教程:使用 Azure 门户创建具有 Web 应用程序防火墙的应用程序网关Tutorial: Create an application gateway with a web application firewall using the Azure portal

本教程演示如何使用 Azure 门户创建具有 Web 应用程序防火墙 (WAF) 的应用程序网关This tutorial shows you how to use the Azure portal to create an application gateway with a web application firewall (WAF). WAF 使用 OWASP 规则保护应用程序。The WAF uses OWASP rules to protect your application. 这些规则包括针对各种攻击(例如 SQL 注入、跨站点脚本攻击和会话劫持)的保护。These rules include protection against attacks such as SQL injection, cross-site scripting attacks, and session hijacks. 创建应用程序网关后,可对其进行测试,以确保正常工作。After creating the application gateway, you test it to make sure it's working correctly. 使用 Azure 应用程序网关可为端口分配侦听器、创建规则以及向后端池添加资源,以便将应用程序 Web 流量定向到特定资源。With Azure Application Gateway, you direct your application web traffic to specific resources by assigning listeners to ports, creating rules, and adding resources to a backend pool. 为简单起见,本教程使用了带有公共前端 IP 的简单设置、在此应用程序网关上托管单个站点的基本侦听器、用于后端池的两台虚拟机以及基本请求传递规则。For the sake of simplicity, this tutorial uses a simple setup with a public front-end IP, a basic listener to host a single site on this application gateway, two virtual machines used for the backend pool, and a basic request routing rule.

本教程介绍如何执行下列操作:In this tutorial, you learn how to:

  • 创建启用 WAF 的应用程序网关Create an application gateway with WAF enabled
  • 创建用作后端服务器的虚拟机Create the virtual machines used as backend servers
  • 创建存储帐户和配置诊断Create a storage account and configure diagnostics
  • 测试应用程序网关Test the application gateway

Web 应用程序防火墙示例

Note

本文进行了更新,以便使用新的 Azure PowerShell Az 模块。This article has been updated to use the new Azure PowerShell Az module. 你仍然可以使用 AzureRM 模块,至少在 2020 年 12 月之前,它将继续接收 bug 修补程序。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要详细了解新的 Az 模块和 AzureRM 兼容性,请参阅新 Azure Powershell Az 模块简介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 有关 Az 模块安装说明,请参阅安装 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.

如果你愿意,可以使用 Azure PowerShellAzure CLI 完成本教程中的步骤。If you prefer, you can complete this tutorial using Azure PowerShell or Azure CLI.

如果没有 Azure 订阅,可在开始前创建一个试用帐户If you don't have an Azure subscription, create a Trial before you begin.

登录 AzureSign in to Azure

通过 https://portal.azure.cn 登录到 Azure 门户Sign in to the Azure portal at https://portal.azure.cn

创建应用程序网关Create an application gateway

Azure 需要一个虚拟网络才能在资源之间通信。For Azure to communicate between resources, it needs a virtual network. 可以创建新的虚拟网络,或者使用现有的虚拟网络。You can either create a new virtual network or use an existing one. 本示例将创建新的虚拟网络。In this example, you create a new virtual network. 可以在创建应用程序网关的同时创建虚拟网络。You can create a virtual network at the same time that you create the application gateway. 在独立的子网中创建应用程序网关实例。Application Gateway instances are created in separate subnets. 在本示例中创建两个子网:一个用于应用程序网关,另一个用于后端服务器。You create two subnets in this example: one for the application gateway, and another for the backend servers.

选择 Azure 门户左侧菜单上的“创建资源” 。Select Create a resource on the left menu of the Azure portal. 此时会显示“新建”窗口。 The New window appears.

选择“网络” ,然后在“特色”列表中选择“应用程序网关” 。Select Networking and then select Application Gateway in the Featured list.

“基本信息”选项卡Basics tab

  1. 在“基本信息”选项卡上,输入这些值作为以下应用程序网关设置 :On the Basics tab, enter these values for the following application gateway settings:

    • 资源组:选择 myResourceGroupAG 作为资源组。Resource group: Select myResourceGroupAG for the resource group. 如果该资源组不存在,请选择“新建”,创建一个新的 。If it doesn't exist, select Create new to create it.

    • 应用程序网关名称:输入 myAppGateway 作为应用程序网关的名称。Application gateway name: Enter myAppGateway for the name of the application gateway.

    • :选择 WAF V2Tier: select WAF V2

      新建应用程序网关:基础知识

  2. Azure 需要一个虚拟网络才能在创建的资源之间通信。For Azure to communicate between the resources that you create, it needs a virtual network. 可以创建新的虚拟网络,或者使用现有的虚拟网络。You can either create a new virtual network or use an existing one. 在此示例中,将在创建应用程序网关的同时创建新的虚拟网络。In this example, you'll create a new virtual network at the same time that you create the application gateway. 在独立的子网中创建应用程序网关实例。Application Gateway instances are created in separate subnets. 在本示例中创建两个子网:一个用于应用程序网关,另一个用于后端服务器。You create two subnets in this example: one for the application gateway, and another for the backend servers.

    在“配置虚拟网络”下,通过选择“新建”创建新的虚拟网络 。Under Configure virtual network, create a new virtual network by selecting Create new. 在打开的“创建虚拟网络”窗口中,输入以下值以创建虚拟网络和两个子网 :In the Create virtual network window that opens, enter the following values to create the virtual network and two subnets:

    • 名称:输入 myVNet 作为虚拟网络的名称。Name: Enter myVNet for the name of the virtual network.

    • 子网名称(应用程序网关子网):子网网关将显示名为“默认值”的子网 。Subnet name (Application Gateway subnet): The Subnets grid will show a subnet named Default. 将此子网的名称更改为 myAGSubnet 。Change the name of this subnet to myAGSubnet.
      应用程序网关子网只能包含应用程序网关。The application gateway subnet can contain only application gateways. 不允许其他资源。No other resources are allowed.

    • 子网名称(后端服务器子网):在子网网关的第二行中,在“子网名称”列输入“myBackendSubnet” 。Subnet name (backend server subnet): In the second row of the Subnets grid, enter myBackendSubnet in the Subnet name column.

    • 地址范围(后端服务器子网):在子网网格的第二行中,输入不会与 myAGSubnet 的地址范围重叠的地址范围 。Address range (backend server subnet): In the second row of the Subnets Grid, enter an address range that doesn't overlap with the address range of myAGSubnet. 例如,如果 myAGSubnet 的地址范围为 10.0.0.0/24,则为 myBackendSubnet 的地址范围输入 10.0.1.0/24 。For example, if the address range of myAGSubnet is 10.0.0.0/24, enter 10.0.1.0/24 for the address range of myBackendSubnet.

    选择“确定”以关闭“创建虚拟网络”窗口,并保存虚拟网络设置 。Select OK to close the Create virtual network window and save the virtual network settings.

    新建应用程序网关:虚拟网络

  3. 在“基本信息” 选项卡上,接受其他设置的默认值,然后选择“下一步: 前端”。On the Basics tab, accept the default values for the other settings and then select Next: Frontends.

“前端”选项卡Frontends tab

  1. 在“前端”选项卡上,验证“IP 地址类型”是否设置为“公共” 。On the Frontends tab, verify Frontend IP address type is set to Public.
    可根据用例将前端 IP 配置为公共或专用 IP。You can configure the Frontend IP to be Public or Private as per your use case. 本示例将选择公共前端 IP。In this example, you'll choose a Public Frontend IP.

    Note

    对于应用程序网关 v2 SKU,只能选择公共前端 IP 配置。For the Application Gateway v2 SKU, you can only choose Public frontend IP configuration. 目前尚未为此 v2 SKU 启用专用前端 IP 配置。Private frontend IP configuration is currently not enabled for this v2 SKU.

  2. 为“公共 IP 地址”选择“新建”,输入“myAGPublicIPAddress”作为公共 IP 地址名称,然后选择“确定” 。Choose Create new for the Public IP address and enter myAGPublicIPAddress for the public IP address name, and then select OK.

    新建应用程序网关:前端

  3. 在完成时选择“下一步:后端Select Next: Backends.

“后端”选项卡Backends tab

后端池用于将请求路由到为请求提供服务的后端服务器。The backend pool is used to route requests to the backend servers that serve the request. 后端池可以包含 NIC、虚拟机规模集、公共 IP、内部 IP、完全限定的域名 (FQDN) 和多租户后端(例如 Azure 应用服务)。Backend pools can be composed of NICs, virtual machine scale sets, public IPs, internal IPs, fully qualified domain names (FQDN), and multi-tenant back-ends like Azure App Service. 在此示例中,将使用应用程序网关创建空的后端池,然后将后端目标添加到后端池。In this example, you'll create an empty backend pool with your application gateway and then add backend targets to the backend pool.

  1. 在“后端”选项卡上,选择“+添加后端池” 。On the Backends tab, select +Add a backend pool.

  2. 在打开的“添加后端池”窗口中,输入以下值以创建空的后端池 :In the Add a backend pool window that opens, enter the following values to create an empty backend pool:

    • 名称:输入“myBackendPool”作为后端池的名称 。Name: Enter myBackendPool for the name of the backend pool.
    • 添加不包含目标的后端池:选择“是”以创建不包含目标的后端池 。Add backend pool without targets: Select Yes to create a backend pool with no targets. 你将在创建应用程序网关之后添加后端目标。You'll add backend targets after creating the application gateway.
  3. 在“添加后端池”窗口中,选择“添加”以保存后端池配置并返回到“后端”选项卡 。In the Add a backend pool window, select Add to save the backend pool configuration and return to the Backends tab.

    新建应用程序网关:后端

  4. 在“后端” 选项卡上,选择“下一步: 配置”。On the Backends tab, select Next: Configuration.

配置选项卡Configuration tab

在“配置”选项卡上,将连接使用传递规则创建的前端和后端池 。On the Configuration tab, you'll connect the frontend and backend pool you created using a routing rule.

  1. 选择“传递规则”列中的“添加规则” 。Select Add a rule in the Routing rules column.

  2. 在打开的“添加传递规则”窗口中,输入“myRoutingRule”作为规则名称 。In the Add a routing rule window that opens, enter myRoutingRule for the Rule name.

  3. 传递规则需要侦听器。A routing rule requires a listener. 在“添加传递规则”窗口中的“侦听器”选项卡上,输入侦听器的以下值 :On the Listener tab within the Add a routing rule window, enter the following values for the listener:

    • 侦听器名称:输入“myListener”作为侦听器名称 。Listener name: Enter myListener for the name of the listener.

    • 前端 IP:选择“公共”,以选择为前端创建的公共 IP 。Frontend IP: Select Public to choose the public IP you created for the frontend.

      接受“侦听器”选项卡上其他设置的默认值,然后选择“后端目标”选项卡以配置剩余的传递规则 。Accept the default values for the other settings on the Listener tab, then select the Backend targets tab to configure the rest of the routing rule.

    新建应用程序网关:侦听器

  4. 在“后端目标”选项卡上,为“后端目标”选择“myBackendPool” 。On the Backend targets tab, select myBackendPool for the Backend target.

  5. 对于“HTTP 设置”,选择“新建”以创建新的 HTTP 设置 。For the HTTP setting, select Create new to create a new HTTP setting. HTTP 设置将决定传递规则的行为。The HTTP setting will determine the behavior of the routing rule. 在打开的“添加 HTTP 设置”窗口中,为“HTTP 设置名称”输入“myHTTPSetting” 。In the Add an HTTP setting window that opens, enter myHTTPSetting for the HTTP setting name. 接受“添加 HTTP 设置”窗口中其他设置的默认值,然后选择“添加”以返回到“添加传递规则”窗口 。Accept the default values for the other settings in the Add an HTTP setting window, then select Add to return to the Add a routing rule window.

    新建应用程序网关:HTTP 设置

  6. 在“添加传递规则”窗口上,选择“添加”以保存传递规则并返回到“配置”选项卡 。On the Add a routing rule window, select Add to save the routing rule and return to the Configuration tab.

    新建应用程序网关:传递规则

  7. 在完成时选择“下一步: 标记”,然后选择“下一步: 查看 + 创建”。Select Next: Tags and then Next: Review + create.

“查看 + 创建”选项卡Review + create tab

复查“查看 + 创建”选项卡上的设置,然后选择“创建”以创建虚拟网络、公共 IP 地址和应用程序网关 。Review the settings on the Review + create tab, and then select Create to create the virtual network, the public IP address, and the application gateway. Azure 可能需要数分钟时间来创建应用程序网关。It may take several minutes for Azure to create the application gateway.

请等待部署成功完成,然后再前进到下一部分。Wait until the deployment finishes successfully before moving on to the next section.

添加后端目标Add backend targets

本示例将使用虚拟机作为目标后端。In this example, you'll use virtual machines as the target backend. 可以使用现有的虚拟机,或创建新的虚拟机。You can either use existing virtual machines or create new ones. 将创建两个虚拟机,供 Azure 用作应用程序网关的后端服务器。You'll create two virtual machines that Azure uses as backend servers for the application gateway.

为此,将要:To do this, you'll:

  1. 创建两个新的 VM(myVM 和 myVM2),用作后端服务器 。Create two new VMs, myVM and myVM2, to be used as backend servers.
  2. 在虚拟机上安装 IIS,以验证是否成功创建了应用程序网关。Install IIS on the virtual machines to verify that the application gateway was created successfully.
  3. 将后端服务器添加到后端池。Add the backend servers to the backend pool.

创建虚拟机Create a virtual machine

  1. 在 Azure 门户中,选择“创建资源”。 On the Azure portal, select Create a resource. 此时会显示“新建”窗口。 The New window appears.

  2. 在“常用”列表中选择“Windows Server 2016 Datacenter” 。Select Windows Server 2016 Datacenter in the Popular list. 此时会显示“创建虚拟机”页。 The Create a virtual machine page appears.
    应用程序网关可将流量路由到其后端池中使用的任何类型的虚拟机。Application Gateway can route traffic to any type of virtual machine used in its backend pool. 本示例使用 Windows Server 2016 Datacenter。In this example, you use a Windows Server 2016 Datacenter.

  3. 对于以下虚拟机设置,请在“基本信息”选项卡中输入相应值: Enter these values in the Basics tab for the following virtual machine settings:

    • 资源组:选择 myResourceGroupAG 作为资源组名称。Resource group: Select myResourceGroupAG for the resource group name.
    • 虚拟机名称:输入 myVM 作为虚拟机的名称。Virtual machine name: Enter myVM for the name of the virtual machine.
    • 用户名:输入 azureuser 作为管理员用户名。Username: Enter azureuser for the administrator user name.
    • 密码:输入 Azure123456!Password: Enter Azure123456! 作为管理员密码。for the administrator password.
  4. 接受其他默认值,然后选择“下一步:磁盘”Accept the other defaults and then select Next: Disks.

  5. 接受“磁盘”选项卡的默认值,然后选择“下一步:网络”Accept the Disks tab defaults and then select Next: Networking.

  6. 在“网络” 选项卡上,验证是否已选择 myVNet 作为虚拟网络,以及是否已将“子网” 设置为 myBackendSubnetOn the Networking tab, verify that myVNet is selected for the Virtual network and the Subnet is set to myBackendSubnet. 接受其他默认值,然后选择“下一步:管理”Accept the other defaults and then select Next: Management.
    应用程序网关可与其所在的虚拟网络外部的实例进行通信,但需要确保已建立 IP 连接。Application Gateway can communicate with instances outside of the virtual network that it is in, but you need to ensure there's IP connectivity.

  7. 在“管理” 选项卡上,将“启动诊断” 设置为“关闭”。 On the Management tab, set Boot diagnostics to Off. 接受其他默认值,然后选择“复查 + 创建”。 Accept the other defaults and then select Review + create.

  8. 在“复查 + 创建”选项卡上复查设置,更正任何验证错误,然后选择“创建”。 On the Review + create tab, review the settings, correct any validation errors, and then select Create.

  9. 等待虚拟机创建完成,然后再继续操作。Wait for the virtual machine creation to complete before continuing.

安装 IIS 用于测试Install IIS for testing

本示例在虚拟机上安装 IIS,只为验证 Azure 是否已成功创建应用程序网关。In this example, you install IIS on the virtual machines only to verify Azure created the application gateway successfully.

  1. 打开 powershell 并使用订阅登录。Open powershell and login with your subscription.

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. 运行以下命令以在虚拟机上安装 IIS:Run the following command to install IIS on the virtual machine:

    Set-AzVMExtension `
      -ResourceGroupName myResourceGroupAG `
      -ExtensionName IIS `
      -VMName myVM `
      -Publisher Microsoft.Compute `
      -ExtensionType CustomScriptExtension `
      -TypeHandlerVersion 1.4 `
      -SettingString '{"commandToExecute":"powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"}' `
      -Location ChinaNorth
    
  3. 使用以前完成的步骤创建第二个虚拟机并安装 IIS。Create a second virtual machine and install IIS by using the steps that you previously completed. 使用 myVM2 作为虚拟机名称,以及作为 Set-AzVMExtension cmdlet 的 VMName 设置。Use myVM2 for the virtual machine name and for the VMName setting of the Set-AzVMExtension cmdlet.

将后端服务器添加到后端池Add backend servers to backend pool

  1. 选择“所有资源”,然后选择“myAppGateway”。 Select All resources, and then select myAppGateway.

  2. 从左侧菜单中选择“后端池”。 Select Backend pools from the left menu.

  3. 选择“myBackendPool”。 Select myBackendPool.

  4. 在“目标” 下,从下拉列表中选择“虚拟机”。 Under Targets, select Virtual machine from the drop-down list.

  5. 在“虚拟机”和“网络接口” 下,从下拉列表中选择 myVMmyVM2 虚拟机及其关联的网络接口。Under VIRTUAL MACHINE and NETWORK INTERFACES, select the myVM and myVM2 virtual machines and their associated network interfaces from the drop-down lists.

    添加后端服务器

  6. 选择“保存” 。Select Save.

  7. 等待部署完成之后再继续下一步。Wait for the deployment to complete before proceeding to the next step.

创建存储帐户和配置诊断Create a storage account and configure diagnostics

创建存储帐户Create a storage account

在本文中,应用程序网关使用存储帐户来存储用于检测和防范目的的数据。For this article, the application gateway uses a storage account to store data for detection and prevention purposes. 也可以使用 Azure Monitor 日志或事件中心来记录数据。You could also use Azure Monitor logs or Event Hub to record data.

  1. 选择 Azure 门户左上角的“创建资源” 。Select Create a resource on the upper left-hand corner of the Azure portal.
  2. 选择“存储”,然后选择“存储帐户” 。Select Storage, and then select Storage account.
  3. 对于“资源组” ,选择 myResourceGroupAG 作为资源组。For Resource group, select myResourceGroupAG for the resource group.
  4. 键入 myagstore1 作为存储帐户的名称。Type myagstore1 for the name of the storage account.
  5. 接受其他设置的默认值,然后选择“查看 + 创建” 。Accept the default values for the other settings and then select Review + Create.
  6. 检查设置,然后选择“创建”。 Review the settings, and then select Create.

配置诊断Configure diagnostics

配置诊断以将数据记录到 ApplicationGatewayAccessLog、ApplicationGatewayPerformanceLog 和 ApplicationGatewayFirewallLog 日志中。Configure diagnostics to record data into the ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, and ApplicationGatewayFirewallLog logs.

  1. 在左侧菜单中,选择“所有资源” ,然后选择“myAppGateway” 。In the left-hand menu, select All resources, and then select myAppGateway.

  2. 在“监视”下,选择“诊断设置” 。Under Monitoring, select Diagnostics settings.

  3. 选择“添加诊断设置” 。select Add diagnostics setting.

  4. 输入 myDiagnosticsSettings 作为诊断设置的名称。Enter myDiagnosticsSettings as the name for the diagnostics settings.

  5. 选择“存档到存储帐户” ,然后选择“配置” 以选择前面创建的 myagstore1 存储帐户,然后选择“确定” 。Select Archive to a storage account, and then select Configure to select the myagstore1 storage account that you previously created, and then select OK.

  6. 选择要收集和保留的应用程序网关日志。Select the application gateway logs to collect and keep.

  7. 选择“保存” 。Select Save.

    配置诊断

测试应用程序网关Test the application gateway

虽然不需 IIS 即可创建应用程序网关,但安装了它以验证 Azure 是否已成功创建应用程序网关。Although IIS isn't required to create the application gateway, you installed it to verify whether Azure successfully created the application gateway. 使用 IIS 测试应用程序网关:Use IIS to test the application gateway:

  1. 在“概览”页上找到应用程序网关的公共 IP 地址。 Find the public IP address for the application gateway on its Overview page.

    记下应用程序网关的公共 IP 地址

    或者,可以选择“所有资源”,在搜索框中输入“myAGPublicIPAddress” ,然后在搜索结果中将其选中 。Or, you can select All resources, enter myAGPublicIPAddress in the search box, and then select it in the search results. Azure 会在“概览”页上显示公共 IP 地址。 Azure displays the public IP address on the Overview page.

  2. 复制该公共 IP 地址,并将其粘贴到浏览器的地址栏。Copy the public IP address, and then paste it into the address bar of your browser.

  3. 检查响应。Check the response. 有效响应验证应用程序网关是否已成功创建,以及是否能够成功连接后端。A valid response verifies that the application gateway was successfully created and it can successfully connect with the backend.

    测试应用程序网关

清理资源Clean up resources

如果不再需要通过应用程序网关创建的资源,请删除资源组。When you no longer need the resources that you created with the application gateway, remove the resource group. 删除资源组时,也会删除应用程序网关和及其所有的相关资源。By removing the resource group, you also remove the application gateway and all its related resources.

若要删除资源组,请执行以下操作:To remove the resource group:

  1. 在 Azure 门户的左侧菜单上选择“资源组” 。On the left menu of the Azure portal, select Resource groups.
  2. 在“资源组”页的列表中搜索“myResourceGroupAG”,然后将其选中。 On the Resource groups page, search for myResourceGroupAG in the list, then select it.
  3. 在“资源组”页上,选择“删除资源组” 。On the Resource group page, select Delete resource group.
  4. 在“键入资源组名称”字段中输入“myResourceGroupAG”,然后选择“删除”。 Enter myResourceGroupAG for TYPE THE RESOURCE GROUP NAME and then select Delete.

后续步骤Next steps