This script creates an Application Gateway Web Application Firewall that uses custom rules. The custom rule blocks traffic if the request's User-Agent header contains evilbot.

If you choose to install and use Azure PowerShell locally, this script requires the Azure PowerShell module version 2.1.0 or later. To find the installed version, run `Get-Module -ListAvailable Az`. If you need to upgrade, see Install Azure PowerShell module. Then run `Connect-AzAccount` to create a connection with Azure.

If you don't have an Azure account, create a free account before you begin.
```powershell
# Set up variables
$rgname = "CustomRulesTest"
$location = "East US"
$appgwName = "WAFCustomRules"

# Create a resource group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location

# Create a VNet
$sub1 = New-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "backendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -Name "Vnet1" -ResourceGroupName $rgname -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet @($sub1, $sub2)

# Create a static public VIP
$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -Name "AppGwIP" `
    -Location $location -AllocationMethod Static -Sku Standard

# Create pool and frontend port
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -VirtualNetwork $vnet
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIpConfig" -Subnet $gwSubnet
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "fipconfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "pool1" `
    -BackendIPAddresses testbackend1.westus.cloudapp.azure.com, testbackend2.westus.cloudapp.azure.com
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port1" -Port 80

# Create a listener, HTTP setting, rule, and autoscale
$listener01 = New-AzApplicationGatewayHttpListener -Name "listener1" -Protocol Http `
    -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01
$poolSetting01 = New-AzApplicationGatewayBackendHttpSettings -Name "setting1" -Port 80 `
    -Protocol Http -CookieBasedAffinity Disabled
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType basic `
    -BackendHttpSettings $poolSetting01 -HttpListener $listener01 -BackendAddressPool $pool
$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 3
$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2

# Create the custom rule and apply it to the WAF policy.
# The header value is lowercased before the Contains match on "evilbot".
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains `
    -MatchValue "evilbot" -Transform Lowercase -NegationCondition $False
$rule = New-AzApplicationGatewayFirewallCustomRule -Name blockEvilBot -Priority 2 -RuleType MatchRule `
    -MatchCondition $condition -Action Block
$policy = New-AzApplicationGatewayFirewallPolicySetting -Mode "Prevention"
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name wafPolicy -ResourceGroupName $rgname `
    -Location $location -CustomRule $rule -PolicySetting $policy

# Create the Application Gateway
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname -Location $location `
    -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting01 `
    -GatewayIpConfigurations $gipconfig -FrontendIpConfigurations $fipconfig01 `
    -FrontendPorts $fp01 -HttpListeners $listener01 -RequestRoutingRules $rule01 `
    -Sku $sku -AutoscaleConfiguration $autoscaleConfig -FirewallPolicy $wafPolicy
```
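
A check to run once the deployment finishes, added here as an example and not part of the original script: it confirms the policy mode and attached custom rule, then sends requests with constructed User-Agent values and reports which ones the gateway blocks. It assumes the resource names from the script above and that a blocked request is answered with HTTP 403; because the sample backends are placeholders, allowed requests may return an error status other than 403.

```powershell
# Added verification example; not part of the original script.
# Assumes the resource names used by the deployment script above.
$rgname = "CustomRulesTest"

# 1. Confirm the policy mode and that the custom rule is attached.
$deployed = Get-AzApplicationGatewayFirewallPolicy -Name "wafPolicy" -ResourceGroupName $rgname
"Policy mode: {0}" -f $deployed.PolicySettings.Mode
$deployed.CustomRules | Select-Object Name, Priority, RuleType, Action | Format-Table

# 2. Look up the gateway's public IP (the listener is HTTP on port 80).
$ip = (Get-AzPublicIpAddress -ResourceGroupName $rgname -Name "AppGwIP").IpAddress

# Returns the HTTP status code for a request sent with the given User-Agent,
# or -1 if no HTTP response was received. Works in Windows PowerShell 5.1 and 7+.
function Get-StatusForUserAgent {
    param([string]$Uri, [string]$UserAgent)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UserAgent $UserAgent -UseBasicParsing -TimeoutSec 15
        return [int]$r.StatusCode
    } catch {
        $resp = $_.Exception.Response
        if ($null -ne $resp) { return [int]$resp.StatusCode }
        return -1
    }
}

# 3. Constructed test values. The rule lowercases the header before the
#    Contains match, so mixed case and embedded substrings should both match.
$cases = @(
    @{ UserAgent = "evilbot";                           ExpectBlock = $true  },
    @{ UserAgent = "EvilBot/1.0";                       ExpectBlock = $true  },
    @{ UserAgent = "Mozilla/5.0 (compatible; EVILBOT)"; ExpectBlock = $true  },
    @{ UserAgent = "Mozilla/5.0 (rule-check)";          ExpectBlock = $false }
)

$results = foreach ($c in $cases) {
    $status  = Get-StatusForUserAgent -Uri "http://$ip/" -UserAgent $c.UserAgent
    $blocked = ($status -eq 403)   # assumption: the WAF Block action answers with 403
    [pscustomobject]@{
        UserAgent  = $c.UserAgent
        Status     = $status
        Blocked    = $blocked
        AsExpected = ($blocked -eq $c.ExpectBlock)
    }
}
$results | Format-Table -AutoSize
```
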
Run the following command to remove the resource group, application gateway, and all related resources.
```powershell
Remove-AzResourceGroup -Name CustomRulesTest
```
This script uses the following commands to create the deployment. Each item in the table links to command-specific documentation.
Command | Notes |
---|---|
New-AzResourceGroup | Creates a resource group in which all resources are stored. |
New-AzVirtualNetworkSubnetConfig | Creates the subnet configuration. |
New-AzVirtualNetwork | Creates the virtual network with the subnet configurations. |
New-AzPublicIpAddress | Creates the public IP address for the application gateway. |
New-AzApplicationGatewayIPConfiguration | Creates the configuration that associates a subnet with the application gateway. |
New-AzApplicationGatewayFrontendIPConfig | Creates the configuration that assigns a public IP address to the application gateway. |
New-AzApplicationGatewayFrontendPort | Assigns a port to be used to access the application gateway. |
New-AzApplicationGatewayBackendAddressPool | Creates a backend pool for an application gateway. |
New-AzApplicationGatewayBackendHttpSettings | Configures settings for a backend pool. |
New-AzApplicationGatewayHttpListener | Creates a listener. |
New-AzApplicationGatewayRequestRoutingRule | Creates a routing rule. |
New-AzApplicationGatewaySku | Specifies the tier and capacity for an application gateway. |
New-AzApplicationGateway | Creates an application gateway. |
Remove-AzResourceGroup | Removes a resource group and all resources contained within. |
New-AzApplicationGatewayAutoscaleConfiguration | Creates an autoscale configuration for the Application Gateway. |
New-AzApplicationGatewayFirewallMatchVariable | Creates a match variable for firewall condition. |
New-AzApplicationGatewayFirewallCondition | Creates a match condition for custom rule. |
New-AzApplicationGatewayFirewallCustomRule | Creates a new custom rule for the application gateway firewall policy. |
New-AzApplicationGatewayFirewallPolicy | Creates an application gateway firewall policy. |
New-AzApplicationGatewayWebApplicationFirewallConfiguration | Creates a WAF configuration for an application gateway. |