Create Web Application Firewall (WAF) custom rules with Azure PowerShell

This script creates an Application Gateway Web Application Firewall that uses custom rules. The custom rule blocks a request if its User-Agent request header contains the string evilbot.

Prerequisites

Azure PowerShell module

If you choose to install and use Azure PowerShell locally, this script requires the Azure PowerShell module version 2.1.0 or later.

  1. To find the version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install Azure PowerShell module.
  2. To create a connection with Azure, run Connect-AzAccount -Environment AzureChinaCloud.

If you don't have an Azure subscription, create a trial account before you begin.

Sample script

#Set up variables
$rgname = "CustomRulesTest"
$location = "China North 2"
$appgwName = "WAFCustomRules"

#Create a Resource Group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location

#Create a VNet
$sub1 = New-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "backendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -Name "Vnet1" -ResourceGroupName $rgname -Location $location `
  -AddressPrefix "10.0.0.0/16" -Subnet @($sub1, $sub2)

#Create a Static Public VIP
$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name "AppGwIP" `
  -location $location -AllocationMethod Static -Sku Standard

#Create pool and frontend port
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -VirtualNetwork $vnet

$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIpConfig" -Subnet $gwSubnet
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "fipconfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "pool1" `
  -BackendIPAddresses testbackend1.chinanorth2.chinacloudapp.cn, testbackend2.chinanorth2.chinacloudapp.cn
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port1" -Port 80

#Create a listener, http setting, rule, and autoscale
$listener01 = New-AzApplicationGatewayHttpListener -Name "listener1" -Protocol Http `
  -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01
$poolSetting01 = New-AzApplicationGatewayBackendHttpSettings -Name "setting1" -Port 80 `
  -Protocol Http -CookieBasedAffinity Disabled
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType basic `
  -BackendHttpSettings $poolSetting01 -HttpListener $listener01 -BackendAddressPool $pool
$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 3
$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2

#Create the custom rule and apply it to WAF policy
# Match on the User-Agent request header; the Lowercase transform makes the comparison case-insensitive
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains -MatchValue "evilbot" -Transform Lowercase -NegationCondition $False
$rule = New-AzApplicationGatewayFirewallCustomRule -Name blockEvilBot -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block
# Prevention mode enforces the Block action; Detection mode would only log the match
$policy = New-AzApplicationGatewayFirewallPolicySetting -Mode "Prevention"
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name wafPolicy -ResourceGroupName $rgname -Location $location -CustomRule $rule -PolicySetting $policy

#Create the Application Gateway
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname -Location $location -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting01 -GatewayIpConfigurations $gipconfig -FrontendIpConfigurations $fipconfig01 -FrontendPorts $fp01 -HttpListeners $listener01 -RequestRoutingRules $rule01 -Sku $sku -AutoscaleConfiguration $autoscaleConfig -FirewallPolicy $wafPolicy
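The script above deploys the rule but does not show how to confirm that it is actually enforced. The following is an added verification example, not part of the original article or of the Azure documentation: it reads the policy back and then sends one benign request and one request carrying the blocked User-Agent string to the gateway's public IP. It assumes the sample script has completed with the names it uses (resource group CustomRulesTest, policy wafPolicy, public IP AppGwIP), that port 80 on the gateway is reachable from the machine running it, and that the policy object exposes the PolicySettings, CustomRules and MatchConditions properties of the Az.Network object model.

```powershell
# Added verification example (not from the original article). Assumes the sample
# script above has completed in resource group "CustomRulesTest" and that the
# gateway's public IP "AppGwIP" is reachable on port 80 from this machine.
$rgname = "CustomRulesTest"

# 1. Read the policy back and confirm the custom rule is attached in Prevention mode.
$wafPolicy = Get-AzApplicationGatewayFirewallPolicy -Name "wafPolicy" -ResourceGroupName $rgname
"Policy mode: $($wafPolicy.PolicySettings.Mode)"
foreach ($r in $wafPolicy.CustomRules) {
    "Rule $($r.Name): priority $($r.Priority), type $($r.RuleType), action $($r.Action)"
    foreach ($c in $r.MatchConditions) {
        $mv = $c.MatchVariables[0]
        "  when $($mv.VariableName)[$($mv.Selector)] $($c.Operator) '$($c.MatchValues -join ', ')' " +
        "(transforms: $($c.Transforms -join ', '))"
    }
}

# 2. Probe the gateway. The benign request returns whatever the backend returns
#    (a 502 is normal if the test backends do not exist); the second request
#    must come back as 403 from the WAF itself.
$ip  = (Get-AzPublicIpAddress -Name "AppGwIP" -ResourceGroupName $rgname).IpAddress
$url = "http://$ip/"

function Get-StatusCode([string]$Uri, [string]$UserAgent) {
    try {
        $resp = Invoke-WebRequest -Uri $Uri -UserAgent $UserAgent -UseBasicParsing -TimeoutSec 30
        return [int]$resp.StatusCode
    } catch {
        # Windows PowerShell throws on 4xx/5xx; recover the code from the response object.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$allowed = Get-StatusCode -Uri $url -UserAgent "Mozilla/5.0 (uptime probe)"
# Mixed case on purpose: the rule's Lowercase transform should still match "evilbot".
$blocked = Get-StatusCode -Uri $url -UserAgent "EvilBot/1.0"

"Benign User-Agent -> HTTP $allowed"
"EvilBot/1.0       -> HTTP $blocked"
if ($blocked -ne 403) {
    Write-Warning "Custom rule did not block the request; check PolicySettings.Mode and the rule priority."
}
if ($allowed -eq 403) {
    Write-Warning "Benign request was blocked; a managed rule or another custom rule may be matching."
}
```

Two checks matter here. The mixed-case probe only passes because the condition applies the Lowercase transform before comparing; without it, a rule written against "evilbot" would miss "EvilBot". And if the benign request is also blocked, the 403 comes from something other than this custom rule (another custom rule or the managed rule set), which the read-back in step 1 helps you spot.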

Clean up deployment

Run the following command to remove the resource group, application gateway, and all related resources.

Remove-AzResourceGroup -Name CustomRulesTest

Script explanation

This script uses the following commands to create the deployment. Each item in the table links to command-specific documentation.

Command: Notes
New-AzResourceGroup: Creates a resource group in which all resources are stored.
New-AzVirtualNetworkSubnetConfig: Creates the subnet configuration.
New-AzVirtualNetwork: Creates the virtual network with the subnet configurations.
New-AzPublicIpAddress: Creates the public IP address for the application gateway.
New-AzApplicationGatewayIPConfiguration: Creates the configuration that associates a subnet with the application gateway.
New-AzApplicationGatewayFrontendIPConfig: Creates the configuration that assigns a public IP address to the application gateway.
New-AzApplicationGatewayFrontendPort: Assigns a port to be used to access the application gateway.
New-AzApplicationGatewayBackendAddressPool: Creates a backend pool for an application gateway.
New-AzApplicationGatewayBackendHttpSettings: Configures settings for a backend pool.
New-AzApplicationGatewayHttpListener: Creates a listener.
New-AzApplicationGatewayRequestRoutingRule: Creates a routing rule.
New-AzApplicationGatewaySku: Specifies the tier and capacity for an application gateway.
New-AzApplicationGateway: Creates an application gateway.
Remove-AzResourceGroup: Removes a resource group and all resources contained within.
New-AzApplicationGatewayAutoscaleConfiguration: Creates an autoscale configuration for the application gateway.
New-AzApplicationGatewayFirewallMatchVariable: Creates a match variable for a firewall condition.
New-AzApplicationGatewayFirewallCondition: Creates a match condition for a custom rule.
New-AzApplicationGatewayFirewallCustomRule: Creates a new custom rule for the application gateway firewall policy.
New-AzApplicationGatewayFirewallPolicy: Creates an application gateway firewall policy.
New-AzApplicationGatewayWebApplicationFirewallConfiguration: Creates a WAF configuration for an application gateway.

Next steps