabled
backenddnsname=kuard
backendfqdn="$backenddnsname"."$dnszone"
vnet_name=appgw
vnet_prefix=10.0.0.0/16
appgw_subnet_name=AppGateway
appgw_subnet_prefix=10.0.0.0/24
aci_subnet_name=aci
aci_subnet_prefix=10.0.1.0/24
vm_subnet_name=vm
vm_subnet_prefix=10.0.2.0/24
vm_name=testvmlinux
vm_pip_name=testvmlinux-pip
vm_sku=Standard_B1s
vm_cloudinit_filename=/tmp/cloudinit-whoami.txt
vm_cloudinit_url=https://raw.githubusercontent.com/erjosito/azcli/master/cloudinit-whoami.txt
vm_rt_name=vm
vm_nsg_name=vm-nsg
appgw_nsg_name=appgw
appgw_use_nsg=no
log_storage_account=appgwlog$RANDOM
####################
# Helper functions #
####################
# Helper function to create A record in an existing zone
# Returns the FQDN
function create_dns(){
dns_name=$1
ip_address=$2
public_domain=cloudtrooper.net
public_dns_rg=$(az network dns zone list --query "[?name=='$public_domain'].resourceGroup" -o tsv)
if [[ -z "$public_dns_rg" ]]
then
echo "ERROR: I could not find the public DNS zone $public_domain in subscription $sub_name" 1>&2
else
# First, remove any existing A-record if already exists
a_record_set=$(az network dns record-set a show -n "$dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
if [[ -n "$a_record_set" ]]
then
echo "Deleting existing A record for ${dns_name}.${public_domain}..." 1>&2
az network dns record-set a delete -n "$dns_name" -z "$public_domain" -g "$public_dns_rg" -y -o none
else
# Delete any existing CNAME-record if already exists
cname_record_set=$(az network dns record-set cname show -n "$dns_name" -z "$public_domain" -g "$public_dns_rg" -o tsv --query id 2>/dev/null)
if [[ -n "$cname_record_set" ]]
then
echo "Deleting existing CNAME record for ${dns_name}.${public_domain}..." 1>&2
az network dns record-set cname delete -n "$dns_name" -z "$public_domain" -g "$public_dns_rg" -y -o none
else
echo "No conflicting A or CNAME records found in ${public_domain}" 1>&2
fi
fi
# Now create new A record
az network dns record-set a create -g $public_dns_rg -z cloudtrooper.net -n $dns_name -o none
az network dns record-set a add-record -g $public_dns_rg -z cloudtrooper.net -n $dns_name -a $ip_address -o none
fi
fqdn="${dns_name}.${public_domain}" && echo $fqdn
}
# Wait until a resource finishes creation
function wait_until_finished {
wait_interval=15
resource_id=$1
resource_name=$(echo $resource_id | cut -d/ -f 9)
echo "Waiting for resource $resource_name to finish provisioning..."
start_time=`date +%s`
state=$(az resource show --id $resource_id --query properties.provisioningState -o tsv)
until [[ "$state" == "Succeeded" ]] || [[ "$state" == "Failed" ]] || [[ -z "$state" ]]
do
sleep $wait_interval
state=$(az resource show --id $resource_id --query properties.provisioningState -o tsv)
done
if [[ -z "$state" ]]
then
echo "Something really bad happened..."
else
run_time=$(expr `date +%s` - $start_time)
((minutes=${run_time}/60))
((seconds=${run_time}%60))
echo "Resource $resource_name provisioning state is $state, wait time $minutes minutes and $seconds seconds"
fi
}
##########
# Main #
##########
# Create RG
az group create -n $rg -l $location
# Create vnet
az network vnet create -n $vnet_name -g $rg --address-prefix $vnet_prefix --subnet-name $appgw_subnet_name --subnet-prefix $appgw_subnet_prefix
# Create Log Analytics Workspace
logws_name=$(az monitor log-analytics workspace list -g $rg --query '[0].name' -o tsv)
if [[ -z "$logws_name" ]]
then
echo "Creating new Log Analytics workspace"
logws_name=log$RANDOM
az monitor log-analytics workspace create -n $logws_name -g $rg
else
echo "Log Analytics workspace $logws_name found"
fi
logws_id=$(az resource list -g $rg -n $logws_name --query '[].id' -o tsv)
logws_customerid=$(az monitor log-analytics workspace show -n $logws_name -g $rg --query customerId -o tsv)
# Optionally, create NSG and attach it to the subnet
if [[ "$appgw_use_nsg" == "yes" ]]
then
az network nsg create -n $appgw_nsg_name -g $rg
# Inbound
az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_GWM_In' -g $rg \
--description 'Required for Microsoft to manage the service' \
--priority 100 --access Allow --direction Inbound --protocol '*' \
--destination-port-ranges 65200-65535 --source-address-prefixes 'GatewayManager'
az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_ALB_In' -g $rg \
--description 'Required for ALB healthchecks to work' \
--priority 110 --access Allow --direction Inbound --protocol '*' \
--source-address-prefixes 'AzureLoadBalancer' --destination-port-ranges '*'
az network nsg rule create --nsg-name $appgw_nsg_name -n 'Deny_Internet_in' -g $rg \
--description 'Default deny' \
--priority 1000 --access Deny --direction Inbound --protocol '*' \
--source-address-prefixes 'Internet' --destination-port-ranges '*'
# Outbound
# az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_GWM_Out' -g $rg \
# --priority 100 --access Allow --direction Outbound --protocol '*' \
# --destination-address-prefixes 'GatewayManager' --destination-port-ranges '*'
# az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_AzMonitor_Out' -g $rg \
# --description 'Required for sending metrics/logs to AzMonitor' \
# --priority 110 --access Allow --direction Outbound --protocol '*' \
# --destination-address-prefixes 'AzureMonitor' --destination-port-ranges '*'
# az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_AKV_Out' -g $rg \
# --description 'Required for accessing AKV to get certificates' \
# --priority 120 --access Allow --direction Outbound --protocol '*' \
# --destination-address-prefixes 'AzureKeyVault' --destination-port-ranges '*'
# az network nsg rule create --nsg-name $appgw_nsg_name -n 'Allow_AAD_Out' -g $rg \
# --description 'Required for authenticating to AKV' \
# --priority 130 --access Allow --direction Outbound --protocol '*' \
# --destination-address-prefixes 'AzureActiveDirectory' --destination-port-ranges '*'
# az network nsg rule create --nsg-name $appgw_nsg_name -n 'Deny_Internet_Out' -g $rg \
# --description 'Default deny' \
# --priority 1000 --access Deny --direction Outbound --protocol '*' \
# --destination-address-prefixes 'Internet' --destination-port-ranges '*'
# Configure NSG flow logging
az storage account create -n $log_storage_account -g $rg --sku Standard_LRS --kind StorageV2
az network watcher flow-log create -l $location -n flowlog-$location -g $rg \
--nsg $appgw_nsg_name --storage-account $log_storage_account --log-version 2 --retention 7 \
--workspace $logws_id --interval 10 --traffic-analytics true
flowlog_id=$(az network nsg show -n $appgw_nsg_name -g $rg --query 'flowLogs[0].id' -o tsv)
az resource show --id $flowlog_id --query properties
# Attach NSG to subnet
az network vnet subnet update --vnet-name $vnet_name --name $appgw_subnet_name -g $rg --nsg $appgw_nsg_name
fi
##############
# Create ACI #
##############
# Create ACI instance in the vnet
echo "Creating ACI..."
az network vnet subnet create -g $rg --vnet-name $vnet_name -n $aci_subnet_name --address-prefix $aci_subnet_prefix
vnet_id=$(az network vnet show -n $vnet_name -g $rg --query id -o tsv)
aci_subnet_id=$(az network vnet subnet show -n $aci_subnet_name --vnet-name $vnet_name -g $rg --query id -o tsv)
az container create -n kuard -g $rg --image gcr.io/kuar-demo/kuard-amd64:1 --ip-address private --ports 8080 --vnet $vnet_id --subnet $aci_subnet_id
aci_ip=$(az container show -n kuard -g $rg --query 'ipAddress.ip' -o tsv)
echo "ACI created with IP $aci_ip"
###############
# Create VM #
###############
# Deploy a Linux VM with a troubleshooting web page
az network public-ip create -g $rg -n $vm_pip_name --sku standard --allocation-method static -l $location
az network nsg create -n $vm_nsg_name -g $rg
az network nsg rule create -n ssh --nsg-name $vm_nsg_name -g $rg --priority 500 --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -n web --nsg-name $vm_nsg_name -g $rg --priority 510 --destination-port-ranges 8080 --access Allow --protocol Tcp
az network nsg rule create -n web80 --nsg-name $vm_nsg_name -g $rg --priority 515 --destination-port-ranges 80 --access Allow --protocol Tcp
az network nsg rule create -n https --nsg-name $vm_nsg_name -g $rg --priority 520 --destination-port-ranges 443 --access Allow --protocol Tcp
#wget $vm_cloudinit_url -O $vm_cloudinit_filename
cat <<EOF > $vm_cloudinit_filename
#cloud-config
runcmd:
- apt update && apt install -y python3-pip
- pip3 install flask
- wget https://raw.githubusercontent.com/erjosito/azcli/master/myip.py -O /root/myip.py
- python3 /root/myip.py &
EOF
az vm create -n $vm_name -g $rg --image UbuntuLTS --generate-ssh-keys --size $vm_sku \
--vnet-name $vnet_name --subnet $vm_subnet_name --subnet-address-prefix $vm_subnet_prefix \
--nsg $vm_nsg_name --public-ip-address $vm_pip_name \
--custom-data $vm_cloudinit_filename
vm_private_ip=$(az vm show -g $rg -n $vm_name -d --query privateIps -o tsv) && echo $vm_private_ip
# Verify Linux VM deployed correctly and SSH is working fine
vm_pip_address=$(az network public-ip show -n $vm_pip_name -g $rg --query ipAddress -o tsv) && echo $vm_pip_address
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "ip a"
curl ${vm_pip_address}:8080/api/healthcheck
curl ${vm_pip_address}:8080/api/ip
# If required (for example because you restarted the VM), restart the python app
# ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo python3 /root/myip.py &"
# Create DNS record
vm_fqdn=$(create_dns "vm" "$vm_pip_address") && echo $vm_fqdn
curl "http://${vm_fqdn}:8080/api/healthcheck"
# Install nginx for SSL termination
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo apt install -y nginx"
nginx_config_file=/tmp/nginx.conf
cat <<EOF > $nginx_config_file
worker_processes auto;
events {
worker_connections 1024;
}
#pid /var/run/nginx.pid;
http {
server {
listen [::]:443 ssl;
listen 443 ssl;
listen 80;
server_name localhost;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
ssl_session_timeout 24h;
keepalive_timeout 75; # up from 75 secs default
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
ssl_certificate /etc/nginx/ssl.crt;
ssl_certificate_key /etc/nginx/ssl.key;
location /api/ {
proxy_pass http://127.0.0.1:8080 ;
proxy_set_header Connection "";
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-For \$remote_addr;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
location / {
rewrite ^/(.*)\$ https://$vm_fqdn/api/\$1 redirect;
}
}
}
EOF
scp "$nginx_config_file" "${vm_pip_address}:~/"
# Put public certs in NGINX. Note: you need to have some public certs in advance
cert_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2021/cloudtrooper_chain.pem"
key_file="${HOME}/onedrive/Admin/Certs/cloudtrooper.net/2021/cloudtrooper.key"
scp "$cert_file" "${vm_pip_address}:~/ssl.crt"
scp "$key_file" "${vm_pip_address}:~/ssl.key"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo mv ./* /etc/nginx/"
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "sudo systemctl restart nginx"
# Verify nginx is working fine
ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no $vm_pip_address "systemctl status nginx"
curl "https://${vm_fqdn}/api/healthcheck"
curl "http://${vm_fqdn}/api/healthcheck"
#################
# Create App GW #
#################
# Create PIP
allocation_method=Static
az network public-ip create -g $rg -n $appgw_pipname --sku Standard --allocation-method $allocation_method
#fqdn=$(az network public-ip show -g $rg -n $appgw_pipname --query dnsSettings.fqdn -o tsv)
# Create GW with sample config for port 80
az network application-gateway create -g $rg -n $appgw_name --sku $sku \
--min-capacity 1 --max-capacity 2 \
--frontend-port 80 --routing-rule-type basic \
--http-settings-port 8080 --http-settings-protocol Http \
--public-ip-address $appgw_pipname --vnet-name $vnet_name --subnet $appgw_subnet_name \
--servers "$vm_private_ip" \
--no-wait
# If using a DNS entry, create A record pointing to the PIP
appgw_pip=$(az network public-ip show -g $rg -n $appgw_pipname --query ipAddress -o tsv) && echo $appgw_pip
appgw_fqdn=$(create_dns "appgw" "$appgw_pip") && echo $appgw_fqdn
# Wait for GW to be created
appgw_id=$(az network application-gateway show -n $appgw_name -g $rg --query id -o tsv)
wait_until_finished $appgw_id
# Add diagnostic setting
appgw_id=$(az network application-gateway show -n $appgw_name -g $rg --query id -o tsv)
az monitor diagnostic-settings create -n mydiag --resource $appgw_id --workspace $logws_id \
--metrics '[{"category": "AllMetrics", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false }, "timeGrain": null}]' \
--logs '[{"category": "ApplicationGatewayAccessLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}},
{"category": "ApplicationGatewayPerformanceLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}},
{"category": "ApplicationGatewayFirewallLog", "enabled": true, "retentionPolicy": {"days": 0, "enabled": false}}]'
# Add healthcheck probe with custom path to existing settings
az network application-gateway probe create -g "$rg" --gateway-name "$appgw_name" \
--name testvmprobe8080 --protocol Http --host-name-from-http-settings --match-status-codes 200-399 --port 8080 --path /api/healthcheck
default_settings_name=$(az network application-gateway http-settings list -g "$rg" --gateway-name "$appgw_name" --query '[0].name' -o tsv) && echo $default_settings_name
az network application-gateway http-settings update -g "$rg" --gateway-name "$appgw_name" -n $default_settings_name \
--host-name ${vm_fqdn} --probe testvmprobe8080
# Test app
curl "http://${appgw_fqdn}/api/healthcheck"
###########
# ACI app #
###########
# Create backend
az network application-gateway address-pool create -n kuardpool -g $rg --gateway-name $appgw_name --servers $aci_ip
# Create probe and HTTP settings
az network application-gateway probe create -g $rg --gateway-name $appgw_name \
--name kuardprobe --protocol Http --host-name-from-http-settings \
--match-status-codes 200-399 --port 8080
az network application-gateway http-settings create -g $rg --gateway-name $appgw_name \
--name kuardsettings --protocol http --port 8080 --host-name-from-backend-pool \
--probe kuardprobe
# Create HTTP listener
frontend_name=$(az network application-gateway frontend-ip list -g $rg --gateway-name $appgw_name --query '[0].name' -o tsv)
az network application-gateway http-listener create -n kuardlistener -g $rg --gateway-name $appgw_name \
--frontend-port 80 --frontend-ip $frontend_name --host-name $dnsname.$dnszone
# Create rule
az network application-gateway rule create -g $rg --gateway-name $appgw_name \
-n kuardrule --http-listener kuardlistener --rule-type Basic \
--address-pool kuardpool --http-settings kuardsettings
#######
# SSL #
#######
# Keyvault
# keyvault_name=joseakv-airs
keyvault_name=erjositoKeyvault
# Option 1: cert already uploaded to AKV
cert_name=cloudtroopernet
# Option 2: upload a cert to AKV
cert_name=selfsigned01
az keyvault certificate create --vault-name $keyvault_name -n $cert_name -p "$(az keyvault certificate get-default-policy)"
# Create Identity to access the AKV
id_name=appgwid
az identity create -n $id_name -g $rg
id_principal_id=$(az identity show -n $id_name -g $rg --query principalId -o tsv)
# Grant permissions, depending on whether Azure RBAC is enabled or not
akv_azure_rbac=$(az keyvault show -n $keyvault_name --query properties.enableRbacAuthorization -o tsv)
if [[ "$akv_azure_rbac" == "true" ]]
then
keyvault_id=$(az keyvault show -n $keyvault_name --query id -o tsv)
az role assignment create --scope $keyvault_id --role "Key Vault Secrets User" --assignee $id_principal_id
else
az keyvault set-policy -n "$keyvault_name" --object-id "$id_principal_id" \
--secret-permissions get list \
--certificate-permissions get list
fi
id_id=$(az identity show -n $id_name -g $rg --query id -o tsv)
az network application-gateway identity assign --gateway-name $appgw_name -g $rg --identity $id_id
# Import cert from AKV
cert_sid=$(az keyvault certificate show --vault-name $keyvault_name -n $cert_name --query sid -o tsv) && echo $cert_sid
# az network application-gateway ssl-cert delete -n $cert_name -g $rg --gateway-name $appgw_name # In case the certificate already existed
az network application-gateway ssl-cert create -n $cert_name -g $rg --gateway-name $appgw_name --key-vault-secret-id $cert_sid
# Check certs in appgw
az network application-gateway ssl-cert list -g $rg --gateway-name $appgw_name -o table
# Create from file
# az network application-gateway ssl-cert create -g $rg --gateway-name $appgw_name -n starcloudtrooper \
# --cert-file ~/certs/cloudtrooper.net/star_cloudtrooper_net.p7b --cert-password Microsoft123!
# Configure AppGw for end-to-end SSL
# HTTP Settings and probe
echo "Creating probe and HTTP settings..."
az network application-gateway probe create -g "$rg" --gateway-name "$appgw_name" \
--name sslprobe --protocol Https --host-name-from-http-settings --match-status-codes 200-399 --port 443 --path /api/healthcheck
az network application-gateway http-settings create -g "$rg" --gateway-name "$appgw_name" --port 443 \
--name sslsettings --protocol https --host-name ${vm_fqdn} --probe sslprobe
# Create rule (using url-path-maps to make it more exciting)
default_address_pool_name=$(az network application-gateway address-pool list -g $rg --gateway-name $appgw_name -o tsv --query '[0].name') && echo $default_address_pool_name
default_frontend_name=$(az network application-gateway frontend-ip list -g "$rg" --gateway-name "$appgw_name" --query '[0].name' -o tsv) && echo $default_frontend_name
az network application-gateway frontend-port create -n sslport -g "$rg" --gateway-name "$appgw_name" --port 443
az network application-gateway http-listener create -n ssllistener -g "$rg" --gateway-name "$appgw_name" \
--frontend-port sslport --frontend-ip "$default_frontend_name" --ssl-cert "$cert_name"
az network application-gateway url-path-map create --gateway-name $appgw_name -g $rg -n sslpathmap \
--rule-name rule01 --paths '/api/*' --address-pool $default_address_pool_name --http-settings sslsettings \
--default-address-pool $default_address_pool_name --default-http-settings sslsettings
az network application-gateway rule create -g "$rg" --gateway-name "$appgw_name" -n sslrule \
--url-path-map sslpathmap --rule-type PathBasedRouting \
--http-listener ssllistener --address-pool $default_address_pool_name --http-settings sslsettings
# Verify
curl -vvl "https://${appgw_fqdn}/api/healthcheck"
##################
# Header rewrite #
##################
ruleset_name=ruleset01
rule_name=locationrewrite
az network application-gateway rewrite-rule set create --gateway-name $appgw_name -g $rg -n $ruleset_name
az network application-gateway rewrite-rule create --gateway-name $appgw_name -g $rg -n $rule_name --rule-set-name $ruleset_name \
--response-headers 'Location=/api/{http_resp_Location_2}'
az network application-gateway rewrite-rule condition create --gateway-name $appgw_name -g $rg --rule-name $rule_name --rule-set-name $ruleset_name \
--ignore-case true --negate false --pattern '(https?):\/\/vm\.cloudtrooper\.net\/api\/(.*)$' --variable "http_resp_Location"
# Update HTTP LB rule
default_rule_name=$(az network application-gateway rule list -g $rg --gateway-name $appgw_name --query '[0].name' -o tsv) && echo $default_rule_name # should be something like "rule1"
az network application-gateway rule update -g "$rg" --gateway-name "$appgw_name" -n $default_rule_name --rewrite-rule-set $ruleset_name
# Update SSL LB rule - This only works for non-path-based rules!!!
# az network application-gateway rule update -g "$rg" --gateway-name "$appgw_name" -n sslrule --rewrite-rule-set $ruleset_name
# If using PathBased rules, the urlPathMap needs to be updated too
# Either the default one for the whole path map:
az network application-gateway url-path-map update --gateway-name $appgw_name -g $rg -n sslpathmap --default-rewrite-rule-set $ruleset_name
# Or the individual rule:
az network application-gateway url-path-map rule create --gateway-name $appgw_name -g $rg --path-map-name sslpathmap \
--name rule01 --paths '/api/*' --address-pool $default_address_pool_name --http-settings sslsettings --rewrite-rule-set $ruleset_name
# Test
curl -i "https://${appgw_fqdn}/healthcheck"
##############
# WAF #
##############
# Arguments
# --match-variables [Required] : Space-separated list of variables to use when matching. Variable
# values: RemoteAddr, RequestMethod, QueryString, PostArgs,
# RequestUri, RequestHeaders, RequestBody, RequestCookies.
# --operator [Required] : Operator for matching. Allowed values: BeginsWith, Contains,
# EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual,
# IPMatch, LessThan, LessThanOrEqual, Regex.
# --values [Required] : Space-separated list of values to match.
# --negate : Match the negative of the condition. Allowed values: false,
# true.
# --transforms : Space-separated list of transforms to apply when matching.
# Allowed values: HtmlEntityDecode, Lowercase, RemoveNulls, Trim,
# UrlDecode, UrlEncode.
# Create policy
waf_policy_name=wafpolicy
az network application-gateway waf-policy create -n $waf_policy_name -g $rg
# Blocking an IP
waf_rule_name=blockip
myip=$(curl -s4 ifconfig.co)
az network application-gateway waf-policy custom-rule create -n $waf_rule_name -g $rg --policy-name $waf_policy_name \
--action Block --priority 10 --rule-type MatchRule
az network application-gateway waf-policy custom-rule match-condition add -n $waf_rule_name --policy-name $waf_policy_name -g $rg \
--negate false --match-variables RemoteAddr --values $myip --operator IPMatch
# az network application-gateway waf-policy custom-rule delete -n $waf_rule_name -g $rg --policy-name $waf_policy_name
# Blocking a certain UserAgent (Header)
# No support for "selector" (to specify which header) in CLI!!!!!
waf_rule_name=blockuseragent
az network application-gateway waf-policy custom-rule create -n $waf_rule_name -g $rg --policy-name $waf_policy_name \
--action Block --priority 20 --rule-type MatchRule
az network application-gateway waf-policy custom-rule match-condition add -n $waf_rule_name --policy-name $waf_policy_name -g $rg \
--negate false --match-variables RequestHeaders --values "evil" --operator Equal --transforms Lowercase
# az network application-gateway waf-policy custom-rule delete -n $waf_rule_name -g $rg --policy-name $waf_policy_name
# Allowing certain countries (using negate true!)
waf_rule_name=allowcountry
az network application-gateway waf-policy custom-rule create -n $waf_rule_name -g $rg --policy-name $waf_policy_name \
--action Block --priority 30 --rule-type MatchRule
az network application-gateway waf-policy custom-rule match-condition add -n $waf_rule_name --policy-name $waf_policy_name -g $rg \
--negate true --match-variables RemoteAddr --values "de" --operator GeoMatch --transforms Lowercase
# Apply policy to url path map
waf_policy_id=$(az network application-gateway waf-policy show -n $waf_policy_name -g $rg --query id -o tsv) && echo $waf_policy_id
az network application-gateway url-path-map rule create --gateway-name $appgw_name -g $rg --path-map-name sslpathmap \
--name rule01 --paths '/api/*' --address-pool $default_address_pool_name --http-settings sslsettings --rewrite-rule-set $ruleset_name --waf-policy $waf_policy_id
# Apply policy to the listener
az network application-gateway http-listener update -n ssllistener -g $rg --gateway-name $appgw_name --waf-policy $waf_policy_id
# Apply policy to full AppGW (NOT WORKING!)
az network application-gateway waf-policy update -n $waf_policy_name -g $rg --add applicationGateways id=$appgw_id
# Test
curl -A "evil" "https://appgw.cloudtrooper.net/api/healthcheck"
###############
# Redirection #
###############
# Configure redirection from HTTP:8080 to HTTPS:443
az network application-gateway frontend-port create -n port8080 -g "$rg" --gateway-name "$appgw_name" --port 8080
az network application-gateway http-listener create -n listener8080 -g $rg --gateway-name $appgw_name \
--frontend-port port8080 --frontend-ip $default_frontend_name --host-name "$appgw_fqdn"
az network application-gateway redirect-config create --gateway-name $appgw_name -g $rg -n 8080to443 --type Permanent \
--include-path true --include-query-string true --target-listener ssllistener
az network application-gateway rule create --gateway-name $appgw_name -g $rg -n redirect8080 \
--http-listener listener8080 --rule-type Basic --redirect-config 8080to443
# Test
curl -vvl "http://${appgw_fqdn}:8080/api/healthcheck"
####################
# Update AppGW SKU #
####################
# Upgrade / Downgrade
az network application-gateway update -g $rg -n $appgw_name --sku WAF_v2
az network application-gateway update -g $rg -n $appgw_name --sku Standard_v2 # Downgrade not supported??
ruleset_version=$(az network application-gateway waf-config list-rule-sets --query '[0].ruleSetVersion' -o tsv) && echo $ruleset_version
az network application-gateway waf-config set -g $rg --gateway-name $appgw_name --enabled true --firewall-mode Prevention --rule-set-version $ruleset_version
########################
# Query AzMonitor logs #
########################
# AppGW Log Categories
query='AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| distinct Category '
az monitor log-analytics query -w $logws_customerid --analytics-query $query -o tsv
# AppGW Access Logs
myip=$(curl -s4 ifconfig.co)
query_acc='AzureDiagnostics
| where TimeGenerated >= ago(5m)
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayAccessLog"
| project timeStamp_t, clientIP_s, clientPort_d, host_s, originalHost_s, originalRequestUriWithArgs_s, serverRouted_s, httpMethod_s, httpStatus_d, ruleName_s, transactionId_g
| where clientIP_s == "'$myip'"
| take 20'
az monitor log-analytics query -w $logws_customerid --analytics-query $query_acc -o tsv
# AppGW WAF Logs
query_waf='AzureDiagnostics
| where TimeGenerated >= ago(5m)
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayFirewallLog"
| project timeStamp_t, ruleId_s, ruleSetType_s, clientIp_s, hostname_s, transactionId_g, Message
| take 20'
az monitor log-analytics query -w $logws_customerid --analytics-query $query_waf -o tsv
###############
# Diagnostics #
###############
# Troubleshoot
az network application-gateway list -g $rg -o table
az network application-gateway http-listener list -g $rg --gateway-name $appgw_name -o table
az network application-gateway frontend-ip list -g $rg --gateway-name $appgw_name -o table
az network application-gateway probe list -g $rg --gateway-name $appgw_name -o table
az network application-gateway address-pool list -g $rg --gateway-name $appgw_name -o table
az network application-gateway rule list -g $rg --gateway-name $appgw_name -o table
az network application-gateway rule show -g $rg --gateway-name $appgw_name -n rule1
az network application-gateway rule list -g $rg --gateway-name $appgw_name -o table
default_rule_name=$(az network application-gateway rule list -g $rg --gateway-name $appgw_name --query '[0].name' -o tsv) && echo $default_rule_name
az network application-gateway rule show -g $rg --gateway-name $appgw_name -n $default_rule_name
az network application-gateway rule show -g $rg --gateway-name $appgw_name -n sslrule
az network application-gateway url-path-map list -g $rg --gateway-name $appgw_name -o table
az network application-gateway http-settings list -g $rg --gateway-name $appgw_name -o table
az network application-gateway show-backend-health -g $rg --gateway-name $appgw_name -o table
# Rewrite
az network application-gateway rewrite-rule list-request-headers -o table
az network application-gateway rewrite-rule list-response-headers -o table
az network application-gateway rewrite-rule set list -g $rg --gateway-name $appgw_name -o table
az network application-gateway rewrite-rule list -g $rg --gateway-name $appgw_name --rule-set-name $ruleset_name -o table
az network application-gateway rewrite-rule condition list -g $rg --gateway-name $appgw_name --rule-set-name $ruleset_name --rule-name $rule_name -o table
# WAF
az network application-gateway waf-config list-rule-sets -o table
az network application-gateway waf-config show --gateway-name $appgw_name -g $rg
az network application-gateway waf-policy policy-setting list --policy-name $waf_policy_name -g $rg
az network application-gateway waf-policy custom-rule list --policy-name $waf_policy_name -g $rg -o table
az network application-gateway waf-policy custom-rule match-condition list --policy-name $waf_policy_name -g $rg -n blockip
az network application-gateway waf-policy custom-rule match-condition list --policy-name $waf_policy_name -g $rg -n blockuseragent
az network application-gateway waf-policy custom-rule match-condition list --policy-name $waf_policy_name -g $rg -n allowcountry
################
# Stop/Start #
################
# Stop
az network application-gateway stop -g $rg -n $appgw_name
az vm deallocate -g $rg -n $vm_name
# Start
az network application-gateway start -g $rg -n $appgw_name
az vm start -g $rg -n $vm_name
# Update DNS?
vm_pip_address=$(az network public-ip show -n $vm_pip_name -g $rg --query ipAddress -o tsv) && echo $vm_pip_address
vm_fqdn=$(create_dns "vm" "$vm_pip_address") && echo $vm_fqdn
appgw_pip=$(az network public-ip show -g $rg -n $appgw_pipname --query ipAddress -o tsv) && echo $appgw_pip
appgw_fqdn=$(create_dns "appgw" "$appgw_pip") && echo $appgw_fqdn
# curl cheatsheet
# url="https://${appgw_fqdn}/api/healthcheck"
# curl -i $url # Show response headers
# curl -vvl $url # Show certificate data
# curl -L $url # Follow redirections
# curl --resolve appgw.cloudtrooper.net:443:1.2.3.4 # Follow redirections
#############
# Cleanup #
#############
# az group delete -n $rg -y --no-wait