Enable web application firewall using Azure PowerShell

You can restrict traffic on an application gateway with a web application firewall (WAF). The WAF uses OWASP rules to protect your application. These rules include protection against attacks such as SQL injection, cross-site scripting, and session hijacking.

In this tutorial, you learn how to:

  • Set up the network
  • Create an application gateway with WAF enabled
  • Create a virtual machine scale set
  • Create a storage account and configure diagnostics

Diagram: Web application firewall example

If you prefer, you can complete this tutorial using Azure CLI.

If you don't have an Azure subscription, create a trial account before you begin.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

If you choose to install and use PowerShell locally, this tutorial requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Login-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Create an Azure resource group using New-AzResourceGroup.

New-AzResourceGroup -Name myResourceGroupAG -Location chinanorth

Create network resources

Create the subnet configurations named myBackendSubnet and myAGSubnet using New-AzVirtualNetworkSubnetConfig. Create the virtual network named myVNet using New-AzVirtualNetwork with the subnet configurations. Finally, create the public IP address named myAGPublicIPAddress using New-AzPublicIpAddress. These resources provide network connectivity to the application gateway and its associated resources.

$backendSubnetConfig = New-AzVirtualNetworkSubnetConfig `
  -Name myBackendSubnet `
  -AddressPrefix 10.0.1.0/24

$agSubnetConfig = New-AzVirtualNetworkSubnetConfig `
  -Name myAGSubnet `
  -AddressPrefix 10.0.2.0/24

$vnet = New-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Location chinanorth `
  -Name myVNet `
  -AddressPrefix 10.0.0.0/16 `
  -Subnet $backendSubnetConfig, $agSubnetConfig

$pip = New-AzPublicIpAddress `
  -ResourceGroupName myResourceGroupAG `
  -Location chinanorth `
  -Name myAGPublicIPAddress `
  -AllocationMethod Dynamic

Create an application gateway

In this section you create the resources that support the application gateway, and then finally create the gateway itself with a WAF. The resources that you create include:

  • IP configurations and frontend port - Associates the subnet that you previously created with the application gateway and assigns a port to use to access it.
  • Default pool - All application gateways must have at least one backend pool of servers.
  • Default listener and rule - The default listener listens for traffic on the assigned port, and the default rule sends that traffic to the default pool.

Create the IP configurations and frontend port

Associate myAGSubnet, which you previously created, with the application gateway using New-AzApplicationGatewayIPConfiguration. Assign myAGPublicIPAddress to the application gateway using New-AzApplicationGatewayFrontendIPConfig.

$vnet = Get-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Name myVNet

# Subnets[] follows the order passed to -Subnet above; the gateway needs a subnet of its own.
$subnet = $vnet.Subnets[0]

$gipconfig = New-AzApplicationGatewayIPConfiguration `
  -Name myAGIPConfig `
  -Subnet $subnet

$fipconfig = New-AzApplicationGatewayFrontendIPConfig `
  -Name myAGFrontendIPConfig `
  -PublicIPAddress $pip

$frontendport = New-AzApplicationGatewayFrontendPort `
  -Name myFrontendPort `
  -Port 80

Create the backend pool and settings

Create the backend pool named appGatewayBackendPool for the application gateway using New-AzApplicationGatewayBackendAddressPool. Configure the settings for the backend address pool using New-AzApplicationGatewayBackendHttpSettings.

$defaultPool = New-AzApplicationGatewayBackendAddressPool `
  -Name appGatewayBackendPool

$poolSettings = New-AzApplicationGatewayBackendHttpSettings `
  -Name myPoolSettings `
  -Port 80 `
  -Protocol Http `
  -CookieBasedAffinity Enabled `
  -RequestTimeout 120

Create the default listener and rule

A listener is required for the application gateway to route traffic appropriately to the backend address pools. In this example, you create a basic listener that listens for traffic at the root URL.

Create a listener named mydefaultListener using New-AzApplicationGatewayHttpListener with the frontend configuration and frontend port that you previously created. A rule is required for the listener to know which backend pool to use for incoming traffic. Create a basic rule named rule1 using New-AzApplicationGatewayRequestRoutingRule.

$defaultlistener = New-AzApplicationGatewayHttpListener `
  -Name mydefaultListener `
  -Protocol Http `
  -FrontendIPConfiguration $fipconfig `
  -FrontendPort $frontendport

$frontendRule = New-AzApplicationGatewayRequestRoutingRule `
  -Name rule1 `
  -RuleType Basic `
  -HttpListener $defaultlistener `
  -BackendAddressPool $defaultPool `
  -BackendHttpSettings $poolSettings

Create the application gateway with the WAF

Now that you have created the necessary supporting resources, specify parameters for the application gateway using New-AzApplicationGatewaySku. Specify the WAF configuration using New-AzApplicationGatewayWebApplicationFirewallConfiguration. Then create the application gateway named myAppGateway using New-AzApplicationGateway.

$sku = New-AzApplicationGatewaySku `
  -Name WAF_Medium `
  -Tier WAF `
  -Capacity 2

# Detection mode records rule matches in the firewall log without blocking requests.
$wafConfig = New-AzApplicationGatewayWebApplicationFirewallConfiguration `
  -Enabled $true `
  -FirewallMode "Detection"

$appgw = New-AzApplicationGateway `
  -Name myAppGateway `
  -ResourceGroupName myResourceGroupAG `
  -Location chinanorth `
  -BackendAddressPools $defaultPool `
  -BackendHttpSettingsCollection $poolSettings `
  -FrontendIpConfigurations $fipconfig `
  -GatewayIpConfigurations $gipconfig `
  -FrontendPorts $frontendport `
  -HttpListeners $defaultlistener `
  -RequestRoutingRules $frontendRule `
  -Sku $sku `
  -WebApplicationFirewallConfig $wafConfig
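The tutorial leaves the WAF in Detection mode, which logs rule matches but does not block anything. The following block, added here and not part of the original tutorial, switches the gateway to Prevention mode and verifies the change; it assumes the tutorial's resource names and the OWASP 3.0 rule set version, which the original $wafConfig did not specify.

```powershell
# Added example, not from the tutorial: enforce the WAF once the Detection-mode
# firewall log has been reviewed for false positives.
$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway

# Prevention mode rejects a matching request instead of only logging it.
# Rule set version 3.0 is an assumption; pick the version you validated against.
Set-AzApplicationGatewayWebApplicationFirewallConfiguration `
  -ApplicationGateway $appgw `
  -Enabled $true `
  -FirewallMode Prevention `
  -RuleSetType OWASP `
  -RuleSetVersion 3.0

# The Set-* cmdlet only updates the local object; this call pushes it to Azure.
Set-AzApplicationGateway -ApplicationGateway $appgw

# Read the deployed configuration back rather than trusting the local copy.
$waf = (Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway).WebApplicationFirewallConfiguration

if (-not $waf.Enabled -or $waf.FirewallMode -ne 'Prevention') {
  throw "WAF is not enforcing: Enabled=$($waf.Enabled) Mode=$($waf.FirewallMode)"
}
"WAF {0} {1} running in {2} mode" -f $waf.RuleSetType, $waf.RuleSetVersion, $waf.FirewallMode
```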

Create a virtual machine scale set

In this example, you create a virtual machine scale set to provide servers for the backend pool of the application gateway. You assign the scale set to the backend pool when you configure the IP settings.

$vnet = Get-AzVirtualNetwork `
  -ResourceGroupName myResourceGroupAG `
  -Name myVNet

$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway

$backendPool = Get-AzApplicationGatewayBackendAddressPool `
  -Name appGatewayBackendPool `
  -ApplicationGateway $appgw

# Use the other subnet: scale set NICs cannot share the subnet that hosts the gateway.
$ipConfig = New-AzVmssIpConfig `
  -Name myVmssIPConfig `
  -SubnetId $vnet.Subnets[1].Id `
  -ApplicationGatewayBackendAddressPoolsId $backendPool.Id

$vmssConfig = New-AzVmssConfig `
  -Location chinanorth `
  -SkuCapacity 2 `
  -SkuName Standard_DS2 `
  -UpgradePolicyMode Automatic

Set-AzVmssStorageProfile $vmssConfig `
  -ImageReferencePublisher MicrosoftWindowsServer `
  -ImageReferenceOffer WindowsServer `
  -ImageReferenceSku 2016-Datacenter `
  -ImageReferenceVersion latest `
  -OsDiskCreateOption FromImage

# The password below is the tutorial's sample value; supply your own secret instead of storing one in the script.
Set-AzVmssOsProfile $vmssConfig `
  -AdminUsername azureuser `
  -AdminPassword "Azure123456!" `
  -ComputerNamePrefix myvmss

Add-AzVmssNetworkInterfaceConfiguration `
  -VirtualMachineScaleSet $vmssConfig `
  -Name myVmssNetConfig `
  -Primary $true `
  -IPConfiguration $ipConfig

New-AzVmss `
  -ResourceGroupName myResourceGroupAG `
  -Name myvmss `
  -VirtualMachineScaleSet $vmssConfig

Install IIS

$publicSettings = @{ "fileUris" = (,"https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/appgatewayurl.ps1");
  "commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File appgatewayurl.ps1" }

$vmss = Get-AzVmss -ResourceGroupName myResourceGroupAG -VMScaleSetName myvmss

Add-AzVmssExtension -VirtualMachineScaleSet $vmss `
  -Name "customScript" `
  -Publisher "Microsoft.Compute" `
  -Type "CustomScriptExtension" `
  -TypeHandlerVersion 1.8 `
  -Setting $publicSettings

Update-AzVmss `
  -ResourceGroupName myResourceGroupAG `
  -Name myvmss `
  -VirtualMachineScaleSet $vmss

Create a storage account and configure diagnostics

In this tutorial, the application gateway uses a storage account to store data for detection and prevention purposes. You could also use Azure Monitor logs or Event Hub to record the data.

Create the storage account

Create a storage account named myagstore1 using New-AzStorageAccount.

$storageAccount = New-AzStorageAccount `
  -ResourceGroupName myResourceGroupAG `
  -Name myagstore1 `
  -Location chinanorth `
  -SkuName "Standard_LRS"

Configure diagnostics

Configure diagnostics to record data into the ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, and ApplicationGatewayFirewallLog logs using Set-AzDiagnosticSetting.

$appgw = Get-AzApplicationGateway `
  -ResourceGroupName myResourceGroupAG `
  -Name myAppGateway

$store = Get-AzStorageAccount `
  -ResourceGroupName myResourceGroupAG `
  -Name myagstore1

Set-AzDiagnosticSetting `
  -ResourceId $appgw.Id `
  -StorageAccountId $store.Id `
  -Categories ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog `
  -Enabled $true `
  -RetentionEnabled $true `
  -RetentionInDays 30
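To make use of the ApplicationGatewayFirewallLog category just enabled, the following block, added here and not from the tutorial, downloads the exported log blobs and tallies which WAF rules fired and whether they logged or blocked. It assumes the tutorial's storage account, the container name Azure Monitor uses for this category (insights-logs-applicationgatewayfirewalllog), and that each blob holds either newline-delimited JSON records or an older {"records":[...]} wrapper.

```powershell
# Added example, not part of the tutorial. Assumes the tutorial's storage account
# and the Azure Monitor container name for this log category.
$store = Get-AzStorageAccount -ResourceGroupName myResourceGroupAG -Name myagstore1
$container = "insights-logs-applicationgatewayfirewalllog"
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) "wafLogs"
New-Item -ItemType Directory -Path $tmp -Force | Out-Null

# Download every exported blob and flatten its contents into one list of records.
$records = foreach ($blob in Get-AzStorageBlob -Container $container -Context $store.Context) {
  $local = Join-Path $tmp ($blob.Name -replace '[\\/=:]', '_')
  Get-AzStorageBlobContent -Container $container -Blob $blob.Name `
    -Destination $local -Context $store.Context -Force | Out-Null
  $raw = ([string](Get-Content -Path $local -Raw)).TrimStart()
  if ($raw.StartsWith('{"records"')) {
    # Older export layout (assumption): one object wrapping the record array.
    (ConvertFrom-Json $raw).records
  } else {
    # Current layout: one JSON record per line; skip blank lines.
    $raw -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { ConvertFrom-Json $_ }
  }
}

# One row per WAF rule: hit count, the action(s) taken, and the rule's message.
$records |
  Where-Object { $_.category -eq 'ApplicationGatewayFirewallLog' } |
  Group-Object { $_.properties.ruleId } |
  ForEach-Object {
    [pscustomobject]@{
      RuleId  = $_.Name
      Hits    = $_.Count
      Action  = ($_.Group.properties.action | Sort-Object -Unique) -join ','
      Message = $_.Group[0].properties.message
    }
  } | Sort-Object Hits -Descending | Format-Table -AutoSize
```

Review these counts while the WAF is still in Detection mode: a rule that fires on legitimate traffic needs an exclusion or tuning before the gateway is switched to Prevention.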

Test the application gateway

You can use Get-AzPublicIPAddress to get the public IP address of the application gateway. Copy the public IP address, and then paste it into the address bar of your browser.

Get-AzPublicIPAddress -ResourceGroupName myResourceGroupAG -Name myAGPublicIPAddress

Screenshot: Test the base URL in the application gateway

Clean up resources

When they are no longer needed, remove the resource group, application gateway, and all related resources using Remove-AzResourceGroup.

Remove-AzResourceGroup -Name myResourceGroupAG

Next steps

In this tutorial, you learned how to:

  • Set up the network
  • Create an application gateway with WAF enabled
  • Create a virtual machine scale set
  • Create a storage account and configure diagnostics