快速入门:使用 Bicep 在应用程序网关上创建 Azure WAF v2
在本快速入门中,你将使用 Bicep 在应用程序网关上创建 Azure Web 应用程序防火墙 v2。
Bicep 是一种特定于域的语言 (DSL),使用声明性语法来部署 Azure 资源。 它提供简明的语法、可靠的类型安全性以及对代码重用的支持。 Bicep 会针对你的 Azure 基础结构即代码解决方案提供最佳创作体验。
注意
建议使用 Azure Az PowerShell 模块与 Azure 交互。 请参阅安装 Azure PowerShell 以开始使用。 若要了解如何迁移到 Az PowerShell 模块,请参阅 将 Azure PowerShell 从 AzureRM 迁移到 Az。
- 具有活动订阅的 Azure 帐户。 创建帐户。
此 Bicep 文件在 Azure 应用程序网关上创建简单的 Web 应用程序防火墙 v2。 这包括公共 IP 前端 IP 地址、HTTP 设置、包含端口 80 上的基本侦听器的规则,以及后端池。 此文件还创建一个包含自定义规则的 WAF 策略,以根据 IP 地址匹配类型阻止发往后端池的流量。
本快速入门中使用的 Bicep 文件来自 Azure 快速入门模板。
@description('Admin username for the backend servers')
param adminUsername string
@description('Password for the admin account on the backend servers')
@secure()
param adminPassword string
@description('Location for all resources.')
param location string = resourceGroup().location
@description('Size of the virtual machine.')
param vmSize string = 'Standard_B2ms'
var virtualMachines_myVM_name = 'myVM'
var virtualNetworks_myVNet_name = 'myVNet'
var myNic_name = 'net-int'
var ipconfig_name = 'ipconfig'
var publicIPAddress_name = 'public_ip'
var nsg_name = 'vm-nsg'
var applicationGateways_myAppGateway_name = 'myAppGateway'
var vnet_prefix = '10.0.0.0/16'
var ag_subnet_prefix = '10.0.0.0/24'
var backend_subnet_prefix = '10.0.1.0/24'
var AppGW_AppFW_Pol_name = 'WafPol01'
resource nsg 'Microsoft.Network/networkSecurityGroups@2021-08-01' = [for i in range(0, 2): {
name: '${nsg_name}${(i + 1)}'
location: location
properties: {
securityRules: [
{
name: 'RDP'
properties: {
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '3389'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
access: 'Allow'
priority: 300
direction: 'Inbound'
}
}
]
}
}]
resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-08-01' = [for i in range(0, 3): {
name: '${publicIPAddress_name}${i}'
location: location
sku: {
name: 'Standard'
}
properties: {
publicIPAddressVersion: 'IPv4'
publicIPAllocationMethod: 'Static'
idleTimeoutInMinutes: 4
}
}]
resource myVNet 'Microsoft.Network/virtualNetworks@2021-08-01' = {
name: virtualNetworks_myVNet_name
location: location
properties: {
addressSpace: {
addressPrefixes: [
vnet_prefix
]
}
subnets: [
{
name: 'myAGSubnet'
properties: {
addressPrefix: ag_subnet_prefix
privateEndpointNetworkPolicies: 'Enabled'
privateLinkServiceNetworkPolicies: 'Enabled'
}
}
{
name: 'myBackendSubnet'
properties: {
addressPrefix: backend_subnet_prefix
privateEndpointNetworkPolicies: 'Enabled'
privateLinkServiceNetworkPolicies: 'Enabled'
}
}
]
enableDdosProtection: false
enableVmProtection: false
}
}
resource myVM 'Microsoft.Compute/virtualMachines@2021-11-01' = [for i in range(0, 2): {
name: '${virtualMachines_myVM_name}${(i + 1)}'
location: location
properties: {
hardwareProfile: {
vmSize: vmSize
}
storageProfile: {
imageReference: {
publisher: 'MicrosoftWindowsServer'
offer: 'WindowsServer'
sku: '2019-Datacenter'
version: 'latest'
}
osDisk: {
osType: 'Windows'
createOption: 'FromImage'
caching: 'ReadWrite'
managedDisk: {
storageAccountType: 'StandardSSD_LRS'
}
diskSizeGB: 127
}
}
osProfile: {
computerName: '${virtualMachines_myVM_name}${(i + 1)}'
adminUsername: adminUsername
adminPassword: adminPassword
windowsConfiguration: {
provisionVMAgent: true
enableAutomaticUpdates: true
}
allowExtensionOperations: true
}
networkProfile: {
networkInterfaces: [
{
id: resourceId('Microsoft.Network/networkInterfaces', '${myNic_name}${(i + 1)}')
}
]
}
}
dependsOn: [
myNic
]
}]
resource myVM_IIS 'Microsoft.Compute/virtualMachines/extensions@2021-11-01' = [for i in range(0, 2): {
name: '${virtualMachines_myVM_name}${(i + 1)}/IIS'
location: location
properties: {
autoUpgradeMinorVersion: true
publisher: 'Microsoft.Compute'
type: 'CustomScriptExtension'
typeHandlerVersion: '1.4'
settings: {
commandToExecute: 'powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path "C:\\inetpub\\wwwroot\\Default.htm" -Value $($env:computername)'
}
}
dependsOn: [
myVM
]
}]
resource myAppGateway 'Microsoft.Network/applicationGateways@2021-08-01' = {
name: applicationGateways_myAppGateway_name
location: location
properties: {
sku: {
name: 'WAF_v2'
tier: 'WAF_v2'
capacity: 2
}
gatewayIPConfigurations: [
{
name: 'appGatewayIpConfig'
properties: {
subnet: {
id: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworks_myVNet_name, 'myAGSubnet')
}
}
}
]
frontendIPConfigurations: [
{
name: 'appGwPublicFrontendIp'
properties: {
privateIPAllocationMethod: 'Dynamic'
publicIPAddress: {
id: resourceId('Microsoft.Network/publicIPAddresses', '${publicIPAddress_name}0')
}
}
}
]
frontendPorts: [
{
name: 'port_80'
properties: {
port: 80
}
}
]
backendAddressPools: [
{
name: 'myBackendPool'
properties: {}
}
]
backendHttpSettingsCollection: [
{
name: 'myHTTPSetting'
properties: {
port: 80
protocol: 'Http'
cookieBasedAffinity: 'Disabled'
pickHostNameFromBackendAddress: false
requestTimeout: 20
}
}
]
httpListeners: [
{
name: 'myListener'
properties: {
firewallPolicy: {
id: AppGW_AppFW_Pol.id
}
frontendIPConfiguration: {
id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', applicationGateways_myAppGateway_name, 'appGwPublicFrontendIp')
}
frontendPort: {
id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', applicationGateways_myAppGateway_name, 'port_80')
}
protocol: 'Http'
requireServerNameIndication: false
}
}
]
requestRoutingRules: [
{
name: 'myRoutingRule'
properties: {
ruleType: 'Basic'
priority: 10
httpListener: {
id: resourceId('Microsoft.Network/applicationGateways/httpListeners', applicationGateways_myAppGateway_name, 'myListener')
}
backendAddressPool: {
id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', applicationGateways_myAppGateway_name, 'myBackendPool')
}
backendHttpSettings: {
id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', applicationGateways_myAppGateway_name, 'myHTTPSetting')
}
}
}
]
enableHttp2: false
firewallPolicy: {
id: AppGW_AppFW_Pol.id
}
}
dependsOn: [
myVNet
publicIPAddress
]
}
resource AppGW_AppFW_Pol 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-08-01' = {
name: AppGW_AppFW_Pol_name
location: location
properties: {
customRules: [
{
name: 'CustRule01'
priority: 100
ruleType: 'MatchRule'
action: 'Block'
matchConditions: [
{
matchVariables: [
{
variableName: 'RemoteAddr'
}
]
operator: 'IPMatch'
negationConditon: true
matchValues: [
'10.10.10.0/24'
]
}
]
}
]
policySettings: {
requestBodyCheck: true
maxRequestBodySizeInKb: 128
fileUploadLimitInMb: 100
state: 'Enabled'
mode: 'Prevention'
}
managedRules: {
managedRuleSets: [
{
ruleSetType: 'OWASP'
ruleSetVersion: '3.1'
}
]
}
}
}
resource myNic 'Microsoft.Network/networkInterfaces@2021-08-01' = [for i in range(0, 2): {
name: '${myNic_name}${(i + 1)}'
location: location
properties: {
ipConfigurations: [
{
name: '${ipconfig_name}${(i + 1)}'
properties: {
privateIPAllocationMethod: 'Dynamic'
publicIPAddress: {
id: resourceId('Microsoft.Network/publicIPAddresses', '${publicIPAddress_name}${(i + 1)}')
}
subnet: {
id: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworks_myVNet_name, 'myBackendSubnet')
}
primary: true
privateIPAddressVersion: 'IPv4'
applicationGatewayBackendAddressPools: [
{
id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', applicationGateways_myAppGateway_name, 'myBackendPool')
}
]
}
}
]
enableAcceleratedNetworking: false
enableIPForwarding: false
networkSecurityGroup: {
id: resourceId('Microsoft.Network/networkSecurityGroups', '${nsg_name}${(i + 1)}')
}
}
dependsOn: [
publicIPAddress
myVNet
myAppGateway
nsg
]
}]
该 Bicep 文件中定义了多个 Azure 资源:
- Microsoft.Network/applicationgateways
- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
- Microsoft.Network/publicIPAddresses:一个用于应用程序网关,两个用于虚拟机。
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/virtualNetworks
- Microsoft.Compute/virtualMachines:两个虚拟机
- Microsoft.Network/networkInterfaces:两个用于虚拟机
- Microsoft.Compute/virtualMachine/extensions:用于配置 IIS 和网页
将该 Bicep 文件另存为本地计算机上的 main.bicep。
使用 Azure CLI 或 Azure PowerShell 来部署该 Bicep 文件。
az group create --name exampleRG --location chinanorth2 az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminUsername=<admin-user>
注意
系统会提示你输入 adminPassword,这是后端服务器上的管理员帐户的密码。 密码长度必须介于 8-123 个字符之间,密码必须至少包含以下字符类型中的三个类型:大写字符、小写字符、数字或特殊字符。
部署完成后,应会看到一条指出部署成功的消息。 部署可能需要 10 分钟或更长时间才能完成。
虽然无需 IIS 即可创建应用程序网关,但在后端服务器上安装 IIS 可以验证 Azure 是否已在应用程序网关上成功创建 WAF v2。
使用 IIS 测试应用程序网关:
在应用程序网关的“概述”页上找到其公共 IP 地址。
复制公共 IP 地址,然后将其粘贴到浏览器的地址栏中,以便浏览该 IP 地址。
检查响应。 “403 禁止”响应表示 WAF 已成功创建,并正在阻止与后端池建立连接。
使用 Azure PowerShell 将自定义规则更改为“允许流量”。
$rgName = "exampleRG" $appGWName = "myAppGateway" $fwPolicyName = "WafPol01" # Pull the existing Azure resources $appGW = Get-AzApplicationGateway -Name $appGWName -ResourceGroupName $rgName $pol = Get-AzApplicationGatewayFirewallPolicy -Name $fwPolicyName -ResourceGroupName $rgName # Update the resources $pol[0].CustomRules[0].Action = "allow" $appGW.FirewallPolicy = $pol # Push your changes to Azure Set-AzApplicationGatewayFirewallPolicy -Name $fwPolicyName -ResourceGroupName $rgName -CustomRule $pol.CustomRules Set-AzApplicationGateway -ApplicationGateway $appGW
多次刷新浏览器就会看到与 myVM1 和 myVM2 的连接。
如果不再需要通过应用程序网关创建的资源,请使用 Azure 门户、Azure CLI 或 Azure PowerShell 删除资源组。 这样会删除应用程序网关和所有相关的资源。
az group delete --name exampleRG