Create the Application Gateway resources
You are now ready to create an Application Gateway instance to expose your application to the internet. You will also need to create a WAF policy, when you use the WAF_v2 sku for Application Gateway. You can use the following guidance to perform this task:
- Create Web Application Firewall policies for Application Gateway.
- Create the Application Gateway resources.
An Application Gateway resource needs a dedicated subnet to be deployed into, however, you already created this subnet at the beginning of this exercise.
Step by step guidance
-
An Application Gateway instance also needs a public IP address, which you will create next by running the following commands from the Git Bash shell:
APPLICATION_GATEWAY_PUBLIC_IP_NAME=pip-$APPNAME-app-gw az network public-ip create \ --resource-group $RESOURCE_GROUP \ --location $LOCATION \ --name $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ --allocation-method Static \ --sku Standard \ --dns-name $DNS_LABEL
-
In addition, an Application Gateway instance also needs to have access to the self-signed certificate in your Key Vault. To accomplish this, you will create a managed identity associated with the Application Gateway instance and retrieve the object ID of this identity.
APPGW_IDENTITY_NAME=id-$APPNAME-appgw az identity create \ --resource-group $RESOURCE_GROUP \ --name $APPGW_IDENTITY_NAME APPGW_IDENTITY_CLIENTID=$(az identity show --resource-group $RESOURCE_GROUP --name $APPGW_IDENTITY_NAME --query clientId --output tsv) APPGW_IDENTITY_OID=$(az ad sp show --id $APPGW_IDENTITY_CLIENTID --query id --output tsv)
-
You can now reference the object ID when granting the
get
andlist
permissions to the Key Vault secrets and certificates.az keyvault set-policy \ --name $KEYVAULT_NAME \ --resource-group $RESOURCE_GROUP \ --object-id $APPGW_IDENTITY_OID \ --secret-permissions get list \ --certificate-permissions get list
It might be that this step fails with an
unauthorized
in case you use a subscription that has additional policy settings and when you run these steps from a codespace. To recover from this error, re-execute these steps in a cloud shell. This should succeed.In order for this implementation to work, the Application Gateway instance requires access to certificate and secrets in the Azure Key Vault instance.
-
Next, you need to retrieve the ID of the self-signed certificate stored in your Key Vault (you will use it in the next step of this task).
KEYVAULT_SECRET_ID_FOR_CERT=$(az keyvault certificate show --name $CERT_NAME_IN_KV --vault-name $KEYVAULT_NAME --query sid --output tsv)
-
Before you can create the Application Gateway, you will also need to create the WAF policy for the gateway.
WAF_POLICY_NAME=waf-$APPNAME-$UNIQUEID az network application-gateway waf-policy create \ --name $WAF_POLICY_NAME \ --resource-group $RESOURCE_GROUP
-
With all relevant information collected, you can now provision an instance of Application Gateway.
APPGW_NAME=agw-$APPNAME-$UNIQUEID az network application-gateway create \ --name $APPGW_NAME \ --resource-group $RESOURCE_GROUP \ --location $LOCATION \ --capacity 2 \ --sku WAF_v2 \ --frontend-port 443 \ --http-settings-cookie-based-affinity Disabled \ --http-settings-port 8080 \ --http-settings-protocol Http \ --public-ip-address $APPLICATION_GATEWAY_PUBLIC_IP_NAME \ --vnet-name $VIRTUAL_NETWORK_NAME \ --subnet $APPLICATION_GATEWAY_SUBNET_NAME \ --servers $AKS_MC_LB_INTERNAL_FE_IP1 \ --key-vault-secret-id $KEYVAULT_SECRET_ID_FOR_CERT \ --identity $APPGW_IDENTITY_NAME \ --priority "1" \ --waf-policy $WAF_POLICY_NAME
Wait for the provisioning to complete. This might take about 5 minutes.