Enable web application firewall using the Azure CLI

You can restrict traffic on an application gateway with a web application firewall (WAF). The WAF uses OWASP Core Rule Set (CRS) rules to protect your application. These rules include protection against attacks such as SQL injection, cross-site scripting, and session hijacking.

In this article, you learn how to:

  • Set up the network
  • Create an application gateway with WAF enabled
  • Create a virtual machine scale set
  • Create a storage account and configure diagnostics

[Figure: Web application firewall example]

If you prefer, you can complete this procedure using Azure PowerShell.

If you don't have an Azure subscription, create a trial account before you begin.

If you choose to install and use the CLI locally, this article requires that you are running Azure CLI version 2.0.4 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI. The commands below use bash syntax (backslash line continuation and $(...) command substitution); run them in a bash shell or in Azure Cloud Shell.

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Create an Azure resource group named myResourceGroupAG with az group create.

az group create --name myResourceGroupAG --location chinanorth

Create network resources

The virtual network and subnets provide network connectivity to the application gateway and its associated resources. Create the virtual network named myVNet (with the backend subnet myBackendSubnet) and the gateway subnet myAGSubnet with az network vnet create and az network vnet subnet create. The gateway needs a subnet of its own; backend instances go in myBackendSubnet. Create a public IP address named myAGPublicIPAddress with az network public-ip create.

az network vnet create \
  --name myVNet \
  --resource-group myResourceGroupAG \
  --location chinanorth \
  --address-prefix 10.0.0.0/16 \
  --subnet-name myBackendSubnet \
  --subnet-prefix 10.0.1.0/24

# Dedicated subnet for the application gateway
az network vnet subnet create \
  --name myAGSubnet \
  --resource-group myResourceGroupAG \
  --vnet-name myVNet \
  --address-prefix 10.0.2.0/24

az network public-ip create \
  --resource-group myResourceGroupAG \
  --name myAGPublicIPAddress

Create an application gateway with a WAF

You can use az network application-gateway create to create the application gateway named myAppGateway. When you create an application gateway using the Azure CLI, you specify configuration information such as capacity, SKU, and HTTP settings. The application gateway is assigned to myAGSubnet and myAGPublicIPAddress, which you created previously. The second command then enables the WAF with OWASP rule set version 3.0 in Detection mode: rule matches are written to the firewall log, but the request is still forwarded to the backend. After you have reviewed the firewall log for false positives, change --firewall-mode to Prevention, which makes the gateway answer violating requests with HTTP 403. Note that the listener created here is plain HTTP on port 80; the WAF inspects whatever the listener terminates, so a production deployment also adds an HTTPS listener with a certificate.

az network application-gateway create \
  --name myAppGateway \
  --location chinanorth \
  --resource-group myResourceGroupAG \
  --vnet-name myVNet \
  --subnet myAGSubnet \
  --capacity 2 \
  --sku WAF_Medium \
  --http-settings-cookie-based-affinity Disabled \
  --frontend-port 80 \
  --http-settings-port 80 \
  --http-settings-protocol Http \
  --public-ip-address myAGPublicIPAddress

# Detection logs rule matches without blocking; switch to Prevention after reviewing the log
az network application-gateway waf-config set \
  --enabled true \
  --gateway-name myAppGateway \
  --resource-group myResourceGroupAG \
  --firewall-mode Detection \
  --rule-set-version 3.0

It may take several minutes for the application gateway to be created. After the application gateway is created, you can see these new features of it:

  • appGatewayBackendPool - An application gateway must have at least one backend address pool.
  • appGatewayBackendHttpSettings - Specifies that port 80 and the HTTP protocol are used for communication with the backend.
  • appGatewayHttpListener - The default listener associated with appGatewayBackendPool.
  • appGatewayFrontendIP - Assigns myAGPublicIPAddress to appGatewayHttpListener.
  • rule1 - The default routing rule that is associated with appGatewayHttpListener.

Create a virtual machine scale set

In this example, you create a virtual machine scale set that provides two servers for the backend pool of the application gateway. The virtual machines in the scale set are associated with the myBackendSubnet subnet, and --app-gateway together with --backend-pool-name registers them in appGatewayBackendPool. To create the scale set, use az vmss create. The command uses a password for brevity; for a real deployment prefer SSH keys (replace --admin-password with --generate-ssh-keys) and never reuse the sample value.

az vmss create \
  --name myvmss \
  --resource-group myResourceGroupAG \
  --image UbuntuLTS \
  --admin-username azureuser \
  --admin-password Azure123456! \
  --instance-count 2 \
  --vnet-name myVNet \
  --subnet myBackendSubnet \
  --vm-sku Standard_DS2 \
  --upgrade-policy-mode Automatic \
  --app-gateway myAppGateway \
  --backend-pool-name appGatewayBackendPool

Install NGINX

The custom script extension runs install_nginx.sh as root on every instance, including instances added later by scale-out. The script is fetched from GitHub each time it runs, so pin the URL to a specific commit or host a reviewed copy in your own storage account rather than trusting whatever the branch head contains.

az vmss extension set \
  --publisher Microsoft.Azure.Extensions \
  --version 2.0 \
  --name CustomScript \
  --resource-group myResourceGroupAG \
  --vmss-name myvmss \
  --settings '{ "fileUris": ["https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/install_nginx.sh"], "commandToExecute": "./install_nginx.sh" }'

Create a storage account and configure diagnostics

In this article, the application gateway uses a storage account to store the access, performance, and firewall logs. The firewall log is what you review to see which requests Detection mode matched and, after switching modes, which requests Prevention mode blocked. You could also send the data to Azure Monitor logs or an Event Hub.

Create a storage account

Create a storage account named myagstore1 with az storage account create. Storage account names must be globally unique, so change the name if it is already taken.

az storage account create \
  --name myagstore1 \
  --resource-group myResourceGroupAG \
  --location chinanorth \
  --sku Standard_LRS \
  --encryption-services blob

Configure diagnostics

Configure diagnostics to record data into the ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, and ApplicationGatewayFirewallLog logs. The first two commands look up the resource IDs of the gateway and the storage account with --query id; az monitor diagnostic-settings create then enables the three log categories with 30-day retention and sends them to the storage account.

appgwid=$(az network application-gateway show \
  --name myAppGateway \
  --resource-group myResourceGroupAG \
  --query id -o tsv)

storeid=$(az storage account show \
  --name myagstore1 \
  --resource-group myResourceGroupAG \
  --query id -o tsv)

az monitor diagnostic-settings create \
  --name appgwdiag \
  --resource $appgwid \
  --storage-account $storeid \
  --logs '[
    { "category": "ApplicationGatewayAccessLog", "enabled": true,
      "retentionPolicy": { "days": 30, "enabled": true } },
    { "category": "ApplicationGatewayPerformanceLog", "enabled": true,
      "retentionPolicy": { "days": 30, "enabled": true } },
    { "category": "ApplicationGatewayFirewallLog", "enabled": true,
      "retentionPolicy": { "days": 30, "enabled": true } }
  ]'
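Before you switch the WAF from Detection to Prevention you want to know what Detection mode has been flagging. The script below is an added example and is not part of this article or of the Azure CLI; it summarizes the firewall-log records that the diagnostic setting above writes as PT1H.json blobs into the storage account (download them with az storage blob download, not shown here). Field names follow the ApplicationGatewayFirewallLog schema (properties.clientIp, ruleId, message, action, transactionId); the sample records are constructed, not captured traffic.

```python
"""Summarize the WAF entries in ApplicationGatewayFirewallLog blobs.

Added example, not part of the Azure documentation. Field names follow the
ApplicationGatewayFirewallLog schema (properties.clientIp, ruleId, message, action,
transactionId); the records below are constructed, not captured traffic.
"""
import json
import sys
from collections import Counter


def _fw(client_ip, uri, rule_id, message, action, tx):
    """Build one constructed record in the shape Azure writes to the PT1H.json blobs."""
    return {
        "time": "2019-05-01T10:00:00Z",
        "category": "ApplicationGatewayFirewallLog",
        "operationName": "ApplicationGatewayFirewall",
        "properties": {
            "clientIp": client_ip, "requestUri": uri, "ruleSetType": "OWASP",
            "ruleSetVersion": "3.0", "ruleId": rule_id, "message": message,
            "action": action, "transactionId": tx,
        },
    }


SAMPLE_RECORDS = [
    # One request can match several rules; those entries share a transactionId.
    _fw("203.0.113.10", "/?id=1%27+OR+%271%27%3D%271", "942100",
        "SQL Injection Attack Detected via libinjection", "Detected", "tx-001"),
    _fw("203.0.113.10", "/?id=1%27+OR+%271%27%3D%271", "942130",
        "SQL Injection Attack: SQL Tautology Detected.", "Detected", "tx-001"),
    _fw("203.0.113.10", "/?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E", "941100",
        "XSS Attack Detected via libinjection", "Detected", "tx-002"),
    _fw("198.51.100.7", "/?file=..%2F..%2Fetc%2Fpasswd", "930100",
        "Path Traversal Attack (/../)", "Blocked", "tx-003"),
    # Access-log records land in another container, but mixed input must still be filtered.
    {"time": "2019-05-01T10:00:01Z", "category": "ApplicationGatewayAccessLog",
     "properties": {"clientIp": "203.0.113.10", "requestUri": "/", "httpStatus": 200}},
]
# Newer exports are newline-delimited JSON; older ones wrapped the list in {"records": [...]}.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)
SAMPLE_LOG_WRAPPED = json.dumps({"records": SAMPLE_RECORDS})


def parse_records(text):
    """Accept either blob layout and return a list of record dicts."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict):
        return doc.get("records", [doc])
    return doc


def summarize(records):
    """Aggregate firewall entries by action, rule and client; count requests via transactionId."""
    fw = [r["properties"] for r in records if r.get("category") == "ApplicationGatewayFirewallLog"]
    by_action = Counter(p["action"] for p in fw)
    by_rule = Counter((p["ruleId"], p["message"]) for p in fw)
    by_client = Counter(p["clientIp"] for p in fw)
    # "Detected" entries were forwarded to the backend (Detection mode). Whether Prevention
    # mode would block the same request depends on the CRS anomaly score of the whole
    # request, so review these before switching modes instead of assuming one entry = one block.
    detected = sorted({p["transactionId"] for p in fw if p["action"] == "Detected"})
    return {
        "entries": len(fw),
        "requests": len({p["transactionId"] for p in fw}),
        "by_action": dict(by_action),
        "top_rules": by_rule.most_common(5),
        "top_clients": by_client.most_common(5),
        "detected_requests": detected,
    }


if __name__ == "__main__":
    # Pass downloaded PT1H.json files as arguments; with none, the constructed sample is used.
    records = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            records.extend(parse_records(fh.read()))
    print(json.dumps(summarize(records or SAMPLE_RECORDS), indent=2))
```

Counting requests by transactionId rather than by entry matters: a single SQL injection attempt typically trips several CRS rules, so entry counts overstate the number of hostile requests, and a client that appears at the top of top_clients may simply have sent one noisy request.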

Test the application gateway

To get the public IP address of the application gateway, use az network public-ip show. Copy the public IP address, and then paste it into the address bar of your browser. You should see the NGINX default page served by one of the scale set instances.

az network public-ip show \
  --resource-group myResourceGroupAG \
  --name myAGPublicIPAddress \
  --query ipAddress \
  --output tsv

[Figure: Testing the base URL in the application gateway]
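Loading the page in a browser only proves that the listener reaches the backend; it says nothing about whether the WAF is doing anything. The following script is an added example, not part of this article or of the Azure CLI: it sends one benign request and three requests shaped like the attack classes the OWASP rules cover to the gateway's public IP (passed as the first argument; the placeholder address in the code is an assumption) and interprets the status codes. It assumes the backend is the NGINX default page, which answers 200.

```python
"""Probe the gateway with benign and attack-shaped requests to observe the WAF posture.

Added example, not part of the Azure documentation. Assumes the gateway from this
article is reachable over plain HTTP at the public IP printed by the command above
and that its backend is the NGINX default page (HTTP 200).
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed probes: one benign request and three requests shaped like the attack
# classes the OWASP CRS covers. They are pattern triggers, not working exploits.
PROBES = {
    "benign": {"q": "hello"},
    "sqli": {"id": "1' OR '1'='1"},
    "xss": {"q": "<script>alert(1)</script>"},
    "traversal": {"file": "../../etc/passwd"},
}


def build_url(base_url, params):
    """Append URL-encoded query parameters to the gateway's base URL."""
    return base_url.rstrip("/") + "/?" + urllib.parse.urlencode(params)


def fetch_status(url, timeout=10):
    """Return the HTTP status code; urllib raises on 4xx/5xx, so recover the code."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def interpret(results):
    """Classify the observed status codes.

    Prevention mode answers attack probes with 403 from the gateway while the benign
    probe still reaches the backend. Detection mode forwards everything and only
    writes ApplicationGatewayFirewallLog entries, so by status codes alone it is
    indistinguishable from a WAF that is disabled: confirm it in the firewall log.
    """
    benign = results["benign"]
    attacks = {name: code for name, code in results.items() if name != "benign"}
    if benign != 200:
        return "backend-unhealthy"
    if all(code == 403 for code in attacks.values()):
        return "prevention"
    if all(code == 200 for code in attacks.values()):
        return "detection-or-disabled"
    return "partial"


def run_probes(base_url):
    """Send every probe and return {probe_name: status_code}."""
    return {name: fetch_status(build_url(base_url, params)) for name, params in PROBES.items()}


if __name__ == "__main__":
    # Placeholder address (assumption); pass the real gateway IP as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://203.0.113.10/"
    outcome = run_probes(target)
    for name, code in outcome.items():
        print(f"{name:10s} {code}")
    print("WAF posture:", interpret(outcome))
```

Run it once while the gateway is in Detection mode (every probe returns 200 and the firewall log fills with "Detected" entries) and again after switching to Prevention (the attack probes return 403). Only probe gateways you own; the payloads are harmless against NGINX's static page, but they are still attack signatures.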

Clean up resources

When no longer needed, remove the resource group, application gateway, and all related resources. Deleting the resource group also deletes the storage account and the logs in it, so export anything you still need first.

# az group delete has no --location parameter; --yes skips the confirmation prompt
az group delete --name myResourceGroupAG --yes --no-wait

Next steps