Deploying Azure Application Gateway using Azure CLI and ARM templates for automation

Here are the Azure CLI commands and ARM (Azure Resource Manager) template examples for deploying an Azure Application Gateway, including the configuration of backend pools, routing rules, and SSL termination.

Azure CLI Deployment

You can use the Azure CLI to create and configure the Azure Application Gateway, backend pool, routing rules, and SSL termination.

a. Create a Resource Group

xxxxxxxxxx
3
1
az group create \
2
--name MyResourceGroup \
3
--location eastus

b. Create a Virtual Network and Subnets

​x
1
az network vnet create \
2
--name MyVNet \
3
--resource-group MyResourceGroup \
4
--location eastus \
5
--address-prefix 10.0.0.0/16 \
6
--subnet-name GatewaySubnet \
7
--subnet-prefix 10.0.1.0/24
8

9
az network vnet subnet create \
10
--name BackendSubnet \
11
--resource-group MyResourceGroup \
12
--vnet-name MyVNet \
13
--address-prefix 10.0.2.0/24

c. Create Public IP for Application Gateway

xxxxxxxxxx
5
1
az network public-ip create \
2
--name MyPublicIP \
3
--resource-group MyResourceGroup \
4
--allocation-method Static \
5
--sku Standard

d. Create Application Gateway

xxxxxxxxxx
9
1
az network application-gateway create \
2
--name MyAppGateway \
3
--resource-group MyResourceGroup \
4
--location eastus \
5
--vnet-name MyVNet \
6
--subnet GatewaySubnet \
7
--capacity 2 \
8
--sku Standard_v2 \
9
--public-ip-address MyPublicIP

e. Configure Backend Pool

xxxxxxxxxx
5
1
az network application-gateway address-pool create \
2
--gateway-name MyAppGateway \
3
--resource-group MyResourceGroup \
4
--name MyBackendPool \
5
--backend-address 10.0.2.4 10.0.2.5

f. Configure HTTP Settings

xxxxxxxxxx
8
1
az network application-gateway http-settings create \
2
--gateway-name MyAppGateway \
3
--resource-group MyResourceGroup \
4
--name MyHttpSettings \
5
--port 80 \
6
--protocol Http \
7
--cookie-based-affinity Disabled \
8
--timeout 20

g. Create Listener

xxxxxxxxxx
7
1
az network application-gateway listener create \
2
--gateway-name MyAppGateway \
3
--resource-group MyResourceGroup \
4
--name MyListener \
5
--frontend-ip MyPublicIP \
6
--frontend-port 80 \
7
--protocol Http

h. Create Routing Rules (Basic or Path-Based)

For path-based routing:

xxxxxxxxxx
8
1
az network application-gateway url-path-map rule add \
2
--gateway-name MyAppGateway \
3
--resource-group MyResourceGroup \
4
--name MyUrlPathMap \
5
--rule-name MyRule \
6
--paths "/api/*" \
7
--address-pool MyBackendPool \
8
--http-settings MyHttpSettings

i. Enable SSL Termination

1. First, upload your SSL certificate to Key Vault (if needed):

xxxxxxxxxx
4
1
az keyvault certificate import \
2
--vault-name MyKeyVault \
3
--name MySslCertificate \
4
--file "/path/to/certificate.pfx"

2. Then, create the HTTPS listener with SSL termination:

xxxxxxxxxx
8
1
az network application-gateway listener create \
2
--gateway-name MyAppGateway \
3
--resource-group MyResourceGroup \
4
--name MyHttpsListener \
5
--frontend-ip MyPublicIP \
6
--frontend-port 443 \
7
--protocol Https \
8
--ssl-cert MySslCertificate

j. Create Web Application Firewall (Optional)

xxxxxxxxxx
15
1
az network application-gateway waf-policy create \
2
--resource-group MyResourceGroup \
3
--name MyWafPolicy
4

5
az network application-gateway waf-policy rule-set add \
6
--policy-name MyWafPolicy \
7
--resource-group MyResourceGroup \
8
--rule-set-type OWASP \
9
--rule-set-version 3.2
10

11
az network application-gateway update \
12
--name MyAppGateway \
13
--resource-group MyResourceGroup \
14
--set enableFirewall=true \
15
--waf-policy MyWafPolicy

ARM Template for Application Gateway Deployment

Below is an example ARM template to deploy an Azure Application Gateway with SSL termination, routing rules, and Web Application Firewall (WAF).

Save this as a .json file (e.g., application-gateway-deployment.json).

xxxxxxxxxx
141
1
{
2
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3
  "contentVersion": "1.0.0.0",
4
  "resources": [
5
    {
6
      "type": "Microsoft.Network/applicationGateways",
7
      "apiVersion": "2021-05-01",
8
      "location": "eastus",
9
      "properties": {
10
        "sku": {
11
          "name": "Standard_v2",
12
          "tier": "Standard_v2",
13
          "capacity": 2
14
        },
15
        "gatewayIPConfigurations": [
16
          {
17
            "name": "appGwIpConfig",
18
            "properties": {
19
              "subnet": {
20
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'MyVNet', 'GatewaySubnet')]"
21
              }
22
            }
23
          }
24
        ],
25
        "frontendIPConfigurations": [
26
          {
27
            "name": "appGwFrontendIP",
28
            "properties": {
29
              "PublicIPAddress": {
30
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'MyPublicIP')]"
31
              }
32
            }
33
          }
34
        ],
35
        "frontendPorts": [
36
          {
37
            "name": "appGwFrontendPortHttp",
38
            "properties": {
39
              "port": 80
40
            }
41
          },
42
          {
43
            "name": "appGwFrontendPortHttps",
44
            "properties": {
45
              "port": 443
46
            }
47
          }
48
        ],
49
        "listeners": [
50
          {
51
            "name": "appGwHttpListener",
52
            "properties": {
53
              "frontendIPConfiguration": {
54
                "id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', 'appGwFrontendIP')]"
55
              },
56
              "frontendPort": {
57
                "id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', 'appGwFrontendPortHttp')]"
58
              },
59
              "protocol": "Http"
60
            }
61
          },
62
          {
63
            "name": "appGwHttpsListener",
64
            "properties": {
65
              "frontendIPConfiguration": {
66
                "id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', 'appGwFrontendIP')]"
67
              },
68
              "frontendPort": {
69
                "id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', 'appGwFrontendPortHttps')]"
70
              },
71
              "protocol": "Https",
72
              "sslCertificate": {
73
                "data": "[parameters('sslCertificateData')]",
74
                "password": "[parameters('sslCertificatePassword')]"
75
              }
76
            }
77
          }
78
        ],
79
        "backendAddressPools": [
80
          {
81
            "name": "appGwBackendPool",
82
            "properties": {
83
              "backendAddresses": [
84
                {
85
                  "ipAddress": "10.0.2.4"
86
                },
87
                {
88
                  "ipAddress": "10.0.2.5"
89
                }
90
              ]
91
            }
92
          }
93
        ],
94
        "backendHttpSettingsCollection": [
95
          {
96
            "name": "appGwHttpSettings",
97
            "properties": {
98
              "port": 80,
99
              "protocol": "Http",
100
              "cookieBasedAffinity": "Disabled",
101
              "requestTimeout": {
102
                "seconds": 20
103
              }
104
            }
105
          }
106
        ],
107
        "urlPathMaps": [
108
          {
109
            "name": "pathMap",
110
            "properties": {
111
              "defaultBackendAddressPool": {
112
                "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', 'appGwBackendPool')]"
113
              },
114
              "defaultBackendHttpSettings": {
115
                "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', 'appGwHttpSettings')]"
116
              },
117
              "defaultRedirectConfiguration": {
118
                "statusCode": "PermanentRedirect",
119
                "targetUrl": "https://www.redirecturl.com"
120
              },
121
              "pathRules": [
122
                {
123
                  "name": "apiRule",
124
                  "properties": {
125
                    "paths": ["/api/*"],
126
                    "backendAddressPool": {
127
                      "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', 'appGwBackendPool')]"
128
                    },
129
                    "backendHttpSettings": {
130
                      "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', 'appGwHttpSettings')]"
131
                    }
132
                  }
133
                }
134
              ]
135
            }
136
          }
137
        ]
138
      }
139
    }
140
  ]
141
}

Deploying the ARM Template

To deploy this template using the Azure CLI:

xxxxxxxxxx
3
1
az deployment group create \
2
--resource-group MyResourceGroup \
3
--template-file application-gateway-deployment.json

Key Considerations

SSL Certificate

You can import your SSL certificate into Azure Key Vault or store it as a parameter in the ARM template (like in the example above).

Path-Based Routing

The ARM template above demonstrates routing /api/* to the backend pool.

You can modify paths as needed for your setup.

Web Application Firewall

If you need to enable WAF, refer to the WAF section in the ARM template to apply a WAF policy.

Write in comments, if you need further help on any specific part of the implementation.