Create the Application Gateway resource

You are now ready to create an Application Gateway instance to expose your application to the internet. You will also need to create a WAF policy, when you use the WAF_v2 sku for Application Gateway. You can use the following guidance to perform this task:

• Create Web Application Firewall policies for Application Gateway.
• Create the Application Gateway resources.

An Application Gateway resource needs a dedicated subnet to be deployed into, however, you already created this subnet at the beginning of this exercise.

Step by step guidance

1. An Application Gateway instance also needs a public IP address, which you will create next by running the following commands from the Git Bash shell:

   APPLICATION_GATEWAY_PUBLIC_IP_NAME=pip-$APPNAME-app-gw2
   az network public-ip create \
       --resource-group $RESOURCE_GROUP \
       --location $LOCATION \
       --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \
       --allocation-method Static \
       --sku Standard \
       --dns-name $DNS_LABEL
   

2. In addition, an Application Gateway instance also needs to have access to the self-signed certificate in your Key Vault. To accomplish this, you will create a managed identity associated with the Application Gateway instance and retrieve the object ID of this identity.

   APPGW_IDENTITY_NAME=id-$APPNAME-appgw
   az identity create \
       --resource-group $RESOURCE_GROUP \
       --name $APPGW_IDENTITY_NAME
   
   APPGW_IDENTITY_CLIENTID=$(az identity show --resource-group $RESOURCE_GROUP --name $APPGW_IDENTITY_NAME --query clientId --output tsv)
   APPGW_IDENTITY_OID=$(az ad sp show --id $APPGW_IDENTITY_CLIENTID --query id --output tsv)
   

3. You can now reference the object ID when granting the RBAC permissions to the Key Vault secrets and certificates.

   az role assignment create \
      --role "Key Vault Secrets Officer" \
      --assignee $APPGW_IDENTITY_OID \
      --scope $KEYVAULT_ID
   
   az role assignment create \
      --role "Key Vault Certificates Officer" \
      --assignee $APPGW_IDENTITY_OID \
      --scope $KEYVAULT_ID
   

   It might be that this step fails with an unauthorized in case you use a subscription that has additional policy settings and when you run these steps from a codespace. To recover from this error, re-execute these steps in a cloud shell. This should succeed.

   In order for this implementation to work, the Application Gateway instance requires access to certificates and secrets in the Azure Key Vault instance.

4. Next, you need to retrieve the ID of the self-signed certificate stored in your Key Vault (you will use it in the next step of this task).

   KEYVAULT_SECRET_ID_FOR_CERT=$(az keyvault certificate show --name $CERT_NAME_IN_KV --vault-name $KEYVAULT_NAME --query sid --output tsv)
   

5. Before you can create the Application Gateway, you will also need to create the WAF policy for the gateway.

    WAF_POLICY_NAME=waf-$APPNAME-$UNIQUEID
    az network application-gateway waf-policy create \
        --name $WAF_POLICY_NAME \
        --resource-group $RESOURCE_GROUP
   

6. You will also need the FQDN name of the api-gateway to use as a backend server in your Application Gatway setu.

   BACKEND_SERVER_FQDN=$(az containerapp show \
                         --resource-group $RESOURCE_GROUP \
                         --name api-gateway \
                         --query properties.configuration.ingress.fqdn \
                         -o tsv)
   echo $BACKEND_SERVER_FQDN
   

7. With all relevant information collected, you can now provision an instance of Application Gateway.

   APPGW_NAME=agw-$APPNAME-$UNIQUEID
   
   az network application-gateway create \
          --name $APPGW_NAME \
          --resource-group $RESOURCE_GROUP \
          --location $LOCATION \
          --capacity 2 \
          --sku WAF_v2 \
          --frontend-port 443 \
          --http-settings-cookie-based-affinity Disabled \
          --http-settings-port 443 \
          --http-settings-protocol Https \
          --public-ip-address $APPLICATION_GATEWAY_PUBLIC_IP_NAME \
          --vnet-name $VIRTUAL_NETWORK_NAME \
          --subnet $APPLICATION_GATEWAY_SUBNET_NAME \
          --servers  $BACKEND_SERVER_FQDN \
          --key-vault-secret-id $KEYVAULT_SECRET_ID_FOR_CERT \
          --identity $APPGW_IDENTITY_NAME \
          --priority "1" \
          --waf-policy $WAF_POLICY_NAME
   

   Wait for the provisioning to complete. This might take about 5 minutes.

8. Once provisioned, you can update the backend settings so they point to your Azure Container Apps environment.

   az network application-gateway http-settings update \
         --resource-group $RESOURCE_GROUP \
         --gateway-name $APPGW_NAME \
         --name appGatewayBackendHttpSettings \
         --protocol Https \
         --port 443 \
         --host-name-from-backend-pool true