Create Web Application Firewall (WAF) custom rules with Azure PowerShell
This script creates an Application Gateway Web Application Firewall that uses custom rules. The custom rule blocks traffic if the request header contains the User-Agent evilbot.
Prerequisites
Azure PowerShell module
If you choose to install and use Azure PowerShell locally, this script requires the Azure PowerShell module version 2.1.0 or later.
- To find the version, run `Get-Module -ListAvailable Az`. If you need to upgrade, see Install Azure PowerShell module.
- To create a connection with Azure, run `Connect-AzAccount -Environment AzureChinaCloud`.
If you don't have an Azure subscription, create a trial account before you begin.
Sample script

```powershell
# Set up variables
$rgname = "CustomRulesTest"
$location = "China North 2"
$appgwName = "WAFCustomRules"

# Create a resource group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location

# Create a VNet with one subnet for the gateway and one for the backend
$sub1 = New-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "backendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -Name "Vnet1" -ResourceGroupName $rgname -Location $location `
  -AddressPrefix "10.0.0.0/16" -Subnet @($sub1, $sub2)

# Create a static public VIP (Standard SKU is required for WAF_v2)
$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -Name "AppGwIP" `
  -Location $location -AllocationMethod Static -Sku Standard

# Create the backend pool and frontend port
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -VirtualNetwork $vnet
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIpConfig" -Subnet $gwSubnet
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "fipconfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "pool1" `
  -BackendIPAddresses testbackend1.chinanorth2.chinacloudapp.cn, testbackend2.chinanorth2.chinacloudapp.cn
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port1" -Port 80

# Create a listener, HTTP setting, routing rule, autoscale configuration and SKU
$listener01 = New-AzApplicationGatewayHttpListener -Name "listener1" -Protocol Http `
  -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01
$poolSetting01 = New-AzApplicationGatewayBackendHttpSettings -Name "setting1" -Port 80 `
  -Protocol Http -CookieBasedAffinity Disabled
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType basic `
  -BackendHttpSettings $poolSetting01 -HttpListener $listener01 -BackendAddressPool $pool
$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 3
$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2

# Create the custom rule and apply it to a WAF policy.
# The match variable is the User-Agent request header; the value is lowercased
# before the Contains comparison, so the match is case-insensitive.
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains `
  -MatchValue "evilbot" -Transform Lowercase -NegationCondition $False
$rule = New-AzApplicationGatewayFirewallCustomRule -Name blockEvilBot -Priority 2 -RuleType MatchRule `
  -MatchCondition $condition -Action Block
$policy = New-AzApplicationGatewayFirewallPolicySetting -Mode "Prevention"
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name wafPolicy -ResourceGroupName $rgname `
  -Location $location -CustomRule $rule -PolicySetting $policy

# Create the application gateway with the WAF policy attached
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname -Location $location `
  -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting01 `
  -GatewayIpConfigurations $gipconfig -FrontendIpConfigurations $fipconfig01 `
  -FrontendPorts $fp01 -HttpListeners $listener01 -RequestRoutingRules $rule01 `
  -Sku $sku -AutoscaleConfiguration $autoscaleConfig -FirewallPolicy $wafPolicy
```
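After the deployment finishes, it is worth confirming that the custom rule is actually attached and enforced before relying on it. The following verification script is an added example, not part of the original sample or of the Azure documentation. It assumes it runs in the same session as the script above (so `$rgname`, `$appgwName` and the resource names are defined), that the gateway's public IP is reachable from where you run it, and that the backend pool hosts answer HTTP on port 80; the property names `PolicySettings`, `CustomRules` and `FirewallPolicy` are those of the Az.Network object model.

```powershell
# Added verification example; assumes the sample script above ran in this session.

# 1. Confirm the custom rule is attached to the WAF policy and the policy is in Prevention mode.
$wafPolicy = Get-AzApplicationGatewayFirewallPolicy -Name "wafPolicy" -ResourceGroupName $rgname
"Policy mode: $($wafPolicy.PolicySettings.Mode)"
$wafPolicy.CustomRules |
    Select-Object Name, Priority, RuleType, Action |
    Format-Table -AutoSize

# 2. Confirm the gateway references that policy (an unreferenced policy enforces nothing).
$appgw = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname
"Gateway firewall policy: $($appgw.FirewallPolicy.Id)"

# 3. Send a benign request and a matching request through the gateway.
#    Because the condition uses -Transform Lowercase, a mixed-case "EvilBot"
#    should be treated the same as "evilbot".
function Test-WafRequest {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $UserAgent
    )
    try {
        $resp = Invoke-WebRequest -Uri $Uri -UserAgent $UserAgent -UseBasicParsing -TimeoutSec 30
        [pscustomobject]@{ UserAgent = $UserAgent; Status = [int]$resp.StatusCode }
    }
    catch {
        # A blocked or failed request surfaces as an exception that carries the response;
        # read the status code from it instead of letting the script stop.
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{ UserAgent = $UserAgent; Status = $status }
    }
}

$ip  = (Get-AzPublicIpAddress -Name "AppGwIP" -ResourceGroupName $rgname).IpAddress
$uri = "http://$ip/"

Test-WafRequest -Uri $uri -UserAgent "Mozilla/5.0 (verification client)"
Test-WafRequest -Uri $uri -UserAgent "EvilBot/1.0"
```

With the policy in Prevention mode, the second request should be answered by the WAF with HTTP 403 while the first is forwarded to the backend; if both return the same status, check step 2 first, since a policy that exists but is not referenced by the gateway has no effect. Switching the policy to Detection mode would log the match instead of blocking it, which is the usual way to trial a new custom rule before enforcing it.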
Clean up deployment
Run the following command to remove the resource group, application gateway, and all related resources.

```powershell
Remove-AzResourceGroup -Name CustomRulesTest
```
Script explanation
This script uses the following commands to create the deployment. Each item in the table links to command-specific documentation.
Next steps
- For more information about WAF custom rules, see Custom rules for Web Application Firewall.
- For more information on the Azure PowerShell module, see Azure PowerShell documentation.
- Additional application gateway PowerShell script samples can be found in the Azure Application Gateway documentation.