Restrict web traffic using Azure PowerShell

This script creates an application gateway with a web application firewall that uses a virtual machine scale set for backend servers. The web application firewall restricts web traffic based on OWASP rules. After running the script, you can test the application gateway using its public IP address.

This sample requires Azure PowerShell. Run Get-Module -ListAvailable Az to find the version. If you need to install or upgrade, see Install Azure PowerShell module.

Run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

If you don't have an Azure subscription, create a trial account before you begin.

Sample script

# Create a resource group
New-AzResourceGroup -Name myResourceGroupAG -Location chinanorth

# Create network resources
# The application gateway needs a subnet of its own; the scale set lives in a separate backend subnet.
$backendSubnetConfig = New-AzVirtualNetworkSubnetConfig `
  -Name myBackendSubnet `
  -AddressPrefix 10.0.1.0/24
$agSubnetConfig = New-AzVirtualNetworkSubnetConfig `
  -Name myAGSubnet `
  -AddressPrefix 10.0.2.0/24
$vnet = New-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Location chinanorth `
  -Name myVNet `
  -AddressPrefix 10.0.0.0/16 `
  -Subnet $backendSubnetConfig, $agSubnetConfig
$pip = New-AzPublicIpAddress `
  -ResourceGroupName myResourceGroupAG `
  -Location chinanorth `
  -Name myAGPublicIPAddress `
  -AllocationMethod Dynamic

# Create IP configurations and frontend port
$vnet = Get-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Name myVNet
# Look the gateway subnet up by name so it cannot be confused with the backend subnet
$subnet = Get-AzVirtualNetworkSubnetConfig -Name myAGSubnet -VirtualNetwork $vnet
$gipconfig = New-AzApplicationGatewayIPConfiguration `
  -Name myAGIPConfig `
  -Subnet $subnet
$fipconfig = New-AzApplicationGatewayFrontendIPConfig `
  -Name myAGFrontendIPConfig `
  -PublicIPAddress $pip
$frontendport = New-AzApplicationGatewayFrontendPort `
  -Name myFrontendPort `
  -Port 80

# Create the backend pool and settings
$defaultPool = New-AzApplicationGatewayBackendAddressPool `
  -Name appGatewayBackendPool
$poolSettings = New-AzApplicationGatewayBackendHttpSettings `
  -Name myPoolSettings `
  -Port 80 `
  -Protocol Http `
  -CookieBasedAffinity Enabled `
  -RequestTimeout 120

# Create the default listener and rule
$defaultlistener = New-AzApplicationGatewayHttpListener `
  -Name mydefaultListener `
  -Protocol Http `
  -FrontendIPConfiguration $fipconfig `
  -FrontendPort $frontendport
$frontendRule = New-AzApplicationGatewayRequestRoutingRule `
  -Name rule1 `
  -RuleType Basic `
  -HttpListener $defaultlistener `
  -BackendAddressPool $defaultPool `
  -BackendHttpSettings $poolSettings

# Create the application gateway
$sku = New-AzApplicationGatewaySku `
  -Name WAF_Medium `
  -Tier WAF `
  -Capacity 2
# "Detection" only logs requests that match OWASP rules; requests still reach the backend.
# Use "Prevention" once the firewall log shows an acceptable false-positive rate.
$wafConfig = New-AzApplicationGatewayWebApplicationFirewallConfiguration `
  -Enabled $true `
  -FirewallMode "Detection"
$appgw = New-AzApplicationGateway `
  -Name myAppGateway `
  -ResourceGroupName myResourceGroupAG `
  -Location chinanorth `
  -BackendAddressPools $defaultPool `
  -BackendHttpSettingsCollection $poolSettings `
  -FrontendIpConfigurations $fipconfig `
  -GatewayIpConfigurations $gipconfig `
  -FrontendPorts $frontendport `
  -HttpListeners $defaultlistener `
  -RequestRoutingRules $frontendRule `
  -Sku $sku `
  -WebApplicationFirewallConfig $wafConfig

# Create a virtual machine scale set
$vnet = Get-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Name myVNet
$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway
$backendPool = Get-AzApplicationGatewayBackendAddressPool `
  -Name appGatewayBackendPool `
  -ApplicationGateway $appgw
# The scale set instances go into the backend subnet, not the gateway's own subnet
$backendSubnet = Get-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -VirtualNetwork $vnet
$ipConfig = New-AzVmssIpConfig `
  -Name myVmssIPConfig `
  -SubnetId $backendSubnet.Id `
  -ApplicationGatewayBackendAddressPoolsId $backendPool.Id
$vmssConfig = New-AzVmssConfig `
  -Location chinanorth `
  -SkuCapacity 2 `
  -SkuName Standard_DS2 `
  -UpgradePolicyMode Automatic
Set-AzVmssStorageProfile $vmssConfig `
  -OsDiskCreateOption "FromImage" `
  -ImageReferencePublisher MicrosoftWindowsServer `
  -ImageReferenceOffer WindowsServer `
  -ImageReferenceSku 2016-Datacenter `
  -ImageReferenceVersion latest
# Sample credential only: supply the admin password from a secret store rather than leaving it in the script
Set-AzVmssOsProfile $vmssConfig `
  -AdminUsername azureuser `
  -AdminPassword "Azure123456!" `
  -ComputerNamePrefix myvmss
Add-AzVmssNetworkInterfaceConfiguration `
  -VirtualMachineScaleSet $vmssConfig `
  -Name myVmssNetConfig `
  -Primary $true `
  -IPConfiguration $ipConfig
New-AzVmss `
  -ResourceGroupName myResourceGroupAG `
  -Name myvmss `
  -VirtualMachineScaleSet $vmssConfig

# Install IIS
$publicSettings = @{ "fileUris" = (,"https://raw.githubusercontent.com/davidmu1/samplescripts/master/appgatewayurl.ps1");
  "commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File appgatewayurl.ps1" }
$vmss = Get-AzVmss -ResourceGroupName myResourceGroupAG -VMScaleSetName myvmss
Add-AzVmssExtension -VirtualMachineScaleSet $vmss `
  -Name "customScript" `
  -Publisher "Microsoft.Compute" `
  -Type "CustomScriptExtension" `
  -TypeHandlerVersion 1.8 `
  -Setting $publicSettings
Update-AzVmss `
  -ResourceGroupName myResourceGroupAG `
  -Name myvmss `
  -VirtualMachineScaleSet $vmss

# Create a storage account
$storageAccount = New-AzStorageAccount `
  -ResourceGroupName myResourceGroupAG `
  -Name myagstore1 `
  -Location chinanorth `
  -SkuName "Standard_LRS"

# Configure diagnostics
$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway
$store = Get-AzStorageAccount `
  -ResourceGroupName myResourceGroupAG `
  -Name myagstore1
# The firewall log is where OWASP rule matches (and, in Prevention mode, blocks) are recorded
Set-AzDiagnosticSetting `
  -ResourceId $appgw.Id `
  -StorageAccountId $store.Id `
  -Categories ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog `
  -Enabled $true `
  -RetentionEnabled $true `
  -RetentionInDays 30

# Get the IP address
Get-AzPublicIpAddress -ResourceGroupName myResourceGroupAG -Name myAGPublicIPAddress
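The script enables the ApplicationGatewayFirewallLog category but does nothing with it. The following is an added example, not part of the original sample: it summarizes firewall log records by OWASP rule and client, and defines a helper that switches the gateway from Detection to Prevention mode once the log has been reviewed. The log records are constructed samples in the shape of that category; Get-WafRuleSummary and Set-WafPreventionMode are names chosen here, while the Az cmdlets inside them are the standard Az.Network ones.

```powershell
# Constructed sample records shaped like ApplicationGatewayFirewallLog entries (not real traffic)
$sampleLog = @'
[
 {"time":"2020-01-01T10:00:00Z","category":"ApplicationGatewayFirewallLog",
  "properties":{"clientIp":"203.0.113.10","requestUri":"/search","ruleSetType":"OWASP","ruleSetVersion":"3.0",
                "ruleId":"942100","action":"Detected","message":"SQL Injection Attack Detected via libinjection"}},
 {"time":"2020-01-01T10:00:05Z","category":"ApplicationGatewayFirewallLog",
  "properties":{"clientIp":"203.0.113.10","requestUri":"/search","ruleSetType":"OWASP","ruleSetVersion":"3.0",
                "ruleId":"941100","action":"Detected","message":"XSS Attack Detected via libinjection"}},
 {"time":"2020-01-01T10:01:00Z","category":"ApplicationGatewayFirewallLog",
  "properties":{"clientIp":"198.51.100.7","requestUri":"/login","ruleSetType":"OWASP","ruleSetVersion":"3.0",
                "ruleId":"942100","action":"Detected","message":"SQL Injection Attack Detected via libinjection"}}
]
'@

function Get-WafRuleSummary {
    # One row per (rule id, action): how often it fired, from which clients, and whether anything was blocked
    param([Parameter(Mandatory)][string]$LogJson)
    $records = $LogJson | ConvertFrom-Json |
        Where-Object { $_.category -eq 'ApplicationGatewayFirewallLog' }
    $records | Group-Object { "$($_.properties.ruleId)|$($_.properties.action)" } | ForEach-Object {
        $first = $_.Group[0].properties
        [pscustomobject]@{
            RuleId    = $first.ruleId
            Action    = $first.action
            Hits      = $_.Count
            ClientIps = ($_.Group.properties.clientIp | Sort-Object -Unique) -join ','
            Message   = $first.message
        }
    } | Sort-Object Hits -Descending
}

function Set-WafPreventionMode {
    # Switch the gateway created above to Prevention so OWASP matches are blocked, not just logged.
    # Call this only after reviewing the Detection-mode log for false positives; it needs a live Azure session.
    param([string]$ResourceGroupName = 'myResourceGroupAG', [string]$GatewayName = 'myAppGateway')
    $appgw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $appgw `
        -Enabled $true -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion 3.0 | Out-Null
    Set-AzApplicationGateway -ApplicationGateway $appgw
}

$summary = Get-WafRuleSummary -LogJson $sampleLog
$summary | Format-Table -AutoSize
# With -FirewallMode "Detection" every record is 'Detected': the rules matched but the requests were forwarded
if (-not ($summary | Where-Object Action -eq 'Blocked')) {
    Write-Warning "No 'Blocked' entries: the WAF is only detecting. Run Set-WafPreventionMode to enforce."
}
```

The summary runs offline against the embedded records; point it at records downloaded from the myagstore1 storage account to review a real deployment.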

Clean up deployment

Run the following command to remove the resource group, application gateway, and all related resources.

Remove-AzResourceGroup -Name myResourceGroupAG

Script explanation

This script uses the following commands to create the deployment. Each item in the table links to command-specific documentation.

| Command | Notes |
|---|---|
| New-AzResourceGroup | Creates a resource group in which all resources are stored. |
| New-AzVirtualNetworkSubnetConfig | Creates the subnet configuration. |
| New-AzVirtualNetwork | Creates the virtual network with the subnet configurations. |
| New-AzPublicIpAddress | Creates the public IP address for the application gateway. |
| New-AzApplicationGatewayIPConfiguration | Creates the configuration that associates a subnet with the application gateway. |
| New-AzApplicationGatewayFrontendIPConfig | Creates the configuration that assigns a public IP address to the application gateway. |
| New-AzApplicationGatewayFrontendPort | Assigns a port to be used to access the application gateway. |
| New-AzApplicationGatewayBackendAddressPool | Creates a backend pool for an application gateway. |
| New-AzApplicationGatewayBackendHttpSettings | Configures settings for a backend pool. |
| New-AzApplicationGatewayHttpListener | Creates a listener. |
| New-AzApplicationGatewayRequestRoutingRule | Creates a routing rule. |
| New-AzApplicationGatewaySku | Specifies the tier and capacity for an application gateway. |
| New-AzApplicationGatewayWebApplicationFirewallConfiguration | Creates the web application firewall configuration. |
| New-AzApplicationGateway | Creates an application gateway. |
| Set-AzVmssStorageProfile | Creates a storage profile for the scale set. |
| Set-AzVmssOsProfile | Defines the operating system for the scale set. |
| Add-AzVmssNetworkInterfaceConfiguration | Defines the network interface for the scale set. |
| New-AzVmss | Creates a virtual machine scale set. |
| New-AzStorageAccount | Creates a storage account. |
| Set-AzDiagnosticSetting | Configures diagnostics to record data. |
| Get-AzPublicIPAddress | Gets the public IP address of an application gateway. |
| Remove-AzResourceGroup | Removes a resource group and all resources contained within. |

Next steps

For more information on the Azure PowerShell module, see Azure PowerShell documentation.

Additional application gateway PowerShell script samples can be found in the Azure Application Gateway documentation.